diff options
author | taca <taca@pkgsrc.org> | 2004-05-13 11:42:43 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2004-05-13 11:42:43 +0000 |
commit | bb5daad3794102b1be21fdac09d984eb39807dbc (patch) | |
tree | 78781cb6a92705712dfd5d5e628ba53bafcc5a17 /archivers | |
parent | 822c75de8b44e1ecc5c8d51a0bf7ab40a7045535 (diff) | |
download | pkgsrc-bb5daad3794102b1be21fdac09d984eb39807dbc.tar.gz |
Fix security problem of lha package applying patches by David Ahmad
< da at securityfocus dot com > on bugtraq mailing list.
Bump pacakge revision to nb2.
Diffstat (limited to 'archivers')
-rw-r--r-- | archivers/lha/Makefile | 4 | ||||
-rw-r--r-- | archivers/lha/distinfo | 4 | ||||
-rw-r--r-- | archivers/lha/patches/patch-ad | 53 | ||||
-rw-r--r-- | archivers/lha/patches/patch-ak | 26 |
4 files changed, 84 insertions, 3 deletions
diff --git a/archivers/lha/Makefile b/archivers/lha/Makefile index 9aa68700e49..56659e968b1 100644 --- a/archivers/lha/Makefile +++ b/archivers/lha/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.19 2004/05/06 08:15:08 itojun Exp $ +# $NetBSD: Makefile,v 1.20 2004/05/13 11:42:43 taca Exp $ DISTNAME= lha-114i PKGNAME= lha-114.9 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= archivers MASTER_SITES= http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ \ ftp://ftp.win.ne.jp/pub/misc/ diff --git a/archivers/lha/distinfo b/archivers/lha/distinfo index c33f85c6bab..ac4f68f3a67 100644 --- a/archivers/lha/distinfo +++ b/archivers/lha/distinfo @@ -1,10 +1,12 @@ -$NetBSD: distinfo,v 1.5 2002/08/25 21:49:12 jlam Exp $ +$NetBSD: distinfo,v 1.6 2004/05/13 11:42:43 taca Exp $ SHA1 (lha-114i.tar.gz) = 79e35271f2cf783f946db3f22e304fef72dbac99 Size (lha-114i.tar.gz) = 64608 bytes +SHA1 (patch-ad) = a3169c55c462d4eb54e52709744ef7084a94bcb4 SHA1 (patch-ae) = a53647ccf72511ecd2b5306e23da1219fa5e7264 SHA1 (patch-af) = 0c2f6d5bf23c3c98b102487abe3dd1190470f50c SHA1 (patch-ag) = 9ad3bc807a3cda4f71d8fbbbea19306f252f2489 SHA1 (patch-ah) = cd44b40fa7e25a9996b2441d1b78a1a6570977b2 SHA1 (patch-ai) = d988b7d048656080d14bfad1da89c9888c9ddf90 SHA1 (patch-aj) = 6331fce7f55eef1c2003e693f165dd0565e7172e +SHA1 (patch-ak) = fa6de630a7414b73dec8b75be0bfbb3493c4192f diff --git a/archivers/lha/patches/patch-ad b/archivers/lha/patches/patch-ad new file mode 100644 index 00000000000..5939e831736 --- /dev/null +++ b/archivers/lha/patches/patch-ad @@ -0,0 +1,53 @@ +$NetBSD: patch-ad,v 1.3 2004/05/13 11:42:43 taca Exp $ + +--- src/lhext.c.orig 2000-10-04 23:57:38.000000000 +0900 ++++ src/lhext.c +@@ -190,8 +190,13 @@ extract_one(afp, hdr) + q = (char *) rindex(hdr->name, '/') + 1; + } + else { ++ if (is_directory_traversal(q)) { ++ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q); ++ exit(111); ++ } ++ + if (*q == '/') { +- q++; ++ while (*q == '/') { q++; } + /* + * if OSK then strip device name + */ +@@ -419,6 +424,33 @@ cmd_extract() + return; + } + ++int ++is_directory_traversal(char *string) ++{ ++ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */ ++ char *temp; ++ ++ temp = string; ++ ++ while (*temp != 0) { ++ if (temp[0] == '/') { ++ if (type == 1) { return 1; } ++ type = 0; ++ temp++; ++ continue; ++ } ++ ++ if ((temp[0] == '.') && (type < 2)) ++ type = 1; ++ if (temp[0] != '.') ++ type = 2; ++ ++ temp++; ++ } /* while */ ++ ++ return (type == 1); ++} ++ + /* Local Variables: */ + /* mode:c */ + /* tab-width:4 */ diff --git a/archivers/lha/patches/patch-ak b/archivers/lha/patches/patch-ak new file mode 100644 index 00000000000..bd3f7427577 --- /dev/null +++ b/archivers/lha/patches/patch-ak @@ -0,0 +1,26 @@ +$NetBSD: patch-ak,v 1.1 2004/05/13 11:42:43 taca Exp $ + +--- src/header.c.orig 2000-10-06 02:36:03.000000000 +0900 ++++ src/header.c +@@ -538,6 +538,10 @@ get_header(fp, hdr) + /* + * filename + */ ++ if (header_size >= 256) { ++ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n"); ++ exit(109); ++ } + for (i = 0; i < header_size - 3; i++) + hdr->name[i] = (char) get_byte(); + hdr->name[header_size - 3] = '\0'; +@@ -547,6 +551,10 @@ get_header(fp, hdr) + /* + * directory + */ ++ if (header_size >= FILENAME_LENGTH) { ++ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n"); ++ exit(110); ++ } + for (i = 0; i < header_size - 3; i++) + dirname[i] = (char) get_byte(); + dirname[header_size - 3] = '\0'; |