summaryrefslogtreecommitdiff
path: root/archivers
diff options
context:
space:
mode:
authortaca <taca@pkgsrc.org>2004-05-13 11:42:43 +0000
committertaca <taca@pkgsrc.org>2004-05-13 11:42:43 +0000
commitbb5daad3794102b1be21fdac09d984eb39807dbc (patch)
tree78781cb6a92705712dfd5d5e628ba53bafcc5a17 /archivers
parent822c75de8b44e1ecc5c8d51a0bf7ab40a7045535 (diff)
downloadpkgsrc-bb5daad3794102b1be21fdac09d984eb39807dbc.tar.gz
Fix security problem of lha package applying patches by David Ahmad
< da at securityfocus dot com > on bugtraq mailing list. Bump pacakge revision to nb2.
Diffstat (limited to 'archivers')
-rw-r--r--archivers/lha/Makefile4
-rw-r--r--archivers/lha/distinfo4
-rw-r--r--archivers/lha/patches/patch-ad53
-rw-r--r--archivers/lha/patches/patch-ak26
4 files changed, 84 insertions, 3 deletions
diff --git a/archivers/lha/Makefile b/archivers/lha/Makefile
index 9aa68700e49..56659e968b1 100644
--- a/archivers/lha/Makefile
+++ b/archivers/lha/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.19 2004/05/06 08:15:08 itojun Exp $
+# $NetBSD: Makefile,v 1.20 2004/05/13 11:42:43 taca Exp $
DISTNAME= lha-114i
PKGNAME= lha-114.9
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= archivers
MASTER_SITES= http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ \
ftp://ftp.win.ne.jp/pub/misc/
diff --git a/archivers/lha/distinfo b/archivers/lha/distinfo
index c33f85c6bab..ac4f68f3a67 100644
--- a/archivers/lha/distinfo
+++ b/archivers/lha/distinfo
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.5 2002/08/25 21:49:12 jlam Exp $
+$NetBSD: distinfo,v 1.6 2004/05/13 11:42:43 taca Exp $
SHA1 (lha-114i.tar.gz) = 79e35271f2cf783f946db3f22e304fef72dbac99
Size (lha-114i.tar.gz) = 64608 bytes
+SHA1 (patch-ad) = a3169c55c462d4eb54e52709744ef7084a94bcb4
SHA1 (patch-ae) = a53647ccf72511ecd2b5306e23da1219fa5e7264
SHA1 (patch-af) = 0c2f6d5bf23c3c98b102487abe3dd1190470f50c
SHA1 (patch-ag) = 9ad3bc807a3cda4f71d8fbbbea19306f252f2489
SHA1 (patch-ah) = cd44b40fa7e25a9996b2441d1b78a1a6570977b2
SHA1 (patch-ai) = d988b7d048656080d14bfad1da89c9888c9ddf90
SHA1 (patch-aj) = 6331fce7f55eef1c2003e693f165dd0565e7172e
+SHA1 (patch-ak) = fa6de630a7414b73dec8b75be0bfbb3493c4192f
diff --git a/archivers/lha/patches/patch-ad b/archivers/lha/patches/patch-ad
new file mode 100644
index 00000000000..5939e831736
--- /dev/null
+++ b/archivers/lha/patches/patch-ad
@@ -0,0 +1,53 @@
+$NetBSD: patch-ad,v 1.3 2004/05/13 11:42:43 taca Exp $
+
+--- src/lhext.c.orig 2000-10-04 23:57:38.000000000 +0900
++++ src/lhext.c
+@@ -190,8 +190,13 @@ extract_one(afp, hdr)
+ q = (char *) rindex(hdr->name, '/') + 1;
+ }
+ else {
++ if (is_directory_traversal(q)) {
++ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
++ exit(111);
++ }
++
+ if (*q == '/') {
+- q++;
++ while (*q == '/') { q++; }
+ /*
+ * if OSK then strip device name
+ */
+@@ -419,6 +424,33 @@ cmd_extract()
+ return;
+ }
+
++int
++is_directory_traversal(char *string)
++{
++ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
++ char *temp;
++
++ temp = string;
++
++ while (*temp != 0) {
++ if (temp[0] == '/') {
++ if (type == 1) { return 1; }
++ type = 0;
++ temp++;
++ continue;
++ }
++
++ if ((temp[0] == '.') && (type < 2))
++ type = 1;
++ if (temp[0] != '.')
++ type = 2;
++
++ temp++;
++ } /* while */
++
++ return (type == 1);
++}
++
+ /* Local Variables: */
+ /* mode:c */
+ /* tab-width:4 */
diff --git a/archivers/lha/patches/patch-ak b/archivers/lha/patches/patch-ak
new file mode 100644
index 00000000000..bd3f7427577
--- /dev/null
+++ b/archivers/lha/patches/patch-ak
@@ -0,0 +1,26 @@
+$NetBSD: patch-ak,v 1.1 2004/05/13 11:42:43 taca Exp $
+
+--- src/header.c.orig 2000-10-06 02:36:03.000000000 +0900
++++ src/header.c
+@@ -538,6 +538,10 @@ get_header(fp, hdr)
+ /*
+ * filename
+ */
++ if (header_size >= 256) {
++ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
++ exit(109);
++ }
+ for (i = 0; i < header_size - 3; i++)
+ hdr->name[i] = (char) get_byte();
+ hdr->name[header_size - 3] = '\0';
+@@ -547,6 +551,10 @@ get_header(fp, hdr)
+ /*
+ * directory
+ */
++ if (header_size >= FILENAME_LENGTH) {
++ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
++ exit(110);
++ }
+ for (i = 0; i < header_size - 3; i++)
+ dirname[i] = (char) get_byte();
+ dirname[header_size - 3] = '\0';