From cafd294a671581d90a78e216825244f20eae643a Mon Sep 17 00:00:00 2001
From: tonnerre
Date: Sun, 8 Jun 2008 02:40:38 +0000
Subject: Fix directory traversal vulnerability (CVE-2007-4134) in star.
---
 archivers/star/Makefile | 4 +--
 archivers/star/distinfo | 3 +-
 archivers/star/patches/patch-ad | 64 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 archivers/star/patches/patch-ad
(limited to 'archivers/star')
diff --git a/archivers/star/Makefile b/archivers/star/Makefile
index c10e26fe04d..ee685c4b076 100644
--- a/archivers/star/Makefile
+++ b/archivers/star/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.21 2007/12/30 17:25:41 cjep Exp $
+# $NetBSD: Makefile,v 1.22 2008/06/08 02:40:38 tonnerre Exp $
 #
 DISTNAME= star-1.4.3
-PKGREVISION= 3
+PKGREVISION= 4
 CATEGORIES= archivers
 MASTER_SITES= ftp://ftp.berlios.de/pub/star/
diff --git a/archivers/star/distinfo b/archivers/star/distinfo
index a277abb6d0b..e034bfdf70f 100644
--- a/archivers/star/distinfo
+++ b/archivers/star/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2007/12/30 17:25:42 cjep Exp $
+$NetBSD: distinfo,v 1.9 2008/06/08 02:40:38 tonnerre Exp $
 SHA1 (star-1.4.3.tar.gz) = c59b68d97edba77a9ac6000be04d457ded1eefe9
 RMD160 (star-1.4.3.tar.gz) = f7ec71bfab1723c994e5eed7e6818394a41d44d9
@@ -6,3 +6,4 @@ Size (star-1.4.3.tar.gz) = 520388 bytes
 SHA1 (patch-aa) = 4fe4af396adf23eb7ac071b02a7bf726ab1e4318
 SHA1 (patch-ab) = aea3af88d3bedf2ce7a7744c90062ba4e57bb79f
 SHA1 (patch-ac) = 81e6361db3903e5b04fae4e70ad3a37f9a2f4fa7
+SHA1 (patch-ad) = 8e9fff0b8345a1997ae08a5c5e57260b4c5f8090
diff --git a/archivers/star/patches/patch-ad b/archivers/star/patches/patch-ad
new file mode 100644
index 00000000000..f40d56bfebe
--- /dev/null
+++ b/archivers/star/patches/patch-ad
@@ -0,0 +1,64 @@
+$NetBSD: patch-ad,v 1.1 2008/06/08 02:40:38 tonnerre Exp $
+
+--- star/extract.c.orig 2002-05-02 22:02:41.000000000 +0200
++++ star/extract.c
+@@ -92,6 +92,7 @@ EXPORT int xt_file __PR((FINFO * info,
+ int (*)(void *, char *, int),
+ void *arg, int amt, char* text));
+ EXPORT void skip_slash __PR((FINFO * info));
++LOCAL BOOL has_dotdot __PR((char *name));
+
+ EXPORT void
+ extract(vhname)
+@@ -152,6 +153,12 @@ extract(vhname)
+ if (is_symlink(&finfo) && same_symlink(&finfo)) {
+ continue;
+ }
++ if (!interactive && has_dotdot(finfo.f_name)) {
++ errmsgno(EX_BAD, "'%s' contains '..', skipping ...\n",
++ finfo.f_name);
++ void_file(&finfo);
++ return (FALSE);
++ }
+ if (interactive && !ia_change(ptb, &finfo)) {
+ if (!nflag)
+ fprintf(vpr, "Skipping ...\n");
+@@ -169,6 +176,12 @@ extract(vhname)
+ if (!make_dir(&finfo))
+ continue;
+ } else if (is_link(&finfo)) {
++ if (!interactive && has_dotdot(finfo.f_lname)) {
++ errmsgno(EX_BAD, "'%s' contains '..', "
++ "skipping ...\n", finfo.f_lname);
++ void_file(&finfo);
++ return (FALSE);
++ }
+ if (!make_link(&finfo))
+ continue;
+ } else if (is_symlink(&finfo)) {
+@@ -830,3 +843,25 @@ skip_slash(info)
+ while (info->f_lname[0] == '/')
+ info->f_lname++;
+ }
++
++LOCAL BOOL
++has_dotdot(name)
++ char *name;
++{
++ register char *p = name;
++
++ while (*p) {
++ if ((p[0] == '.' && p[1] == '.') &&
++ (p[2] == '/' || p[2] == '\0')) {
++ return (TRUE);
++ }
++ do {
++ if (*p++ == '\0')
++ return (FALSE);
++ } while (*p != '/');
++ p++;
++ while (*p && *p == '/') /* Skip multiple slashes */
++ p++;
++ }
++ return (FALSE);
++}
-- cgit v1.2.3
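Review bot: Both added guards end with `return (FALSE);`, but the inner hunk headers place them in `extract(vhname)`, which the context lines of the first inner hunk show declared as `EXPORT void`. The return therefore carries a value out of a void function and, unlike the neighbouring branches that `continue`, appears to stop processing the rest of the archive even though the message says "skipping". If the intent is to skip only the offending member, `void_file(&finfo); continue;` would match the surrounding code; most of extract() lies outside these hunks, so this should be confirmed against the full loop. Separately, in `has_dotdot` the inner `do { ... } while (*p != '/');` loop advances past `p[0]` before looking for the next separator, so for a name that still begins with a single `/` the first component is never compared against `..`; whether `skip_slash` has always run by then is not visible here. A one-line comment above `has_dotdot` stating that it expects leading slashes to be stripped already would make that assumption explicit.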