- Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180)

- Added patch from Debian for symlink directory traversal (#1178824)
- Added patch from Debian to fix the directory traversal via //multiple/leading/slash (#1178824)
epel9
Robert Scheck 10 years ago
parent 550c1ebdbf
commit 097f276de9

@ -0,0 +1,35 @@
Description: Fix buffer overflow causing an invalid pointer free().
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug-Debian: https://bugs.debian.org/774015
Forwarded: no
Last-Update: 2015-02-26
---
decode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/decode.c
+++ b/decode.c
@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
if(i==i_special)
{
c=getbits(2);
- while(--c>=0)
+ while(--c>=0&&i<nn)
pt_len[i++]=0;
}
}
@@ -314,10 +314,10 @@ void read_c_len()
c=getbits(CBIT);
c+=20;
}
- while(--c>=0)
+ while(--c>=0&&i<NC)
c_len[i++]=0;
}
- else
+ else if (i<NC)
c_len[i++]=(unsigned char)(c-2);
}
while(i<NC)

@ -0,0 +1,33 @@
Description: Fix absolute path traversals.
Catch multiple leading slashes when checking for absolute path traversals.
.
Fixes CVE-2015-0557.
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug-Debian: https://bugs.debian.org/774435
Forwarded: no
Last-Update: 2015-02-26
---
environ.c | 3 +++
1 file changed, 3 insertions(+)
--- a/environ.c
+++ b/environ.c
@@ -1087,6 +1087,8 @@ static char *validate_path(char *name)
if(action!=VALIDATE_DRIVESPEC)
{
#endif
+ while (name[0]!='\0'&&
+ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) {
if(name[0]=='.')
{
if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))
@@ -1096,6 +1098,7 @@ static char *validate_path(char *name)
}
if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)
name++; /* "\\" - revert to root */
+ }
#if SFX_LEVEL>=ARJSFXV
}
}

@ -0,0 +1,85 @@
Description: Fix symlink directory traversal.
Do not allow symlinks that traverse the current directoru, nor absolute
symlinks.
.
Fixes CVE-2015-0556.
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug-Debian: https://bugs.debian.org/774434
Forwarded: no
Last-Update: 2015-03-28
---
uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
--- a/uxspec.c
+++ b/uxspec.c
@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha
}
#endif
+#if TARGET==UNIX
+static int is_link_traversal(const char *name)
+{
+ enum {
+ STATE_NONE,
+ STATE_DOTS,
+ STATE_NAME,
+ } state = STATE_NONE;
+ int ndir = 0;
+ int dots = 0;
+
+ while(*name) {
+ int c = *name++;
+
+ if (c == '/')
+ {
+ if ((state == STATE_DOTS) && (dots == 2))
+ ndir--;
+ if (ndir < 0)
+ return 1;
+ if ((state == STATE_DOTS && dots == 1) && ndir == 0)
+ return 1;
+ if (state == STATE_NONE && ndir == 0)
+ return 1;
+ if ((state == STATE_DOTS) && (dots > 2))
+ ndir++;
+ state = STATE_NONE;
+ dots = 0;
+ }
+ else if (c == '.')
+ {
+ if (state == STATE_NONE)
+ state = STATE_DOTS;
+ dots++;
+ }
+ else
+ {
+ if (state == STATE_NONE)
+ ndir++;
+ state = STATE_NAME;
+ }
+ }
+
+ if ((state == STATE_DOTS) && (dots == 2))
+ ndir--;
+ if ((state == STATE_DOTS) && (dots > 2))
+ ndir++;
+
+ return ndir < 0;
+}
+#endif
+
/* Restores the UNIX special file data */
int set_uxspecial(char FAR *storage, char *name)
@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha
l=sizeof(tmp_name)-1;
far_memmove((char FAR *)tmp_name, dptr, l);
tmp_name[l]='\0';
+ if (is_link_traversal(tmp_name))
+ return(UXSPEC_RC_ERROR);
rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
if(!rc)
return(0);

@ -1,7 +1,7 @@
Summary: Archiver for .arj files
Name: arj
Version: 3.10.22
Release: 21%{?dist}
Release: 22%{?dist}
License: GPL+
Group: Applications/Archiving
URL: http://arj.sourceforge.net/
@ -20,6 +20,9 @@ Patch7: arj-3.10.22-missing-protos.patch
Patch8: arj-3.10.22-custom-printf.patch
# Filed into upstream bugtracker as https://sourceforge.net/tracker/?func=detail&aid=2853421&group_id=49820&atid=457566
Patch9: arj-3.10.22-quotes.patch
Patch10: arj-3.10.22-security-afl.patch
Patch11: arj-3.10.22-security-traversal-dir.patch
Patch12: arj-3.10.22-security-traversal-symlink.patch
BuildRequires: autoconf
Provides: unarj = %{version}-%{release}
Obsoletes: unarj < 3
@ -43,6 +46,9 @@ Software, Inc.
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
pushd gnu
autoconf
@ -73,13 +79,22 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%doc ChangeLog* doc/COPYING doc/rev_hist.txt
%{!?_licensedir:%global license %%doc}
%license doc/COPYING
%doc ChangeLog* doc/rev_hist.txt
%config(noreplace) %{_sysconfdir}/rearj.cfg
%{_bindir}/*arj*
%{_libdir}/arj/
%{_mandir}/man1/*arj*1.*
%changelog
* Fri Apr 03 2015 Robert Scheck <robert@fedoraproject.org> 3.10.22-22
- Added patch from Debian to avoid free on invalid pointer due to a
buffer overflow (#1196751, #1207180)
- Added patch from Debian for symlink directory traversal (#1178824)
- Added patch from Debian to fix the directory traversal via
//multiple/leading/slash (#1178824)
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.10.22-21
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

Loading…
Cancel
Save