archivers/ha: Fix CVE-2015-1198
Fix directory traversal vulnerabilities (CVE-2015-1198)
Reported by: decke
(cherry picked from commit 0e6da3c2e1)
parent
e8a8d2eb01
commit
e28d4d2d9d
@ -2,7 +2,7 @@
|
||||
|
||||
PORTNAME= ha
|
||||
PORTVERSION= 0.999b
|
||||
PORTREVISION= 1
|
||||
PORTREVISION= 2
|
||||
CATEGORIES= archivers
|
||||
MASTER_SITES= https://aklv.github.io/distfiles/
|
||||
DISTNAME= ha0999
|
||||
@ -25,6 +25,8 @@ post-patch:
|
||||
-e 's|LDFLAGS = -O2||' \
|
||||
-e 's|CFLAGS = -Wall -O2|CFLAGS += -Wall|' \
|
||||
${WRKSRC}/makefile.nix
|
||||
@${REINPLACE_CMD} -e 's|OBJS = machine.o info.o|OBJS = machine.o info.o sanitize.o|' \
|
||||
${WRKSRC}/nix/makefile
|
||||
|
||||
do-install:
|
||||
${INSTALL_PROGRAM} ${WRKSRC}/ha ${STAGEDIR}${PREFIX}/bin
|
||||
|
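--- a/archivers/ha/files/patch-CVE-2015-1198
+++ b/archivers/ha/files/patch-CVE-2015-1198
@@ -0,0 +1,123 @@
+- Fix unchecked path extraction problem (CAN-2015-1198)
+
+Index: nix/sanitize.c
+@@ -0,0 +1,79 @@
++/*
++ * Path sanitation code by Ludwig Nussel <ludwig.nussel@suse.de>. Public Domain.
++ */
++
++#include <string.h>
++#include <limits.h>
++#include <stdio.h>
++
++#ifndef PATH_CHAR
++#define PATH_CHAR '/'
++#endif
++#ifndef MIN
++#define MIN(x,y) ((x)<(y)?(x):(y))
++#endif
++
++/* copy src into dest converting the path to a relative one inside the current
++ * directory. dest must hold at least len bytes */
++void copy_path_relative(char *dest, char *src, size_t len)
++{
++ char* o = dest;
++ char* p = src;
++
++ *o = '\0';
++
++ while(*p && *p == PATH_CHAR) ++p;
++ for(; len && *p;)
++ {
++ src = p;
++ p = strchr(src, PATH_CHAR);
++ if(!p) p = src+strlen(src);
++
++ /* . => skip */
++ if(p-src == 1 && *src == '.' )
++ {
++ if(*p) src = ++p;
++ }
++ /* .. => pop one */
++ else if(p-src == 2 && *src == '.' && src[1] == '.')
++ {
++ if(o != dest)
++ {
++ char* tmp;
++ *o = '\0';
++ tmp = strrchr(dest, PATH_CHAR);
++ if(!tmp)
++ {
++ len += o-dest;
++ o = dest;
++ if(*p) ++p;
++ }
++ else
++ {
++ len += o-tmp;
++ o = tmp;
++ if(*p) ++p;
++ }
++ }
++ else /* nothing to pop */
++ if(*p) ++p;
++ }
++ else
++ {
++ size_t copy;
++ if(o != dest)
++ {
++ --len;
++ *o++ = PATH_CHAR;
++ }
++ copy = MIN(p-src,len);
++ memcpy(o, src, copy);
++ len -= copy;
++ src += copy;
++ o += copy;
++ if(*p) ++p;
++ }
++ while(*p && *p == PATH_CHAR) ++p;
++ }
++ o[len?0:-1] = '\0';
++}
+Index: nix/machine.c
+@@ -22,6 +22,7 @@
+#include <stdlib.h>
+#include <ctype.h>
+#include <stdio.h>
++#include <string.h>
+#include <sys/types.h>
+#include <utime.h>
+#include <time.h>
+@@ -68,6 +69,8 @@
+static Mdhd mdhd;
+struct stat filestat;
+
++void copy_path_relative(char *dest, char *src, size_t len);
++
+static void sig_handler(int signo) {
+
+error(1,ERR_INT,signo);
+@@ -375,7 +378,7 @@
+if (i==0) skipemptypath=1;
+else skipemptypath=0;
+if ((hapath=malloc(j+1-i))==NULL) error(1,ERR_MEM,"md_tohapath()");
+- strcpy(hapath,mdpath+i);
++ copy_path_relative(hapath, mdpath+i, sizeof(hapath));
+for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff;
+return md_strcase(hapath);
+}
+@@ -388,8 +391,10 @@
+if (mdpath!=NULL) free(mdpath),mdpath=NULL;
+if ((mdpath=malloc(strlen(hapath)+1))==NULL)
+error(1,ERR_MEM,"md_tomdpath()");
+- strcpy(mdpath,hapath);
+- for (i=0;mdpath[i];++i) if ((unsigned char)mdpath[i]==0xff) mdpath[i]='/';
++ /* Kludge to avoid temp string allocation */
++ for (i=0;hapath[i];++i) if (hapath[i]==0xff) hapath[i]='/';
++ copy_path_relative(mdpath, hapath, sizeof(mdpath));
++ for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff;
+return mdpath;
+}
+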
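Review bot: Both new calls in nix/machine.c pass `sizeof(hapath)` / `sizeof(mdpath)` as the length, but each buffer is assigned from `malloc` in the visible context, so these look like pointers and the limit becomes the pointer size (4 or 8 bytes) rather than the allocation; any sanitized path longer than that is silently truncated. Pass the allocated size instead: `copy_path_relative(hapath, mdpath+i, j+1-i);` and `copy_path_relative(mdpath, hapath, strlen(hapath)+1);`. In the md_tomdpath hunk the new `hapath[i]==0xff` drops the `(unsigned char)` cast that the removed line had, so where plain char is signed the 0xff separators are never turned into '/' and the sanitizer would not see `..` as a separate component; keep `(unsigned char)hapath[i]==0xff`. In copy_path_relative, `o[len?0:-1]` writes one byte before `dest` when the function is called with `len` 0, so an early `if (!len) return;` before the first store is worth adding. Both machine.c functions begin outside their hunks, so the declarations of hapath and mdpath should be confirmed against the full file.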
@ -1,11 +0,0 @@
|
||||
--- nix/machine.c.orig 1995-01-12 06:53:00 UTC
|
||||
+++ nix/machine.c
|
||||
@@ -417,7 +417,7 @@ char *md_stripname(char *mdfullpath) {
|
||||
if (plainname!=NULL) free(plainname),plainname=NULL;
|
||||
if ((plainname=malloc(strlen(mdfullpath)+1))==NULL)
|
||||
error(1,ERR_MEM,"md_stripname()");
|
||||
- for (i=strlen(mdfullpath)-1;i>0;i--) {
|
||||
+ for (i=strlen(mdfullpath)-1;i>=0;i--) {
|
||||
if (mdfullpath[i]=='/') {
|
||||
i++;
|
||||
break;
|