archivers/ha: Fix CVE-2015-1198

Fix directory traversal vulnerabilities (CVE-2015-1198)

Reported by:	decke

(cherry picked from commit 0e6da3c2e1)
This commit is contained in:
Alex Kozlov 2021-09-27 19:42:12 +02:00
parent e8a8d2eb01
commit e28d4d2d9d
3 changed files with 126 additions and 12 deletions

View File

@ -2,7 +2,7 @@
PORTNAME= ha
PORTVERSION= 0.999b
PORTREVISION= 1
PORTREVISION= 2
CATEGORIES= archivers
MASTER_SITES= https://aklv.github.io/distfiles/
DISTNAME= ha0999
@ -25,6 +25,8 @@ post-patch:
-e 's|LDFLAGS = -O2||' \
-e 's|CFLAGS = -Wall -O2|CFLAGS += -Wall|' \
${WRKSRC}/makefile.nix
@${REINPLACE_CMD} -e 's|OBJS = machine.o info.o|OBJS = machine.o info.o sanitize.o|' \
${WRKSRC}/nix/makefile
do-install:
${INSTALL_PROGRAM} ${WRKSRC}/ha ${STAGEDIR}${PREFIX}/bin

View File

@ -0,0 +1,123 @@
- Fix unchecked path extraction problem (CAN-2015-1198)
Index: nix/sanitize.c
@@ -0,0 +1,79 @@
+/*
+ * Path sanitation code by Ludwig Nussel <ludwig.nussel@suse.de>. Public Domain.
+ */
+
+#include <string.h>
+#include <limits.h>
+#include <stdio.h>
+
+#ifndef PATH_CHAR
+#define PATH_CHAR '/'
+#endif
+#ifndef MIN
+#define MIN(x,y) ((x)<(y)?(x):(y))
+#endif
+
+/* copy src into dest converting the path to a relative one inside the current
+ * directory. dest must hold at least len bytes */
+void copy_path_relative(char *dest, char *src, size_t len)
+{
+ char* o = dest;
+ char* p = src;
+
+ *o = '\0';
+
+ while(*p && *p == PATH_CHAR) ++p;
+ for(; len && *p;)
+ {
+ src = p;
+ p = strchr(src, PATH_CHAR);
+ if(!p) p = src+strlen(src);
+
+ /* . => skip */
+ if(p-src == 1 && *src == '.' )
+ {
+ if(*p) src = ++p;
+ }
+ /* .. => pop one */
+ else if(p-src == 2 && *src == '.' && src[1] == '.')
+ {
+ if(o != dest)
+ {
+ char* tmp;
+ *o = '\0';
+ tmp = strrchr(dest, PATH_CHAR);
+ if(!tmp)
+ {
+ len += o-dest;
+ o = dest;
+ if(*p) ++p;
+ }
+ else
+ {
+ len += o-tmp;
+ o = tmp;
+ if(*p) ++p;
+ }
+ }
+ else /* nothing to pop */
+ if(*p) ++p;
+ }
+ else
+ {
+ size_t copy;
+ if(o != dest)
+ {
+ --len;
+ *o++ = PATH_CHAR;
+ }
+ copy = MIN(p-src,len);
+ memcpy(o, src, copy);
+ len -= copy;
+ src += copy;
+ o += copy;
+ if(*p) ++p;
+ }
+ while(*p && *p == PATH_CHAR) ++p;
+ }
+ o[len?0:-1] = '\0';
+}
Index: nix/machine.c
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <ctype.h>
#include <stdio.h>
+#include <string.h>
#include <sys/types.h>
#include <utime.h>
#include <time.h>
@@ -68,6 +69,8 @@
static Mdhd mdhd;
struct stat filestat;
+void copy_path_relative(char *dest, char *src, size_t len);
+
static void sig_handler(int signo) {
error(1,ERR_INT,signo);
@@ -375,7 +378,7 @@
if (i==0) skipemptypath=1;
else skipemptypath=0;
if ((hapath=malloc(j+1-i))==NULL) error(1,ERR_MEM,"md_tohapath()");
- strcpy(hapath,mdpath+i);
+ copy_path_relative(hapath, mdpath+i, sizeof(hapath));
for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff;
return md_strcase(hapath);
}
@@ -388,8 +391,10 @@
if (mdpath!=NULL) free(mdpath),mdpath=NULL;
if ((mdpath=malloc(strlen(hapath)+1))==NULL)
error(1,ERR_MEM,"md_tomdpath()");
- strcpy(mdpath,hapath);
- for (i=0;mdpath[i];++i) if ((unsigned char)mdpath[i]==0xff) mdpath[i]='/';
+ /* Kludge to avoid temp string allocation */
+ for (i=0;hapath[i];++i) if (hapath[i]==0xff) hapath[i]='/';
+ copy_path_relative(mdpath, hapath, sizeof(mdpath));
+ for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff;
return mdpath;
}

View File

@ -1,11 +0,0 @@
--- nix/machine.c.orig 1995-01-12 06:53:00 UTC
+++ nix/machine.c
@@ -417,7 +417,7 @@ char *md_stripname(char *mdfullpath) {
if (plainname!=NULL) free(plainname),plainname=NULL;
if ((plainname=malloc(strlen(mdfullpath)+1))==NULL)
error(1,ERR_MEM,"md_stripname()");
- for (i=strlen(mdfullpath)-1;i>0;i--) {
+ for (i=strlen(mdfullpath)-1;i>=0;i--) {
if (mdfullpath[i]=='/') {
i++;
break;