[patch/f13/master] Incorporate upstream fix for CVE-2010-4651 patch (bug #667529).

Tim Waugh twaugh at fedoraproject.org
Thu Feb 10 12:48:32 UTC 2011 

commit 4b3160c81a682ff27ff2ad2b4ad9d45c6e6d9905
Author: Tim Waugh <twaugh at redhat.com>
Date:   Thu Feb 10 12:33:04 2011 +0000

    Incorporate upstream fix for CVE-2010-4651 patch (bug #667529).

 patch-CVE-2010-4651.patch |   78 +++++++++++++++++++++++++++++++-------------
 patch.spec                |    6 +++-
 2 files changed, 60 insertions(+), 24 deletions(-)
---
diff --git a/patch-CVE-2010-4651.patch b/patch-CVE-2010-4651.patch
index d7556b6..3f2de6a 100644
--- a/patch-CVE-2010-4651.patch
+++ b/patch-CVE-2010-4651.patch
@@ -1,7 +1,6 @@
-diff -U0 patch-2.6.1/ChangeLog.CVE-2010-4651 patch-2.6.1/ChangeLog
 diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
---- patch-2.6.1/Makefile.in.CVE-2010-4651	2011-02-08 11:26:21.782503673 +0000
-+++ patch-2.6.1/Makefile.in	2011-02-08 11:26:56.004078346 +0000
+--- patch-2.6.1/Makefile.in.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
++++ patch-2.6.1/Makefile.in	2011-02-10 12:29:32.926361705 +0000
 @@ -192,6 +192,7 @@ installcheck::
  TESTS = \
  	tests/asymmetric-hunks \
@@ -10,27 +9,38 @@ diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
  	tests/corrupt-reject-files \
  	tests/create-delete \
  	tests/crlf-handling \
-diff -up patch-2.6.1/NEWS.CVE-2010-4651 patch-2.6.1/NEWS
-diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
---- patch-2.6.1/src/pch.c.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/src/pch.c	2011-02-08 11:25:53.821034698 +0000
-@@ -3,7 +3,7 @@
- /* Copyright (C) 1986, 1987, 1988 Larry Wall
+diff -up patch-2.6.1/src/common.h.CVE-2010-4651 patch-2.6.1/src/common.h
+--- patch-2.6.1/src/common.h.CVE-2010-4651	2011-02-10 12:30:29.142797627 +0000
++++ patch-2.6.1/src/common.h	2011-02-10 12:30:33.566989729 +0000
+@@ -169,6 +169,7 @@ XTERN char *revision;			/* prerequisite 
+ #endif
  
-    Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
--   2002, 2003, 2006, 2009 Free Software Foundation, Inc.
-+   2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
+ void fatal_exit (int) __attribute__ ((noreturn));
++void validate_target_name (char const *n);
  
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-@@ -194,11 +194,31 @@ grow_hunkmax (void)
-     return false;
+ #include <errno.h>
+ #if !STDC_HEADERS && !defined errno
+diff -up patch-2.6.1/src/patch.c.CVE-2010-4651 patch-2.6.1/src/patch.c
+--- patch-2.6.1/src/patch.c.CVE-2010-4651	2011-02-10 12:30:20.721432124 +0000
++++ patch-2.6.1/src/patch.c	2011-02-10 12:30:33.567989772 +0000
+@@ -34,6 +34,7 @@
+ #include <util.h>
+ #include <version.h>
+ #include <xalloc.h>
++#include <dirname.h>
+ 
+ /* procedures */
+ 
+@@ -916,6 +917,26 @@ numeric_string (char const *string,
+   return value;
  }
  
-+static void
++void
 +validate_target_name (char const *n)
 +{
 +  char const *p = n;
++  if (explicit_inname)
++    return;
 +  if (IS_ABSOLUTE_FILE_NAME (p))
 +    fatal ("rejecting absolute target file name: %s", quotearg (p));
 +  while (*p)
@@ -45,8 +55,22 @@ diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
 +    }
 +}
 +
- static bool
- maybe_reverse (char const *name, bool nonexistent, bool is_empty)
+ /* Attempt to find the right place to apply this hunk of patch. */
+ 
+ static LINENUM
+diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
+--- patch-2.6.1/src/pch.c.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
++++ patch-2.6.1/src/pch.c	2011-02-10 12:30:33.573990033 +0000
+@@ -3,7 +3,7 @@
+ /* Copyright (C) 1986, 1987, 1988 Larry Wall
+ 
+    Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
+-   2002, 2003, 2006, 2009 Free Software Foundation, Inc.
++   2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -199,6 +199,8 @@ maybe_reverse (char const *name, bool no
  {
    bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty];
  
@@ -55,7 +79,7 @@ diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
    if (looks_reversed)
      reverse ^=
        ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!",
-@@ -725,6 +745,7 @@ intuit_diff_type (bool need_header)
+@@ -725,6 +727,7 @@ intuit_diff_type (bool need_header)
  	inerrno = stat_errno[i];
  	invc = version_controlled[i];
  	instat = st[i];
@@ -64,9 +88,9 @@ diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
  
      return retval;
 diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames
---- patch-2.6.1/tests/bad-filenames.CVE-2010-4651	2011-02-08 11:24:57.517092060 +0000
-+++ patch-2.6.1/tests/bad-filenames	2011-02-08 11:24:57.518092076 +0000
-@@ -0,0 +1,63 @@
+--- patch-2.6.1/tests/bad-filenames.CVE-2010-4651	2011-02-10 12:29:32.931361921 +0000
++++ patch-2.6.1/tests/bad-filenames	2011-02-10 12:30:33.576990163 +0000
+@@ -0,0 +1,71 @@
 +# Copyright (C) 2011 Free Software Foundation, Inc.
 +#
 +# Copying and distribution of this file, with or without modification,
@@ -130,3 +154,11 @@ diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-fil
 +patching file target
 +status: 0
 +EOF
++
++# Do not validate any file name from the input when the target
++# is specified on the command line:
++touch abs
++check 'emit_patch /absolute/path | patch `pwd`/abs; echo status: $?' <<EOF
++patching file `pwd`/abs
++status: 0
++EOF
diff --git a/patch.spec b/patch.spec
index 1e9acdf..e2320b2 100644
--- a/patch.spec
+++ b/patch.spec
@@ -1,7 +1,7 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.6.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 URL: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
@@ -67,6 +67,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*
 
 %changelog
+* Thu Feb 10 2011 Tim Waugh <twaugh at redhat.com> 2.6.1-8
+- Incorporate upstream fix for CVE-2010-4651 patch so that a target
+  name given on the command line is not validated (bug #667529).
+
 * Tue Feb  8 2011 Tim Waugh <twaugh at redhat.com> 2.6.1-7
 - Applied upstream patch to fix CVE-2010-4651 so that malicious
   patches cannot create files above the current directory

More information about the scm-commits mailing list