[pl/f17] Fix CVE-2012-6090
Petr Pisar
ppisar at fedoraproject.org
Fri Jan 4 12:13:37 UTC 2013
commit 8e4707fdb925de7b6236b68a0b1fcf7f83545c05
Author: Petr Písař <ppisar at redhat.com>
Date: Fri Jan 4 12:53:27 2013 +0100
Fix CVE-2012-6090
pl-6.0.2-CVE-2012-6090.patch | 112 ++++++++++++++++++++++++++++++++++++++++++
pl.spec | 5 ++
2 files changed, 117 insertions(+), 0 deletions(-)
---
diff --git a/pl-6.0.2-CVE-2012-6090.patch b/pl-6.0.2-CVE-2012-6090.patch
new file mode 100644
index 0000000..bb6fe94
--- /dev/null
+++ b/pl-6.0.2-CVE-2012-6090.patch
@@ -0,0 +1,112 @@
+From b2c88972e7515ada025e97e7d3ce3e34f81cf33e Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Sun, 16 Dec 2012 17:29:37 +0100
+Subject: [PATCH] SECURITY: Possible buffer overflows when expanding
+ file-names with long paths. Affects expand_file_name/2.
+
+Can lead to crashes (DoS attacks) and possibly execution of arbitrary
+code if an attacker can control the names of the files searched for,
+e.g., if expand_file_name/2 is used in a directory to which an attacker
+can upload files for which he can control the name.
+---
+ src/os/pl-glob.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/src/os/pl-glob.c b/src/os/pl-glob.c
+index 46ddf5b..0b1baeb 100644
+--- a/src/os/pl-glob.c
++++ b/src/os/pl-glob.c
+@@ -424,6 +424,7 @@ expand(const char *pattern, GlobInfo info)
+ compiled_pattern cbuf;
+ char prefix[MAXPATHLEN]; /* before first pattern */
+ char patbuf[MAXPATHLEN]; /* pattern buffer */
++ size_t prefix_len;
+ int end, dot;
+
+ initBuffer(&info->files);
+@@ -442,20 +443,25 @@ expand(const char *pattern, GlobInfo info)
+ switch( (c=*s++) )
+ { case EOS:
+ if ( s > pat ) /* something left and expanded */
+- { un_escape(prefix, pat, s);
++ { size_t prefix_len;
++
++ un_escape(prefix, pat, s);
++ prefix_len = strlen(prefix);
+
+ end = info->end;
+ for( ; info->start < end; info->start++ )
+ { char path[MAXPATHLEN];
+- size_t plen;
+-
+- strcpy(path, expand_entry(info, info->start));
+- plen = strlen(path);
+- if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+- path[plen++] = '/';
+- strcpy(&path[plen], prefix);
+- if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+- add_path(path, info);
++ const char *entry = expand_entry(info, info->start);
++ size_t plen = strlen(entry);
++
++ if ( plen+prefix_len+2 <= MAXPATHLEN )
++ { strcpy(path, entry);
++ if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
++ path[plen++] = '/';
++ strcpy(&path[plen], prefix);
++ if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
++ add_path(path, info);
++ }
+ }
+ }
+ succeed;
+@@ -490,8 +496,9 @@ expand(const char *pattern, GlobInfo info)
+ */
+ un_escape(prefix, pat, head);
+ un_escape(patbuf, head, tail);
++ prefix_len = strlen(prefix);
+
+- if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
++ if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
+ fail;
+ dot = (patbuf[0] == '.'); /* do dots as well */
+
+@@ -503,12 +510,16 @@ expand(const char *pattern, GlobInfo info)
+ char path[MAXPATHLEN];
+ char tmp[MAXPATHLEN];
+ const char *current = expand_entry(info, info->start);
++ size_t clen = strlen(current);
++
++ if ( clen+prefix_len+1 > sizeof(path) )
++ continue;
+
+ strcpy(path, current);
+- strcat(path, prefix);
++ strcpy(&path[clen], prefix);
+
+ if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
+- { size_t plen = strlen(path);
++ { size_t plen = clen+prefix_len;
+
+ if ( plen > 0 && path[plen-1] != '/' )
+ path[plen++] = '/';
+@@ -522,12 +533,11 @@ expand(const char *pattern, GlobInfo info)
+ matchPattern(e->d_name, &cbuf) )
+ { char newp[MAXPATHLEN];
+
+- strcpy(newp, path);
+- strcpy(&newp[plen], e->d_name);
+-/* if ( !tail[0] || ExistsDirectory(newp) )
+- Saves memory, but involves one more file-access
+-*/
++ if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
++ { strcpy(newp, path);
++ strcpy(&newp[plen], e->d_name);
+ add_path(newp, info);
++ }
+ }
+ }
+ closedir(d);
+--
+1.7.11.7
+
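Review bot: The length guard added before `strcpy(path, current)` in the third inner hunk (`if ( clen+prefix_len+1 > sizeof(path) ) continue;`) reserves room only for the terminator, yet the unchanged lines just below still append a separator with `path[plen++] = '/'`; when `clen+prefix_len+1 == sizeof(path)` that store lands on the terminator slot and leaves `plen == sizeof(path)`, so `path` is no longer a terminated string for whatever follows (the later `newp` guard happens to refuse every entry in that state, so the visible code does not overflow, but any terminating write or further read of `path` outside the hunk would be affected). The first inner hunk already budgets `plen+prefix_len+2 <= MAXPATHLEN` for exactly this separator-plus-terminator case, and the two checks should agree: `if ( clen+prefix_len+2 > sizeof(path) )`. Separately, the `size_t prefix_len;` added at function scope in the first inner hunk is shadowed by the block-scoped `size_t prefix_len;` declared in the `EOS` case, which `-Wshadow` would flag and which makes it easy to misread which value the later guards use; dropping the inner declaration and assigning the outer variable there is enough. The body of `expand` begins before and continues after each of these hunks, so the uses of `path` following the separator append cannot be confirmed from here.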
diff --git a/pl.spec b/pl.spec
index 4a1537d..0c4fdff 100644
--- a/pl.spec
+++ b/pl.spec
@@ -29,6 +29,8 @@ Patch3: %{name}-6.0.2-jni.patch
Patch4: %{name}-5.10.5-pc.patch
# Fix CVE-2012-6089, in upstream 6.2.5, bug #891666
Patch5: %{name}-6.0.2-CVE-2012-6089.patch
+# Fix CVE-2012-6090, in upstream 6.2.5, bug #891666
+Patch6: %{name}-6.0.2-CVE-2012-6090.patch
# Base
BuildRequires: gmp-devel
@@ -168,6 +170,7 @@ in Prolog. In both setups it provides a re-entrant bidirectional interface.
%patch3 -p1 -b .jni
%patch4 -p1 -b .pc
%patch5 -p1 -b .CVE-2012-6089
+%patch6 -p1 -b .CVE-2012-6090
(
cd src
autoconf
@@ -329,6 +332,8 @@ rm $RPM_BUILD_ROOT%{_libdir}/swipl-%{version}/xpce/bin/*-linux/xpce-client
%changelog
* Fri Jan 04 2013 Petr Pisar <ppisar at redhat.com> - 6.0.2-4
- Fix CVE-2012-6089 (buffer overflows in path canonisation code) (bug #891666)
+- Fix CVE-2012-6090 (buffer overflows when expanding file-names with long
+ paths) (bug #891666)
* Thu Mar 22 2012 Petr Pisar <ppisar at redhat.com> - 6.0.2-3
- Remove JDK version constrain by hacking JDK paths (bug #740897)