[arc] Fix directory traversal security issue (rhbz#1179143)

Hans de Goede jwrdegoede at fedoraproject.org
Fri Jan 16 15:24:40 UTC 2015


commit 5cc962a08c88685cd93217c6961994a29f88e10c
Author: Hans de Goede <hdegoede at redhat.com>
Date:   Fri Jan 16 16:25:01 2015 +0100

    Fix directory traversal security issue (rhbz#1179143)

 arc-5.21p-directory-traversel.patch |   21 ++++++++++
 arc-5.21p-fix-arcdie.patch          |   34 +++++++++++++++++
 arc-5.21p-hdrv1-read-fix.patch      |   70 +++++++++++++++++++++++++++++++++++
 arc.spec                            |   14 ++++++-
 4 files changed, 138 insertions(+), 1 deletions(-)
---
diff --git a/arc-5.21p-directory-traversel.patch b/arc-5.21p-directory-traversel.patch
new file mode 100644
index 0000000..b55e153
--- /dev/null
+++ b/arc-5.21p-directory-traversel.patch
@@ -0,0 +1,21 @@
+Fix directory traversal bugs
+
+arc archives do not contain directory hierarchies, only filenames, so refuse
+to operate on archives which have the directory-seperator inside filenames.
+
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143
+Signed-off-by: Hans de Goede <hdegoede at redhat.com>
+diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c
+--- arc-5.21p/arcio.c~	2015-01-16 13:04:16.000000000 +0100
++++ arc-5.21p/arcio.c	2015-01-16 15:45:31.389010626 +0100
+@@ -109,6 +109,9 @@ readhdr(hdr, f)			/* read a header from
+ #if	_MTS
+ 	(void) atoe(hdr->name, strlen(hdr->name));
+ #endif
++	if (strchr(hdr->name, CUTOFF) != NULL)
++		arcdie("%s contains illegal filename %s", arcname, hdr->name);
++
+ 	for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++);
+ 	hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ 	hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
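Review bot: The added `strchr(hdr->name, CUTOFF)` test in readhdr rejects only the one separator character that CUTOFF expands to, and it relies on hdr->name already being NUL-terminated. CUTOFF's definition is not visible here; if some builds define it as `'\\'`, a name containing `/` would presumably still pass on platforms that accept both separators, so testing both explicitly is safer: `if (strchr(hdr->name, '/') != NULL || strchr(hdr->name, '\\') != NULL)`. The termination appears to come from the `hdr->name[FNLEN - 1] = 0` line added by arc-5.21p-hdrv1-read-fix.patch, and the two-argument arcdie() call needs arc-5.21p-fix-arcdie.patch, so a comment such as `/* name is NUL-terminated above; requires hdrv1-read-fix and fix-arcdie to be applied first */` would record that ordering. readhdr's body starts and ends outside the hunk.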
diff --git a/arc-5.21p-fix-arcdie.patch b/arc-5.21p-fix-arcdie.patch
new file mode 100644
index 0000000..03fa9de
--- /dev/null
+++ b/arc-5.21p-fix-arcdie.patch
@@ -0,0 +1,34 @@
+Fix arcdie crash when called with more then 1 variable argument
+
+Add proper vararg handling to fix crash on 64 bit machines when arcdie gets
+called with more then 1 variable argument.
+
+Signed-off-by: Hans de Goede <hdegoede at redhat.com>
+diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c
+--- arc-5.21p/arcmisc.c~	2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p/arcmisc.c	2015-01-16 16:10:29.322603290 +0100
+@@ -4,6 +4,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <stdarg.h>
+ #include <ctype.h>
+ #include "arc.h"
+ 
+@@ -223,11 +224,13 @@ upper(string)
+ }
+ /* VARARGS1 */
+ VOID
+-arcdie(s, arg1, arg2, arg3)
+-	char           *s;
++arcdie(const char *s, ...)
+ {
++	va_list args;
+ 	fprintf(stderr, "ARC: ");
+-	fprintf(stderr, s, arg1, arg2, arg3);
++	va_start(args, s);
++	vfprintf(stderr, s, args);
++	va_end(args);
+ 	fprintf(stderr, "\n");
+ #if	UNIX
+ 	perror("UNIX");
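Review bot: The new variadic definition `arcdie(const char *s, ...)` needs a matching prototype in scope at every call site, and this patch touches only arcmisc.c. If arc.h or another header still declares it in the old style (for example `VOID arcdie();`), calling it without a `...` prototype is undefined behaviour and can reproduce the same 64-bit crash; the declaration should then become `VOID arcdie(const char *s, ...);`. With GCC the prototype could also carry `__attribute__((format(printf, 1, 2)))` so that mismatched arguments at callers are reported at compile time. The function body continues past the end of the hunk.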
diff --git a/arc-5.21p-hdrv1-read-fix.patch b/arc-5.21p-hdrv1-read-fix.patch
new file mode 100644
index 0000000..f9c0e3c
--- /dev/null
+++ b/arc-5.21p-hdrv1-read-fix.patch
@@ -0,0 +1,70 @@
+Fix version 1 arc header reading
+
+The code for v1 hdr reading was reading the packed header directly into an
+unpacked struct.
+
+Use the same read to dummy array, then manual unpack to header struct as
+used for v2 headers for v1 headers too.
+
+Signed-off-by: Hans de Goede <hdegoede at redhat.com>
+diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c
+--- arc-5.21p/arcio.c	2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p.new/arcio.c	2015-01-16 12:59:43.203289118 +0100
+@@ -37,6 +37,7 @@
+ #endif
+ 	char            name[FNLEN];	/* filename buffer */
+ 	int             try = 0;/* retry counter */
++	int             hdrlen;
+ 	static int      first = 1;	/* true only on first read */
+ 
+ 	if (!f)			/* if archive didn't open */
+@@ -92,23 +93,19 @@
+ 		printf("I think you need a newer version of ARC.\n");
+ 		exit(1);
+ 	}
++
+ 	/* amount to read depends on header type */
++	if (hdrver == 1) {
++		hdrlen = 23; /* old style is shorter */
++	} else {
++		hdrlen = 27;
++	}
+ 
+-	if (hdrver == 1) {	/* old style is shorter */
+-		if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1)
+-			arcdie("%s was truncated", arcname);
+-		hdrver = 2;	/* convert header to new format */
+-		hdr->length = hdr->size;	/* size is same when not
+-						 * packed */
+-	} else
+-#if	MSDOS
+-		if (fread(hdr, sizeof(struct heads), 1, f) != 1)
+-			arcdie("%s was truncated", arcname);
+-#else
+-		if (fread(dummy, 27, 1, f) != 1)
+-			arcdie("%s was truncated", arcname);
++	if (fread(dummy, hdrlen, 1, f) != 1)
++		arcdie("%s was truncated", arcname);
+ 
+ 	for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
++	hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
+ #if	_MTS
+ 	(void) atoe(hdr->name, strlen(hdr->name));
+ #endif
+@@ -116,8 +113,14 @@
+ 	hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ 	hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
+ 	hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
+-	for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
+-#endif
++
++	if (hdrver == 1) {
++		hdrver = 2;	/* convert header to new format */
++		hdr->length = hdr->size;	/* size is same when not
++						 * packed */
++	} else {
++		for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
++	}
+ 
+ 	if (hdr->date > olddate
+ 	    || (hdr->date == olddate && hdr->time > oldtime)) {
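Review bot: In readhdr, `hdr->name[FNLEN - 1] = 0` silently truncates a name field that has no NUL within its FNLEN bytes instead of treating the header as corrupt. The assignment makes the later `strlen(hdr->name)` safe, but such a header is malformed input and could be rejected before the copy, for example `if (memchr(dummy, 0, FNLEN) == NULL) arcdie("%s has a corrupt header", arcname);`. dummy's declaration is outside the hunk, so this assumes it is a byte array holding the raw header. The lengths 23 and 27 and the offsets 13 to 26 would also read better as named constants with a comment describing the packed on-disk layout. The function starts before and continues after the lines shown.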
diff --git a/arc.spec b/arc.spec
index e30cd97..9ffbfac 100644
--- a/arc.spec
+++ b/arc.spec
@@ -1,6 +1,6 @@
 Name:      arc
 Version:   5.21p
-Release:   4%{?dist}
+Release:   5%{?dist}
 Summary:   Arc archiver
 Group:     Applications/Archiving
 License:   GPL+
@@ -13,6 +13,12 @@ Patch1:    arc-5.21p-manpage-section-fix.patch
 # of its original author. But there still is some confusing license text in the
 # docs this clarifies those parts of the text (rhbz#947786)
 Patch2:    arc-5.21p-clarify-license.patch
+# Fix reading v1 headers
+Patch3:    arc-5.21p-hdrv1-read-fix.patch
+# Fix arcdie crash
+Patch4:    arc-5.21p-fix-arcdie.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1179143
+Patch5:    arc-5.21p-directory-traversel.patch
 
 %description
 Arc file archiver and compressor. Long since superseded by zip/unzip
@@ -24,6 +30,9 @@ but useful if you have old .arc files you need to unpack.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 sed -i -e 's,^OPT =.*$,OPT = ${RPM_OPT_FLAGS},' Makefile
 
 
@@ -44,6 +53,9 @@ install -m 0644 arc.1 marc.1 %{buildroot}%{_mandir}/man1/
 
 
 %changelog
+* Fri Jan 16 2015 Hans de Goede <hdegoede at redhat.com> - 5.21p-5
+- Fix directory traversal security issue (rhbz#1179143)
+
 * Fri Aug 15 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 5.21p-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 

