robert pushed to arj (f20). "- Added patch from Debian to avoid free on invalid pointer due to a buffer overflow (#1196751, #1207180) (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Apr 3 14:02:41 UTC 2015
>From 097f276de931e340747d450aa190a463621a701c Mon Sep 17 00:00:00 2001
From: Robert Scheck <robert at fedoraproject.org>
Date: Fri, 3 Apr 2015 15:58:14 +0200
Subject: - Added patch from Debian to avoid free on invalid pointer due to a
buffer overflow (#1196751, #1207180) - Added patch from Debian for symlink
directory traversal (#1178824) - Added patch from Debian to fix the directory
traversal via //multiple/leading/slash (#1178824)
diff --git a/arj-3.10.22-security-afl.patch b/arj-3.10.22-security-afl.patch
new file mode 100644
index 0000000..ed2bf57
--- /dev/null
+++ b/arj-3.10.22-security-afl.patch
@@ -0,0 +1,35 @@
+Description: Fix buffer overflow causing an invalid pointer free().
+Author: Guillem Jover <guillem at debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774015
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ decode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/decode.c
++++ b/decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+ if(i==i_special)
+ {
+ c=getbits(2);
+- while(--c>=0)
++ while(--c>=0&&i<nn)
+ pt_len[i++]=0;
+ }
+ }
+@@ -314,10 +314,10 @@ void read_c_len()
+ c=getbits(CBIT);
+ c+=20;
+ }
+- while(--c>=0)
++ while(--c>=0&&i<NC)
+ c_len[i++]=0;
+ }
+- else
++ else if (i<NC)
+ c_len[i++]=(unsigned char)(c-2);
+ }
+ while(i<NC)
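Review bot: The added bounds in `while(--c>=0&&i<nn)` and in read_c_len's `while(--c>=0&&i<NC)` / `else if (i<NC)` stop the out-of-bounds writes but make the overrun silent: a table length read from the archive that exceeds `nn` or `NC` is clamped and decoding carries on with whatever the partially filled `pt_len`/`c_len` hold. Both functions are `void` according to the hunk headers, so no status reaches the caller; if arj has a routine for reporting a corrupt archive, the clamped cases are where it belongs, otherwise a comment such as `/* length exceeds table size: corrupt input, writes are clamped and no error is raised */` on the two loop lines would at least record the decision. `read_pt_len` and `read_c_len` both start and end outside this hunk.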
diff --git a/arj-3.10.22-security-traversal-dir.patch b/arj-3.10.22-security-traversal-dir.patch
new file mode 100644
index 0000000..02d955c
--- /dev/null
+++ b/arj-3.10.22-security-traversal-dir.patch
@@ -0,0 +1,33 @@
+Description: Fix absolute path traversals.
+ Catch multiple leading slashes when checking for absolute path traversals.
+ .
+ Fixes CVE-2015-0557.
+Author: Guillem Jover <guillem at debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774435
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ environ.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/environ.c
++++ b/environ.c
+@@ -1087,6 +1087,8 @@ static char *validate_path(char *name)
+ if(action!=VALIDATE_DRIVESPEC)
+ {
+ #endif
++ while (name[0]!='\0'&&
++ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) {
+ if(name[0]=='.')
+ {
+ if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))
+@@ -1096,6 +1098,7 @@ static char *validate_path(char *name)
+ }
+ if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)
+ name++; /* "\\" - revert to root */
++ }
+ #if SFX_LEVEL>=ARJSFXV
+ }
+ }
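Review bot: The new `while` condition admits any name whose first character is `.`, but the only `.`-handling visible here strips the `..`-plus-separator form at `if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))`; the branches for a lone `./` or a name such as `.hidden` are in the elided lines, and if they do not advance `name` for a leading `.` that is neither `./` nor `../`, the loop never terminates and extraction hangs on such an entry. Either confirm that every elided branch advances `name`, or add an `else break;` after the `.`-handling block so an unrecognised prefix falls through to the remaining checks. This sits inside `validate_path`, which starts and ends outside the hunk.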
diff --git a/arj-3.10.22-security-traversal-symlink.patch b/arj-3.10.22-security-traversal-symlink.patch
new file mode 100644
index 0000000..3248169
--- /dev/null
+++ b/arj-3.10.22-security-traversal-symlink.patch
@@ -0,0 +1,85 @@
+Description: Fix symlink directory traversal.
+ Do not allow symlinks that traverse the current directoru, nor absolute
+ symlinks.
+ .
+ Fixes CVE-2015-0556.
+Author: Guillem Jover <guillem at debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774434
+Forwarded: no
+Last-Update: 2015-03-28
+
+---
+ uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+--- a/uxspec.c
++++ b/uxspec.c
+@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
+ #endif
+
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++ enum {
++ STATE_NONE,
++ STATE_DOTS,
++ STATE_NAME,
++ } state = STATE_NONE;
++ int ndir = 0;
++ int dots = 0;
++
++ while(*name) {
++ int c = *name++;
++
++ if (c == '/')
++ {
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if (ndir < 0)
++ return 1;
++ if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++ return 1;
++ if (state == STATE_NONE && ndir == 0)
++ return 1;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++ state = STATE_NONE;
++ dots = 0;
++ }
++ else if (c == '.')
++ {
++ if (state == STATE_NONE)
++ state = STATE_DOTS;
++ dots++;
++ }
++ else
++ {
++ if (state == STATE_NONE)
++ ndir++;
++ state = STATE_NAME;
++ }
++ }
++
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++
++ return ndir < 0;
++}
++#endif
++
+ /* Restores the UNIX special file data */
+
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha
+ l=sizeof(tmp_name)-1;
+ far_memmove((char FAR *)tmp_name, dptr, l);
+ tmp_name[l]='\0';
++ if (is_link_traversal(tmp_name))
++ return(UXSPEC_RC_ERROR);
+ rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+ if(!rc)
+ return(0);
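Review bot: `is_link_traversal` carries no comment stating the rules it enforces, and one of them is not obvious from the name: a target beginning with `./` is rejected by the `(state == STATE_DOTS && dots == 1) && ndir == 0` branch although it cannot leave the extraction directory, while `/x`, `//x` and any target whose `..` components outnumber the names before them are rejected by the neighbouring branches, and a run of three or more dots is counted as an ordinary name. A header comment above the function listing those cases (absolute targets, leading `./`, net parent traversal, `...` treated as a name, `/` as the only separator, which is consistent with the `#if TARGET==UNIX` guard) would let a maintainer tell deliberate strictness from a bug. The call `if (is_link_traversal(tmp_name))` is inside `set_uxspecial`, which starts and ends outside the hunk; whether that call is itself under a `TARGET==UNIX` guard cannot be seen here, and if it is not, non-UNIX builds keep the call while losing the definition.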
diff --git a/arj.spec b/arj.spec
index f614a41..3e7f0d6 100644
--- a/arj.spec
+++ b/arj.spec
@@ -1,7 +1,7 @@
Summary: Archiver for .arj files
Name: arj
Version: 3.10.22
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPL+
Group: Applications/Archiving
URL: http://arj.sourceforge.net/
@@ -20,6 +20,9 @@ Patch7: arj-3.10.22-missing-protos.patch
Patch8: arj-3.10.22-custom-printf.patch
# Filed into upstream bugtracker as https://sourceforge.net/tracker/?func=detail&aid=2853421&group_id=49820&atid=457566
Patch9: arj-3.10.22-quotes.patch
+Patch10: arj-3.10.22-security-afl.patch
+Patch11: arj-3.10.22-security-traversal-dir.patch
+Patch12: arj-3.10.22-security-traversal-symlink.patch
BuildRequires: autoconf
Provides: unarj = %{version}-%{release}
Obsoletes: unarj < 3
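Review bot: Patch10–Patch12 are added without the provenance comment the file already uses for Patch9 (`# Filed into upstream bugtracker as ...`), although each new patch header carries identifiers that belong next to its `Patch` line so a later rebase can tell which fix is which. Lines such as `# Debian bug 774015 (invalid free from table overflow)` above Patch10, `# CVE-2015-0557, Debian bug 774435` above Patch11 and `# CVE-2015-0556, Debian bug 774434` above Patch12 would follow the existing convention.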
@@ -43,6 +46,9 @@ Software, Inc.
%patch7 -p1
%patch8 -p1
%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
pushd gnu
autoconf
@@ -73,13 +79,22 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
-%doc ChangeLog* doc/COPYING doc/rev_hist.txt
+%{!?_licensedir:%global license %%doc}
+%license doc/COPYING
+%doc ChangeLog* doc/rev_hist.txt
%config(noreplace) %{_sysconfdir}/rearj.cfg
%{_bindir}/*arj*
%{_libdir}/arj/
%{_mandir}/man1/*arj*1.*
%changelog
+* Fri Apr 03 2015 Robert Scheck <robert at fedoraproject.org> 3.10.22-22
+- Added patch from Debian to avoid free on invalid pointer due to a
+ buffer overflow (#1196751, #1207180)
+- Added patch from Debian for symlink directory traversal (#1178824)
+- Added patch from Debian to fix the directory traversal via
+ //multiple/leading/slash (#1178824)
+
* Sat Feb 21 2015 Till Maas <opensource at till.name> - 3.10.22-21
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/arj.git/commit/?h=f20&id=097f276de931e340747d450aa190a463621a701c