Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 38971 Details for
Bug 62618
app-arch/lha: multiple vulnerabilities
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Red Hat patch 4
rhel3-lha.patch (text/plain), 6.29 KB, created by
Matthias Geerdsen (RETIRED)
on 2004-09-05 05:07:07 UTC
(
hide
)
Description:
Red Hat patch 4
Filename:
MIME Type:
Creator:
Matthias Geerdsen (RETIRED)
Created:
2004-09-05 05:07:07 UTC
Size:
6.29 KB
patch
obsolete
>diff -urNp lha-114i.orig/src/lha_macro.h lha-114i/src/lha_macro.h >--- lha-114i.orig/src/lha_macro.h 2004-08-03 15:53:56.000000000 -0500 >+++ lha-114i/src/lha_macro.h 2004-08-03 15:54:05.000000000 -0500 >@@ -53,7 +53,7 @@ > #define SEEK_SET 0 > #define SEEK_CUR 1 > #define SEEK_END 2 >-#endif /* SEEK_SET >+#endif /* SEEK_SET */ > > > /* non-integral functions */ >diff -urNp lha-114i.orig/src/lharc.c lha-114i/src/lharc.c >--- lha-114i.orig/src/lharc.c 2004-08-03 15:53:56.000000000 -0500 >+++ lha-114i/src/lharc.c 2004-08-03 15:54:05.000000000 -0500 >@@ -830,9 +830,10 @@ find_files(name, v_filec, v_filev) > DIRENTRY *dp; > struct stat tmp_stbuf, arc_stbuf, fil_stbuf; > >- strcpy(newname, name); >+ strncpy(newname, name, sizeof(newname)); >+ newname[sizeof(newname)-1] = 0; > len = strlen(name); >- if (len > 0 && newname[len - 1] != '/') >+ if (len > 0 && newname[len - 1] != '/' && len < (sizeof(newname)-1)) > newname[len++] = '/'; > > dirp = opendir(name); >@@ -846,6 +847,11 @@ find_files(name, v_filec, v_filev) > > for (dp = readdir(dirp); dp != NULL; dp = readdir(dirp)) { > n = NAMLEN(dp); >+ if (len >= (sizeof(newname)-1) || >+ (len+n) >= (sizeof(newname)-1) || >+ n <= 0 || >+ (len+n) <= 0) >+ break; > strncpy(newname + len, dp->d_name, n); > newname[len + n] = '\0'; > if (GETSTAT(newname, &fil_stbuf) < 0) >@@ -903,7 +909,8 @@ build_temporary_name() > strcpy(temporary_name, TMP_FILENAME_TEMPLATE); > } > else { >- sprintf(temporary_name, "%s/lhXXXXXX", extract_directory); >+ snprintf(temporary_name, sizeof(temporary_name), >+ "%s/lhXXXXXX", extract_directory); > } > #ifdef MKSTEMP > mkstemp(temporary_name); >@@ -913,10 +920,16 @@ build_temporary_name() > #else > char *p, *s; > >- strcpy(temporary_name, archive_name); >+ strncpy(temporary_name, archive_name, sizeof(temporary_name)); >+ temporary_name[sizeof(temporary_name)-1] = 0; > for (p = temporary_name, s = (char *) 0; *p; p++) > if (*p == '/') > s = p; >+ >+ if( sizeof(temporary_name) - ((size_t) (s-temporary_name)) - 1 >+ <= strlen("lhXXXXXX")) >+ exit(-1); >+ > strcpy((s ? s + 1 : temporary_name), "lhXXXXXX"); > #ifdef MKSTEMP > mkstemp(temporary_name); >@@ -1052,7 +1065,8 @@ open_old_archive() > > if (open_old_archive_1(archive_name, &fp)) > return fp; >- sprintf(expanded_archive_name, "%s.lzh", archive_name); >+ snprintf(expanded_archive_name, sizeof(expanded_archive_name), >+ "%s.lzh", archive_name); > if (open_old_archive_1(expanded_archive_name, &fp)) { > archive_name = expanded_archive_name; > return fp; >@@ -1061,7 +1075,8 @@ open_old_archive() > * if ( (errno&0xffff)!=E_PNNF ) { archive_name = > * expanded_archive_name; return NULL; } > */ >- sprintf(expanded_archive_name, "%s.lzs", archive_name); >+ snprintf(expanded_archive_name, sizeof(expanded_archive_name), >+ "%s.lzs", archive_name); > if (open_old_archive_1(expanded_archive_name, &fp)) { > archive_name = expanded_archive_name; > return fp; >diff -urNp lha-114i.orig/src/lhext.c lha-114i/src/lhext.c >--- lha-114i.orig/src/lhext.c 2004-08-03 15:53:56.000000000 -0500 >+++ lha-114i/src/lhext.c 2004-08-03 15:55:40.000000000 -0500 >@@ -82,7 +82,8 @@ make_parent_path(name) > register char *p; > > /* make parent directory name into PATH for recursive call */ >- strcpy(path, name); >+ memset(path, 0, sizeof(path)); >+ strncpy(path, name, sizeof(path)-1); > for (p = path + strlen(path); p > path; p--) > if (p[-1] == '/') { > *--p = '\0'; >@@ -212,9 +213,11 @@ extract_one(afp, hdr) > } > > if (extract_directory) >- sprintf(name, "%s/%s", extract_directory, q); >- else >- strcpy(name, q); >+ snprintf(name, sizeof(name), "%s/%s", extract_directory, q); >+ else { >+ strncpy(name, q, sizeof(name)); >+ name[sizeof(name) - 1] = '\0'; >+ } > > > /* LZHDIRS_METHOD�����ĥإå��������å����� */ >@@ -335,7 +338,8 @@ extract_one(afp, hdr) > if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_SYMLINK) { > char buf[256], *bb1, *bb2; > int l_code; >- strcpy(buf, name); >+ strncpy(buf, name, sizeof(buf)); >+ buf[sizeof(buf)-1] = 0; > bb1 = strtok(buf, "|"); > bb2 = strtok(NULL, "|"); > >@@ -365,9 +369,10 @@ extract_one(afp, hdr) > if (quiet != TRUE) { > printf("Symbolic Link %s -> %s\n", bb1, bb2); > } >- strcpy(name, bb1); /* Symbolic's name set */ >+ strncpy(name, bb1, 255); /* Symbolic's name set */ >+ name[255] = 0; > #else >- sprintf(buf, "%s -> %s", bb1, bb2); >+ sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2); > warning("Can't make Symbolic Link", buf); > return; > #endif >diff -urNp lha-114i.orig/src/lhlist.c lha-114i/src/lhlist.c >--- lha-114i.orig/src/lhlist.c 2004-08-03 15:53:56.000000000 -0500 >+++ lha-114i/src/lhlist.c 2004-08-03 15:54:05.000000000 -0500 >@@ -250,7 +250,8 @@ list_one(hdr) > printf(" %s", hdr->name); > else { > char buf[256], *b1, *b2; >- strcpy(buf, hdr->name); >+ strncpy(buf, hdr->name, sizeof(buf)); >+ buf[sizeof(buf)-1] = 0; > b1 = strtok(buf, "|"); > b2 = strtok(NULL, "|"); > printf(" %s -> %s", b1, b2); >diff -urNp lha-114i.orig/src/util.c lha-114i/src/util.c >--- lha-114i.orig/src/util.c 2004-08-03 15:53:56.000000000 -0500 >+++ lha-114i/src/util.c 2004-08-03 15:54:05.000000000 -0500 >@@ -276,21 +276,27 @@ rmdir(path) > char *path; > { > int stat, rtn = 0; >- char *cmdname; >- if ((cmdname = (char *) malloc(strlen(RMDIRPATH) + 1 + strlen(path) + 1)) >- == 0) >+ pid_t child; >+ >+ >+ /* XXX thomas: shell meta chars in path could exec commands */ >+ /* therefore we should avoid using system() */ >+ if ((child = fork()) < 0) >+ return (-1); /* fork error */ >+ else if (child) { /* parent process */ >+ while (child != wait(&stat)) /* ignore signals */ >+ continue; >+ } >+ else { /* child process */ >+ execl(RMDIRPATH, "rmdir", path, (char *) 0); >+ /* never come here except execl is error */ > return (-1); >- strcpy(cmdname, RMDIRPATH); >- *(cmdname + strlen(RMDIRPATH)) = ' '; >- strcpy(cmdname + strlen(RMDIRPATH) + 1, path); >- if ((stat = system(cmdname)) < 0) >- rtn = -1; /* fork or exec error */ >- else if (stat) { /* RMDIR command error */ >- errno = EIO; >- rtn = -1; > } >- free(cmdname); >- return (rtn); >+ if (stat != 0) { >+ errno = EIO; /* cannot get error num. */ >+ return (-1); >+ } >+ return (0); > } > > /* ------------------------------------------------------------------------ */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=38971">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 62618
: 38971 |
38972
|
38973
|
38975
