Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 43788 Details for
Bug 70966
app-arch/unarj: Filename Handling Buffer Overflow - CAN-2004-0947
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
unarj-path.diff
unarj-path.diff (text/plain), 2.97 KB, created by
solar (RETIRED)
on 2004-11-12 08:01:12 UTC
(
hide
)
Description:
unarj-path.diff
Filename:
MIME Type:
Creator:
solar (RETIRED)
Created:
2004-11-12 08:01:12 UTC
Size:
2.97 KB
patch
obsolete
>Index: unarj-2.65/sanitize.c >=================================================================== >--- /dev/null >+++ unarj-2.65/sanitize.c >@@ -0,0 +1,81 @@ >+/* >+ * Path sanitation code by Ludwig Nussel <ludwig.nussel@suse.de>. Public Domain. >+ */ >+ >+#include "unarj.h" >+ >+#include <string.h> >+#include <limits.h> >+#include <stdio.h> >+ >+#ifndef PATH_CHAR >+#define PATH_CHAR '/' >+#endif >+#ifndef MIN >+#define MIN(x,y) ((x)<(y)?(x):(y)) >+#endif >+ >+/* copy src into dest converting the path to a relative one inside the current >+ * directory. dest must hold at least len bytes */ >+void copy_path_relative(char *dest, char *src, size_t len) >+{ >+ char* o = dest; >+ char* p = src; >+ >+ *o = '\0'; >+ >+ while(*p && *p == PATH_CHAR) ++p; >+ for(; len && *p;) >+ { >+ src = p; >+ p = strchr(src, PATH_CHAR); >+ if(!p) p = src+strlen(src); >+ >+ /* . => skip */ >+ if(p-src == 1 && *src == '.' ) >+ { >+ if(*p) src = ++p; >+ } >+ /* .. => pop one */ >+ else if(p-src == 2 && *src == '.' && src[1] == '.') >+ { >+ if(o != dest) >+ { >+ char* tmp; >+ *o = '\0'; >+ tmp = strrchr(dest, PATH_CHAR); >+ if(!tmp) >+ { >+ len += o-dest; >+ o = dest; >+ if(*p) ++p; >+ } >+ else >+ { >+ len += o-tmp; >+ o = tmp; >+ if(*p) ++p; >+ } >+ } >+ else /* nothing to pop */ >+ if(*p) ++p; >+ } >+ else >+ { >+ size_t copy; >+ if(o != dest) >+ { >+ --len; >+ *o++ = PATH_CHAR; >+ } >+ copy = MIN(p-src,len); >+ memcpy(o, src, copy); >+ len -= copy; >+ src += copy; >+ o += copy; >+ if(*p) ++p; >+ } >+ while(*p && *p == PATH_CHAR) ++p; >+ } >+ o[len?0:-1] = '\0'; >+} >Index: unarj-2.65/unarj.c >=================================================================== >--- unarj-2.65.orig/unarj.c >+++ unarj-2.65/unarj.c >@@ -235,6 +235,8 @@ static UCRC crctable[UCHAR_MAX + 1]; > > /* Functions */ > >+void copy_path_relative(char *dest, char *src, size_t len); >+ > static void > make_crctable() > { >@@ -738,11 +740,11 @@ extract() > > no_output = 0; > if (command == 'E') >- strncopy(name, &filename[entry_pos], sizeof(name)); >+ copy_path_relative(name, &filename[entry_pos], sizeof(name)); > else > { > strcpy(name, DEFAULT_DIR); >- strncopy(name+strlen(name), filename, sizeof(name)-strlen(name)); >+ copy_path_relative(name+strlen(name), filename, sizeof(name)-strlen(name)); > } > > if (host_os != OS) >Index: unarj-2.65/Makefile >=================================================================== >--- unarj-2.65.orig/Makefile >+++ unarj-2.65/Makefile >@@ -6,8 +6,8 @@ CC = gcc > CFLAGS = -O2 -Wall -ansi -pedantic -DUNIX > INSTALLDIR=/usr/local/bin > >-unarj: unarj.o decode.o environ.o >- $(CC) $(CFLAGS) -o unarj unarj.o decode.o environ.o >+unarj: unarj.o decode.o environ.o sanitize.o >+ $(CC) $(CFLAGS) -o unarj unarj.o decode.o environ.o sanitize.o > strip unarj > > clean: >@@ -19,3 +19,4 @@ install: > unarj.o: unarj.c unarj.h Makefile > environ.o: environ.c unarj.h Makefile > decode.o: decode.c unarj.h Makefile >+sanitize.o: sanitize.c unarj.h Makefile
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 70966
:
43787
| 43788 |
44273
|
44274