Gentoo's Bugzilla – Attachment 59339 Details for
Bug 93079
games-util/dzip is vulnerable to directory traversals
[patch]
dzip-2.9-scrub-names.patch
dzip-2.9-scrub-names.patch (text/plain), 1.92 KB, created by
SpanKY
on 2005-05-19 18:38:52 UTC
Description:
dzip-2.9-scrub-names.patch
Filename:
MIME Type:
Creator:
SpanKY
Created:
2005-05-19 18:38:52 UTC
Size:
1.92 KB
patch
obsolete
>diff -Nurp work.orig/main.c work/main.c
>--- work.orig/main.c 2005-05-19 21:34:16.000000000 -0400
>+++ work/main.c 2005-05-19 21:36:18.000000000 -0400
>@@ -77,6 +77,48 @@ int dzRead (int inlen)
> return 1;
> }
>
>+#define IS_SEP(c) (c == '/' || c == ':' || c == '\\')
>+void scrub_name(char *smee)
>+{
>+ char *paths[] = { "../", "..\\", "..:", NULL};
>+ size_t p, i, len;
>+ char scrubit, scrubbed;
>+
>+ scrubbed = 0;
>+ len = strlen(smee);
>+ i = 0;
>+ scrubit = 1;
>+
>+ /* search the path and scrub out all relative paths */
>+ while (i + 3 < len) {
>+ for (p = 0; paths[p]; ++p) {
>+ if (scrubit && !strncmp(paths[p], smee+i, 3)) {
>+ scrubbed = 1;
>+ memset(smee+i, '\0', 3);
>+ i += 2;
>+ break;
>+ }
>+ }
>+ scrubit = IS_SEP(smee[i]) || smee[i] == '\0';
>+ ++i;
>+ }
>+
>+ if (!scrubbed)
>+ return;
>+
>+ /* condense the string over all the scrubbed bits */
>+ p = 0;
>+ for (i = 0; i < len; ++i) {
>+ while (p < len && smee[p] == '\0')
>+ ++p;
>+ if (p == len) {
>+ smee[i] = '\0';
>+ break;
>+ }
>+ smee[i] = smee[p++];
>+ }
>+}
>+
> int dzReadDirectoryEntry (direntry_t *de)
> {
> char *s;
>@@ -102,6 +144,7 @@ int dzReadDirectoryEntry (direntry_t *de
> s = Dzip_malloc(de->len);
> dzFile_Read(s, de->len);
> de->name = s;
>+ scrub_name(de->name);
> if (de->pak && de->type != TYPE_PAK)
> return 1; /* dont mess with dirchar inside pakfiles */
> do
>@@ -244,4 +287,4 @@ char *FileExtension (char *in)
> e = in++;
>
> return e;
>-}
>\ No newline at end of file
>+}
>diff -Nurp work.orig/v1code.c work/v1code.c
>--- work.orig/v1code.c 2005-05-19 21:34:16.000000000 -0400
>+++ work/v1code.c 2005-05-19 21:34:59.000000000 -0400
>@@ -201,6 +201,7 @@ void demv1_dxentities(void)
>
> }
>
>+extern void scrub_name(char *smee);
> void dzUncompressV1 (int testing)
> {
> int i, inlen = 0;
>@@ -221,6 +222,7 @@ void dzUncompressV1 (int testing)
> {
> de = directory + i;
> crcval = INITCRC;
>+ scrub_name(de->name);
> printf("%s %s",action,de->name);
> fflush(stdout);
>
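Review bot: The scan loop in scrub_name stops one window early: `while (i + 3 < len)` never tests the last three characters, so a name such as `../../` is reduced to `../` instead of being emptied, and a name that ends in `../` is left untouched. `while (i + 3 <= len)` covers the final window, and the read of `smee[i]` after `i += 2` still stays inside the string. Separately, only `../`, `..\` and `..:` are matched, so a name that begins with a separator or a drive prefix passes through unchanged; stripping leading IS_SEP characters in the same function would cover absolute names as well. The macro should also parenthesize its argument, `#define IS_SEP(c) ((c) == '/' || (c) == ':' || (c) == '\\')`.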
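Review bot: The added `scrub_name(de->name);` in dzReadDirectoryEntry runs strlen on the de->len bytes just read from the archive, and nothing in this hunk shows that the buffer ends in '\0'; a name without a terminator would let strlen and the scrub loop run past the allocation. A guard before the call that requires `de->len > 0 && s[de->len - 1] == '\0'` would keep the scrub inside the buffer. The failure convention of dzReadDirectoryEntry is not visible here, so the reject path has to follow whatever the rest of the function does. The function starts and ends outside the hunk, so an earlier check may already exist.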
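Review bot: The prototype `extern void scrub_name(char *smee);` is written directly into v1code.c, so the compiler cannot check it against the definition in main.c; it belongs in a header that both files include. The call added to dzUncompressV1 in the next hunk scrubs `de->name` a second time if the directory entries were filled by dzReadDirectoryEntry, which cannot be confirmed from this hunk. The repeat is harmless because the scrub is idempotent, but a one-line comment at that call stating which entries reach it unscrubbed would make the intent clear.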
Attachments on
bug 93079
:
59225
| 59339