Hello community,

here is the log from the commit of package gcab for openSUSE:Factory checked in 
at 2015-01-08 23:02:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gcab (Old)
 and      /work/SRC/openSUSE:Factory/.gcab.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gcab"

Changes:
--------
--- /work/SRC/openSUSE:Factory/gcab/gcab.changes        2013-03-14 
10:57:09.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.gcab.new/gcab.changes   2015-01-08 
23:02:07.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Jan  6 11:08:14 UTC 2015 - [email protected]
+
+- Add gcab-CVE-2015-0552.patch: Avoid path traversal (boo#911814,
+  bgo#742331, CVE-2015-0552).
+
+-------------------------------------------------------------------

New:
----
  gcab-CVE-2015-0552.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gcab.spec ++++++
--- /var/tmp/diff_new_pack.ue2paY/_old  2015-01-08 23:02:08.000000000 +0100
+++ /var/tmp/diff_new_pack.ue2paY/_new  2015-01-08 23:02:08.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package
+# spec file for package gcab
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,14 +15,17 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 Name:           gcab
 Version:        0.4
 Release:        0
-License:        LGPL-2.1+
 Summary:        Cabinet file library and tool
-Url:            http://ftp.gnome.org/pub/GNOME/sources/gcab
+License:        LGPL-2.1+
 Group:          Productivity/Archiving/Compression
+Url:            http://ftp.gnome.org/pub/GNOME/sources/gcab
 Source:         
http://ftp.acc.umu.se/pub/GNOME/sources/gcab/0.4/gcab-0.4.tar.xz
+# PATCH-FIX-UPSTREAM gcab-CVE-2015-0552.patch boo#911814 bgo#742331 
CVE-2015-0552 [email protected] -- Avoid path traversal
+Patch0:         gcab-CVE-2015-0552.patch
 BuildRequires:  gobject-introspection >= 0.9.4
 BuildRequires:  intltool >= 0.40.0
 BuildRequires:  vala >= 0.14
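Review bot: the License:/Url: reordering and the added blank line before Name: in this hunk are formatting churn unrelated to the CVE fix. Keeping the submission to the functional lines (the PATCH-FIX-UPSTREAM comment with Patch0: here, and the %patch0 call in %prep) would make the security change easier to audit. Separately, the Source: context line points at a plain http mirror URL and this hunk shows no signature or keyring source next to it; since the header is being touched anyway, consider an https URL.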
@@ -65,6 +68,7 @@
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 %configure \

++++++ gcab-CVE-2015-0552.patch ++++++
>From 0ccdf564b6a3e26522a8eb1858f1828844fa3536 Mon Sep 17 00:00:00 2001
From: Stephen Kitt <[email protected]>
Date: Mon, 5 Jan 2015 06:28:00 +0000
Subject: Avoid path traversal

gcab suffers from a directory traversal bug: it doesn't filter leading
slashes from paths in CAB files.
(see https://bugs.debian.org/774580)

The attached patch fixes this, at the cost of ugly paths when faced with
relative traversals. At least all the CAB's contents can be extracted,
without overwriting anything outside the extraction path.

https://bugzilla.gnome.org/show_bug.cgi?id=742331

diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
index a140e2c..9510cf3 100644
--- a/libgcab/gcab-folder.c
+++ b/libgcab/gcab-folder.c
@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
                 fname[i] = '/';
 
         GFile *gfile = g_file_resolve_relative_path (path, fname);
-        GFile *parent = g_file_get_parent (gfile);
         g_free (fname);
 
+        if (!g_file_has_prefix (gfile, path)) {
+            // "Rebase" the file in the given path, to ensure we never escape 
it
+            char *rawpath = g_file_get_path (gfile);
+            if (rawpath != NULL) {
+                char *newpath = rawpath;
+                while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
+                    newpath++;
+                }
+                GFile *newgfile = g_file_resolve_relative_path (path, newpath);
+                g_free (rawpath);
+                g_object_unref (gfile);
+                gfile = newgfile;
+            }
+        }
+
+        GFile *parent = g_file_get_parent (gfile);
+
         if (!g_file_make_directory_with_parents (parent, cancellable, 
&my_error)) {
             if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
                 g_clear_error (&my_error);
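Review bot: the `if (rawpath != NULL)` block has no else branch, so when g_file_get_path() returns NULL the gfile that g_file_has_prefix() has just reported as outside path is passed unchanged to g_file_get_parent() and the directory creation below. Suggest failing the extraction, or skipping the entry, in that case instead of falling through. Two smaller points: `*newpath != 0 &&` is redundant, because a NUL byte never equals G_DIR_SEPARATOR, and the comment could state that an escaping relative name ends up with its whole resolved path nested under the extraction directory, which is the behaviour the commit message calls ugly paths.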
-- 
cgit v0.10.1
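
The rebase behaviour the commit message describes, including the "ugly paths" for relative traversals, as an added example that is not part of the gcab patch or of the original mail. It is a plain-C, filesystem-free model of the logic; `extract_path`, `push_parts`, `MAXC` and the sample member names are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXC 256  /* enough for two 255-byte paths of 1-char components */

/* Split buf on '/' and '\\'; ".." pops, "." is skipped, the rest is pushed. */
static int push_parts(char *buf, const char **st, int n)
{
    for (char *t = strtok(buf, "/\\"); t != NULL; t = strtok(NULL, "/\\")) {
        if (strcmp(t, "..") == 0) { if (n > 0) n--; }
        else if (strcmp(t, ".") != 0 && n < MAXC) st[n++] = t;
    }
    return n;
}

/* Lexical model of the patched logic: resolve member `name` against absolute
 * dir `base`; a result not strictly below `base` is re-rooted under it.
 * Returns 0, or -1 on overlong input or a too-small output buffer. */
int extract_path(const char *base, const char *name, char *out, size_t len)
{
    char b1[256], b2[256], f[256];
    const char *bs[MAXC], *st[MAXC];
    size_t used = 0;
    if (len == 0 || strlen(base) >= sizeof b1 || strlen(name) >= sizeof f)
        return -1;
    strcpy(b1, base); strcpy(b2, base); strcpy(f, name);
    int nb = push_parts(b1, bs, 0), n = 0;
    if (name[0] != '/' && name[0] != '\\')  /* absolute names ignore base */
        n = push_parts(b2, st, 0);
    n = push_parts(f, st, n);
    int inside = n > nb;                    /* strictly below base? */
    for (int i = 0; inside && i < nb; i++)
        inside = strcmp(st[i], bs[i]) == 0;
    out[0] = '\0';
    for (int pass = inside; pass < 2; pass++) {  /* pass 0 prepends base */
        const char **v = pass ? st : bs;
        for (int i = 0, cnt = pass ? n : nb; i < cnt; i++) {
            int w = snprintf(out + used, len - used, "/%s", v[i]);
            if (w < 0 || (size_t)w >= len - used) return -1;
            used += (size_t)w;
        }
    }
    return 0;
}

int main(void)
{
    char out[512];  /* constructed member name below */
    if (extract_path("/tmp/out", "..\\other\\x", out, sizeof out) == 0)
        puts(out);
    return 0;
}
```

The model is purely lexical, so it says nothing about symlinks that already exist inside the extraction directory.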

