Hello community,

here is the log from the commit of package gcab.3368 for openSUSE:13.1:Update checked in at 2015-01-14 14:46:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/gcab.3368 (Old)
 and /work/SRC/openSUSE:13.1:Update/.gcab.3368.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gcab.3368" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.gcab.3368.new/gcab.changes 2015-01-14 14:46:01.000000000 +0100 
@@ -0,0 +1,11 @@ +------------------------------------------------------------------- +Tue Jan 6 11:08:14 UTC 2015 - [email protected] + +- Add gcab-CVE-2015-0552.patch: Avoid path traversal (boo#911814, + bgo#742331, CVE-2015-0552). + +------------------------------------------------------------------- +Wed Mar 6 20:29:35 UTC 2013 - [email protected] + +- Initial package, version 0.4. + New: ---- gcab-0.4.tar.xz gcab-CVE-2015-0552.patch gcab.changes gcab.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gcab.spec ++++++ # # spec file for package gcab # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: gcab Version: 0.4 Release: 0 Summary: Cabinet file library and tool License: LGPL-2.1+ Group: Productivity/Archiving/Compression Url: http://ftp.gnome.org/pub/GNOME/sources/gcab Source: http://ftp.acc.umu.se/pub/GNOME/sources/gcab/0.4/gcab-0.4.tar.xz # PATCH-FIX-UPSTREAM gcab-CVE-2015-0552.patch boo#911814 bgo#742331 CVE-2015-0552 [email protected] -- Avoid path traversal Patch0: gcab-CVE-2015-0552.patch BuildRequires: gobject-introspection >= 0.9.4 BuildRequires: intltool >= 0.40.0 BuildRequires: vala >= 0.14 BuildRequires: zlib-devel BuildRequires: pkgconfig(glib-2.0) >= 2.22.0 Recommends: %{name}-lang BuildRoot: %{_tmppath}/%{name}-%{version}-build %description gcab is a tool and library for manipulating cabinet files. It uses the GObject API and provides GIR bindings. It supports creation of archives with simple MSZIP compression. %package -n libgcab-1_0-0 Summary: Cabinet file library Group: System/Libraries %description -n libgcab-1_0-0 gcab is a tool and library for manipulating cabinet files. It uses the GObject API and provides GIR bindings. It supports creation of archives with simple MSZIP compression. This package provides a system library to access cab files %package devel Summary: Cabinet file library -- Development files Group: Development/Languages/C and C++ Requires: libgcab-1_0-0 = %{version} %description devel gcab is a tool and library for manipulating cabinet files. It uses the GObject API and provides GIR bindings. It supports creation of archives with simple MSZIP compression. 
This package provides development files to build code against libgcab %lang_package %prep %setup -q %patch0 -p1 %build %configure \ --disable-static make %{?_smp_mflags} %install %make_install find %{buildroot} -type f -name '*.la' -delete -print %find_lang %{name} %post -n libgcab-1_0-0 -p /sbin/ldconfig %postun -n libgcab-1_0-0 -p /sbin/ldconfig %files %defattr(-,root,root) %doc COPYING %{_bindir}/%{name} %{_mandir}/man1/%{name}.1%{?ext_man} %files lang -f %{name}.lang %files -n libgcab-1_0-0 %defattr(-,root,root) %{_libdir}/libgcab-1.0.so.* %files devel %defattr(-,root,root) %doc %{_datadir}/gtk-doc/html/%{name}/ %{_includedir}/libgcab-1.0/ %{_libdir}/libgcab-1.0.so %{_libdir}/pkgconfig/libgcab-1.0.pc %changelog ++++++ gcab-CVE-2015-0552.patch ++++++ >From 0ccdf564b6a3e26522a8eb1858f1828844fa3536 Mon Sep 17 00:00:00 2001 From: Stephen Kitt <[email protected]> Date: Mon, 5 Jan 2015 06:28:00 +0000 Subject: Avoid path traversal gcab suffers from a directory traversal bug: it doesn't filter leading slashes from paths in CAB files. (see https://bugs.debian.org/774580) The attached patch fixes this, at the cost of ugly paths when faced with relative traversals. At least all the CAB's contents can be extracted, without overwriting anything outside the extraction path. https://bugzilla.gnome.org/show_bug.cgi?id=742331 diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c index a140e2c..9510cf3 100644 --- a/libgcab/gcab-folder.c +++ b/libgcab/gcab-folder.c 
@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self, fname[i] = '/'; GFile *gfile = g_file_resolve_relative_path (path, fname); - GFile *parent = g_file_get_parent (gfile); g_free (fname); + if (!g_file_has_prefix (gfile, path)) { + // "Rebase" the file in the given path, to ensure we never escape it + char *rawpath = g_file_get_path (gfile); + if (rawpath != NULL) { + char *newpath = rawpath; + while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) { + newpath++; + } + GFile *newgfile = g_file_resolve_relative_path (path, newpath); + g_free (rawpath); + g_object_unref (gfile); + gfile = newgfile; + } + } + + GFile *parent = g_file_get_parent (gfile); + if (!g_file_make_directory_with_parents (parent, cancellable, &my_error)) { if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS)) g_clear_error (&my_error); -- cgit v0.10.1 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
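Review bot: in the new `if (!g_file_has_prefix (gfile, path))` block of `gcab_folder_extract`, the `if (rawpath != NULL)` check has no else branch. When `g_file_get_path (gfile)` returns NULL, the `gfile` that was just found to lie outside `path` is kept unchanged, and execution continues to `g_file_get_parent (gfile)` and `g_file_make_directory_with_parents`. That case should fail or skip the entry with an error rather than fall through. The rebased `newgfile` also replaces `gfile` without a second `g_file_has_prefix (newgfile, path)` check; adding one would turn "we never escape it" from a comment into an enforced condition. Minor: in the `while` condition, `*newpath != 0 &&` is redundant, since `*newpath == G_DIR_SEPARATOR` is already false at the terminating NUL.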
