Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package fastjar for openSUSE:Factory checked 
in at 2021-07-27 14:32:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/fastjar (Old)
 and      /work/SRC/openSUSE:Factory/.fastjar.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "fastjar"

Tue Jul 27 14:32:08 2021 rev:21 rq:908510 version:0.98

Changes:
--------
--- /work/SRC/openSUSE:Factory/fastjar/fastjar.changes  2017-05-31 
13:30:16.315880634 +0200
+++ /work/SRC/openSUSE:Factory/.fastjar.new.1899/fastjar.changes        
2021-07-27 14:32:27.507460542 +0200
@@ -1,0 +2,17 @@
+Mon Jul 26 16:37:44 UTC 2021 - Fridrich Strba <[email protected]>
+
+- Little fixes to be able to build on CentOS
+
+-------------------------------------------------------------------
+Fri Jul 23 07:12:47 UTC 2021 - Pedro Monreal <[email protected]>
+
+- Add reference for CVE-2010-2322 [bsc#1188517, CVE-2010-2322]
+  * Directory traversal vulnerabilities
+  * Rename jartool.diff to fastjar-CVE-2010-2322.patch
+
+-------------------------------------------------------------------
+Fri Jul 23 07:09:56 UTC 2021 - Pedro Monreal <[email protected]>
+
+- Update spec file with spec-cleaner
+
+-------------------------------------------------------------------

Old:
----
  jartool.diff

New:
----
  fastjar-CVE-2010-2322.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fastjar.spec ++++++
--- /var/tmp/diff_new_pack.YNzNnn/_old  2021-07-27 14:32:28.059459995 +0200
+++ /var/tmp/diff_new_pack.YNzNnn/_new  2021-07-27 14:32:28.063459991 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package fastjar
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -20,19 +20,21 @@
 Version:        0.98
 Release:        0
 Summary:        Java package archiver
-License:        GPL-2.0+
+License:        GPL-2.0-or-later
 Group:          Development/Languages/Java
-Url:            http://savannah.nongnu.org/projects/fastjar/
+URL:            https://savannah.nongnu.org/projects/fastjar/
 Source0:        
http://download.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz
 # Current signing key has expired
 #Source1:        
http://download.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz.sig
 #Source2:        
http://savannah.nongnu.org/project/memberlist-gpgkeys.php?group=%{name}&download=1#/%{name}.keyring
 Patch2:         fix-update-mode.diff
-Patch3:         jartool.diff
+# PATCH-FIX-UPSTREAM bsc#1188517 CVE-2010-2322 directory traversal 
vulnerabilities
+Patch3:         fastjar-CVE-2010-2322.patch
 BuildRequires:  zlib-devel
+%if 0%{?suse_version}
 Requires(post): %{install_info_prereq}
-Requires(preun): %{install_info_prereq}
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Requires(preun):%{install_info_prereq}
+%endif
 
 %description
 Fastjar is an implementation of Sun's jar utility that comes with the
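Review bot: `Requires(preun):%{install_info_prereq}` drops the space after the colon that the adjacent `Requires(post): %{install_info_prereq}` keeps; rpm accepts both, but the two lines should be written alike: `Requires(preun): %{install_info_prereq}`. The new `%if 0%{?suse_version}` block guards only these dependencies, while the %post/%preun scriptlets (see the `%install_info_delete` context line in the following hunk) still expand `%install_info_*`; if those macros are undefined on the non-SUSE targets this change is meant to enable, they would be left unexpanded in the scriptlet and fail at install time, so that path is worth verifying on CentOS.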
@@ -45,7 +47,7 @@
 
 %build
 %configure
-make %{?_smp_mflags}
+%make_build
 
 %install
 %make_install
@@ -57,12 +59,14 @@
 %install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info%{ext_info}
 
 %files
-%defattr(-,root,root)
 %doc AUTHORS README NEWS ChangeLog
-%{_mandir}/man1/fastjar.1%{ext_man}
-%{_mandir}/man1/grepjar.1%{ext_man}
-%{_infodir}/fastjar.info%{ext_info}
+%{_mandir}/man1/fastjar.1%{?ext_man}
+%{_mandir}/man1/grepjar.1%{?ext_man}
+%{_infodir}/fastjar.info%{?ext_info}
 %{_bindir}/fastjar
 %{_bindir}/grepjar
+%if ! 0%{?suse_version}
+%exclude %{_infodir}/dir
+%endif
 
 %changelog

++++++ fastjar-CVE-2010-2322.patch ++++++
--- fastjar-0.98.orig/jartool.c
+++ fastjar-0.98/jartool.c
@@ -790,6 +790,7 @@ int read_entries (int fd)
                   progname, jarfile);
          return 1;
        }
+      ze->filename[len] = '\0';
       len = UNPACK_UB4(header, CEN_EFLEN);
       len += UNPACK_UB4(header, CEN_COMLEN);
       if (lseek (fd, len, SEEK_CUR) == -1)
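Review bot: The terminator store `ze->filename[len] = '\0';` requires the buffer to hold len + 1 bytes, and the allocation of ze->filename is outside this hunk, so confirm it is sized len + 1 rather than len; otherwise the fix trades an unterminated name for a one-byte heap overflow. The invariant should be stated at the store: `/* NUL-terminate: filename holds len bytes of name and must have been allocated len + 1 */`. read_entries begins and ends outside the hunk.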
@@ -1257,7 +1258,7 @@ int add_file_to_jar(int jfd, int ffd, co
       exit_on_error("write");
 
   /* write the file name to the zip file */
-  if (1 == write(jfd, fname, file_name_length))
+  if (-1 == write(jfd, fname, file_name_length))
     exit_on_error("write");
 
   if(verbose){
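Review bot: Checking `write()` only for -1 still accepts a short write, which leaves a truncated file name in the archive with no error reported; the count should be compared with the requested length: `if (write(jfd, fname, file_name_length) != (ssize_t)file_name_length)` followed by the existing `exit_on_error("write");` (adjust the cast to file_name_length's type). The call guarded by the `exit_on_error("write")` at the top of the hunk is outside the view and presumably uses the same -1-only test, so a small write-all helper that loops until every byte is written would fix both. add_file_to_jar starts and ends outside the hunk.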
@@ -1730,7 +1731,17 @@ int extract_jar(int fd, const char **fil
       struct stat sbuf;
       int depth = 0;
 
-      tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
+      if(*filename == '/'){
+       fprintf(stderr, "Absolute path names are not allowed.\n");
+       exit(EXIT_FAILURE);
+      }
+
+      tmp_buff = malloc(strlen((const char *)filename));
+
+      if(tmp_buff == NULL) {
+       fprintf(stderr, "Out of memory.\n");
+       exit(EXIT_FAILURE);
+      }
 
       for(;;){
         const ub1 *idx = (const unsigned char *)strchr((const char *)start, 
'/');
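Review bot: `malloc(strlen((const char *)filename))` has no spare byte and reads like an off-by-one; it is sufficient only because tmp_buff ever holds a prefix of filename that ends at one of filename's '/' positions, with the NUL reusing that slot, and that invariant should be written down where the size is chosen: `/* strlen(filename) bytes suffice: tmp_buff only holds prefixes of filename cut at a '/', the NUL reusing that slot */`. Anyone later extending the loop to copy the final component would silently overflow without that note. extract_jar starts and ends outside the hunk.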
@@ -1738,25 +1749,28 @@ int extract_jar(int fd, const char **fil
         if(idx == NULL)
           break;
         else if(idx == start){
+         tmp_buff[idx - filename] = '/';
           start++;
           continue;
         }
-        start = idx + 1;
 
-        strncpy(tmp_buff, (const char *)filename, (idx - filename));
-        tmp_buff[(idx - filename)] = '\0';
+       memcpy(tmp_buff + (start - filename), (const char *)start, (idx - 
start));
+       tmp_buff[idx - filename] = '\0';
 
 #ifdef DEBUG    
         printf("checking the existance of %s\n", tmp_buff);
 #endif
-       if(strcmp(tmp_buff, "..") == 0){
+       if(idx - start == 2 && memcmp(start, "..", 2) == 0){
          --depth;
          if (depth < 0){
            fprintf(stderr, "Traversal to parent directories during 
unpacking!\n");
            exit(EXIT_FAILURE);
          }
-       } else if (strcmp(tmp_buff, ".") != 0)
+       } else if (idx - start != 1 || *start != '.')
          ++depth;
+
+        start = idx + 1;
+
         if(stat(tmp_buff, &sbuf) < 0){
           if(errno != ENOENT)
             exit_on_error("stat");
@@ -1765,6 +1779,7 @@ int extract_jar(int fd, const char **fil
 #ifdef DEBUG    
           printf("Directory exists\n");
 #endif
+         tmp_buff[idx - filename] = '/';
           continue;
         }else {
           fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n",
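Review bot: The store `tmp_buff[idx - filename] = '/';` before `continue` carries no explanation, and the same separator restore appears twice more in this loop (in the `idx == start` branch of the previous hunk and after the directory is created in the next one), so its purpose should be recorded where the reader first meets it: `/* put the '/' back so tmp_buff again holds the full prefix for the next component's stat() */`. Since these three stores are the only way the prefix is rebuilt, a single restore at the top of the loop body (the '/' always sits at start - 1 once start has advanced) could replace them, though that is a judgement call. extract_jar continues outside the hunk.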
@@ -1781,10 +1796,11 @@ int extract_jar(int fd, const char **fil
         if(verbose && handle)
           printf("%10s: %s/\n", "created", tmp_buff);
 
+       tmp_buff[idx - filename] = '/';
       }
 
       /* only a directory */
-      if(strlen((const char *)start) == 0)
+      if(*start == '\0')
         dir = TRUE;
 
 #ifdef DEBUG    
@@ -1792,7 +1808,7 @@ int extract_jar(int fd, const char **fil
 #endif
 
       /* If the entry was just a directory, don't write to file, etc */
-      if(strlen((const char *)start) == 0)
+      if(*start == '\0')
         f_fd = -1;
 
       free(tmp_buff);
@@ -1876,7 +1892,8 @@ int extract_jar(int fd, const char **fil
       exit(EXIT_FAILURE);
     }
 
-    close(f_fd);
+    if (f_fd != -1)
+      close(f_fd);
 
     if(verbose && dir == FALSE && handle)
       printf("%10s: %s\n",
