idella4 15/07/21 05:36:23 Added: CVE-2013-4420.patch Log: revbump; sec. patch from Bug 487686, sourced, prepared and runtested by proxy maintainer (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)
Revision Changes Path 1.1 dev-libs/libtar/files/CVE-2013-4420.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libtar/files/CVE-2013-4420.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/libtar/files/CVE-2013-4420.patch?rev=1.1&content-type=text/plain Index: CVE-2013-4420.patch =================================================================== --- a/libtar/lib/decode.c 2013-10-09 09:59:44.000000000 -0700 +++ b/libtar/lib/decode.c 2015-07-20 20:57:58.331945962 -0700 @@ -21,24 +21,55 @@ # include <string.h> #endif +char * +safer_name_suffix (char const *file_name) +{ + char const *p, *t; + p = t = file_name; + while (*p) + { + if (p[0] == '.' && p[0] == p[1] && p[2] == '/') + { + p += 3; + t = p; + } + /* advance pointer past the next slash */ + while (*p && (p++)[0] != '/'); + } + + if (!*t) + { + t = "."; + } + + if (t != file_name) + { + /* TODO: warn somehow that the path was modified */ + } + return (char*)t; +} + /* determine full path name */ char * th_get_pathname(TAR *t) { static TLS_THREAD char filename[MAXPATHLEN]; + char *safer_name; if (t->th_buf.gnu_longname) - return t->th_buf.gnu_longname; + return safer_name_suffix(t->th_buf.gnu_longname); + + safer_name = safer_name_suffix(t->th_buf.name); if (t->th_buf.prefix[0] != '\0') { snprintf(filename, sizeof(filename), "%.155s/%.100s", - t->th_buf.prefix, t->th_buf.name); + t->th_buf.prefix, safer_name); return filename; } - snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name); + snprintf(filename, sizeof(filename), "%.100s", safer_name); return filename; } --- a/libtar/lib/extract.c 2013-10-09 09:59:44.000000000 -0700 +++ b/libtar/lib/extract.c 2015-07-20 21:00:16.560956122 -0700 @@ -305,7 +305,7 @@ linktgt = &lnp[strlen(lnp) + 1]; } else - linktgt = th_get_linkname(t); + linktgt = safer_name_suffix(th_get_linkname(t)); #ifdef DEBUG printf(" ==> extracting: %s (link to %s)\n", filename, linktgt); @@ -343,9 +343,9 @@ #ifdef DEBUG printf(" ==> extracting: %s (symlink to %s)\n", - filename, th_get_linkname(t)); + filename, safer_name_suffix(th_get_linkname(t))); #endif - if (symlink(th_get_linkname(t), filename) == -1) + if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1) { #ifdef DEBUG perror("symlink()"); --- a/libtar/lib/internal.h 2013-10-09 09:59:44.000000000 -0700 +++ b/libtar/lib/internal.h 2015-07-20 21:00:51.258958673 -0700 @@ -15,6 +15,7 @@ #include <libtar.h> +char* safer_name_suffix(char const*); #ifdef TLS #define TLS_THREAD TLS #else
