Randy McMurchy wrote:
Hi Alexander,
Hello!
Could you look at http://wiki.linuxfromscratch.org/blfs/ticket/1799
and review the report I put in it yesterday? Thanks.
When trying to recreate and reattach the patch, I got:
===========================================
Trac detected an internal error:
SQL logic error or missing database
===========================================
(manifestation of Ticket 1879?)
So please find the patch attached to this mail. Sorry for the inconvenience.
Origin: Debian, the descriptions of the vulnerabilities can be retrieved from
http://wiki.linuxfromscratch.org/blfs/wiki/Enscript
--
Alexander E. Patrakov
--- enscript-1.6.4/src/gsint.h 2003-03-05 08:37:06.000000000 +0100
+++ enscript-1.6.4/src/gsint.h 2005-01-20 19:54:57.000000000 +0100
@@ -701,4 +701,9 @@
*/
void printer_close ___P ((void *context));
+/*
+ * Escape filenames for shell usage
+ */
+char *shell_escape ___P ((const char *fn));
+
#endif /* not GSINT_H */
--- enscript-1.6.4/src/main.c 2005-01-20 19:54:40.000000000 +0100
+++ enscript-1.6.4/src/main.c 2005-01-20 19:54:57.000000000 +0100
@@ -1556,9 +1556,13 @@
buffer_append (&cmd, intbuf);
buffer_append (&cmd, " ");
- buffer_append (&cmd, "-Ddocument_title=\"");
- buffer_append (&cmd, title);
- buffer_append (&cmd, "\" ");
+ buffer_append (&cmd, "-Ddocument_title=\'");
+ if ((cp = shell_escape (title)) != NULL)
+ {
+ buffer_append (&cmd, cp);
+ free (cp);
+ }
+ buffer_append (&cmd, "\' ");
buffer_append (&cmd, "-Dtoc=");
buffer_append (&cmd, toc ? "1" : "0");
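Review bot: When shell_escape returns NULL the title is skipped silently, so the command is built with `-Ddocument_title=''` and no diagnostic; the same pattern drops an input file from the command line in the next main.c hunk and drops the `%s` expansion in the `case 's':` hunk of util.c. An allocation failure should stop the run rather than change what the spawned command processes. Either report and exit in an `else` branch, or allocate inside shell_escape with `xmalloc` (already used in util.c), which presumably does not return on failure; that needs confirming, since xmalloc is not shown. `cp` is not declared in this hunk, so its declaration is assumed to sit earlier in the enclosing function, which starts outside the hunk.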
@@ -1575,8 +1579,14 @@
/* Append input files. */
for (i = optind; i < argc; i++)
{
- buffer_append (&cmd, " ");
- buffer_append (&cmd, argv[i]);
+ char *cp;
+ if ((cp = shell_escape (argv[i])) != NULL)
+ {
+ buffer_append (&cmd, " \'");
+ buffer_append (&cmd, cp);
+ buffer_append (&cmd, "\'");
+ free (cp);
+ }
}
/* And do the job. */
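Review bot: Quoting each name stops the shell from interpreting it, but a name that begins with `-` still reaches the spawned program as an option, because the loop appends argv[i] with nothing separating options from operands. If that program follows the usual convention, append the separator once before the loop, e.g. `buffer_append (&cmd, " --");`; this has to be checked against the program's option parser, which is not visible here. The loop sits inside a function that starts and ends outside the hunk.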
@@ -1637,7 +1647,7 @@
buffer_ptr (opts), buffer_len (opts));
}
- buffer_append (&buffer, " \"%s\"");
+ buffer_append (&buffer, " \'%s\'");
input_filter = buffer_copy (&buffer);
input_filter_stdin = "-";
--- enscript-1.6.4/src/util.c 2003-03-05 08:26:32.000000000 +0100
+++ enscript-1.6.4/src/util.c 2005-01-20 19:54:57.000000000 +0100
@@ -1239,6 +1239,8 @@
/* Create result. */
cp = xmalloc (len + 1);
+ if (cp == NULL)
+ return NULL;
for (i = 0, j = 0; string[i]; i++)
switch (string[i])
{
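Review bot: The added `return NULL` gives this function a failure return it did not have before, and no caller update is visible in this patch, so callers outside the hunk may use the result unchecked. If xmalloc exits on failure, as its name suggests (its definition is not shown), the check is dead code and can be dropped; otherwise the callers need a matching NULL test. The function's start and end are outside the hunk.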
@@ -1879,6 +1881,7 @@
char *cmd = NULL;
int cmdlen;
int i, pos;
+ char *cp;
is->is_pipe = 1;
@@ -1902,12 +1905,16 @@
{
case 's':
/* Expand cmd-buffer. */
- cmdlen += strlen (fname);
- cmd = xrealloc (cmd, cmdlen);
+ if ((cp = shell_escape (fname)) != NULL)
+ {
+ cmdlen += strlen (cp);
+ cmd = xrealloc (cmd, cmdlen);
- /* Paste filename. */
- strcpy (cmd + pos, fname);
- pos += strlen (fname);
+ /* Paste filename. */
+ strcpy (cmd + pos, cp);
+ pos += strlen (cp);
+ free (cp);
+ }
i++;
break;
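Review bot: The `%s` expansion now always inserts text escaped for single quotes, which is only correct when the template itself wraps `%s` in single quotes, as the main.c change to `" '%s'"` does for the built-in filter. A template that writes `"%s"` or a bare `%s` gets the `'\''` sequences in the wrong quoting context, and the file name is then not protected. A comment above the case should state the contract, for example `/* %s expands to shell_escape (fname); templates must write it as '%s'. */`, and the documentation of any option that accepts such a template should say the same. The enclosing function starts and ends outside the hunk.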
@@ -2116,3 +2123,36 @@
{
return buffer->len;
}
+
+/*
+ * Escapes the name of a file so that the shell groks it in 'single'
+ * quotation marks. The resulting pointer has to be free()ed when not
+ * longer used.
+*/
+char *
+shell_escape(const char *fn)
+{
+ size_t len = 0;
+ const char *inp;
+ char *retval, *outp;
+
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case '\'': len += 4; break;
+ default: len += 1; break;
+ }
+
+ outp = retval = malloc(len + 1);
+ if(!outp)
+ return NULL; /* perhaps one should do better error handling here */
+ for(inp = fn; *inp; ++inp)
+ switch(*inp)
+ {
+ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ =
'\''; break;
+ default: *outp++ = *inp; break;
+ }
+ *outp = 0;
+
+ return retval;
+}
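Review bot: In the second loop the quote case mixes `;` and `,` between the four stores (`*outp++ = '\'', *outp++ = '\'';`), which works only because the comma operator sequences them, and the four-character replacement is spelled out separately from the `len += 4` that sizes it. Copying from one literal keeps the two in step: `memcpy (outp, "'\\''", 4); outp += 4;` (util.c already calls strlen and strcpy, so string.h is presumably included). The header comment should also say that NULL is returned on allocation failure and that the caller supplies the surrounding single quotes; "not longer" should read "no longer".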
--- enscript-1.6.4/src/psgen.c 2005-01-20 19:56:16.000000000 +0100
+++ enscript-1.6.4/src/psgen.c 2005-01-20 19:56:28.000000000 +0100
@@ -2385,9 +2385,10 @@
MESSAGE (2, (stderr, "[EMAIL PROTECTED]"%s\"\n", token->u.epsf.filename));
i = strlen (token->u.epsf.filename);
+ /*
if (i > 0 && token->u.epsf.filename[i - 1] == '|')
{
- /* Read EPS data from pipe. */
+ / * Read EPS data from pipe. * /
token->u.epsf.pipe = 1;
token->u.epsf.filename[i - 1] = '\0';
token->u.epsf.fp = popen (token->u.epsf.filename, "r");
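Review bot: Disabling the pipe branch by wrapping it in a block comment depends on every inner comment being defused by hand, as done here with `/ * Read EPS data from pipe. * /`; a comment missed inside the region, or one added later, would end the block early and bring the popen call back. Use `#if 0` / `#endif` around the branch, or delete it, and leave one line saying why, e.g. `/* EPS-from-pipe disabled: the name is taken from the input and was passed to popen (). */` (that the name comes from the input is inferred from the token fields, not shown). The closing `*/` is in the following hunk, and the lines between the two hunks are not visible here.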
@@ -2400,6 +2401,7 @@
}
}
else
+ */
{
char *filename;
--- enscript-1.6.4/src/psgen.c 2005-01-20 19:59:18.000000000 +0100
+++ enscript-1.6.4/src/psgen.c 2005-01-20 19:59:30.000000000 +0100
@@ -2034,8 +2034,9 @@
else
{
ftail++;
- strncpy (buf, fname, ftail - fname);
- buf[ftail - fname] = '\0';
+ i = ftail - fname >= sizeof (buf)-1 ? sizeof (buf)-1 : ftail - fname;
+ strncpy (buf, fname, i);
+ buf[i] = '\0';
}
if (nup > 1)
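Review bot: The clamp stops the overflow but truncates silently: when the directory part of fname does not fit, buf holds a shorter prefix, and whatever uses buf afterwards (outside the hunk) works with a path the caller never named. Treating the over-long case as an error would be safer than continuing. The comparison also mixes the signed pointer difference with the unsigned `sizeof (buf)-1`, and the result is stored in `i`, whose type is not visible; a `size_t` local would avoid the conversions. `sizeof (buf)` is the buffer size only if buf is an array in this scope, which the hunk does not show.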