On Mon, Jan 12, 2015 at 19:58, Daniel Cegiełka wrote:
> http://www.openwall.com/lists/oss-security/2015/01/07/5
>
> Can someone confirm this vulnerability? It's probably the problem
> of "OpenBSD-derived (?) pax".

The following is incomplete I think (doesn't handle arcn->ln_name),
but seems to do the right thing with a few test archives I've created.

Index: pat_rep.c
===================================================================
RCS file: /cvs/src/bin/pax/pat_rep.c,v
retrieving revision 1.34
diff -u -p -r1.34 pat_rep.c
--- pat_rep.c 24 May 2014 18:51:00 -0000 1.34
+++ pat_rep.c 12 Jan 2015 19:45:17 -0000
@@ -632,6 +632,32 @@ mod_name(ARCHD *arcn)
paxwarn(0, "Removing leading / from absolute path names
in the archive");
}
}
+ if (rmleadslash) {
+ char *p, *prev;
+
+ while ((p = strstr(arcn->name, "/../"))) {
+ *p = 0; /* overwrite for benefit of strrchr */
+ prev = strrchr(arcn->name, '/');
+ if (prev) {
+ memmove(prev, p + 4, strlen(p + 4) + 1);
+ arcn->nlen -= p + 4 - prev;
+ } else {
+ memmove(arcn->name, p + 4, strlen(p + 4) + 1);
+ }
+ if (rmleadslash < 3) {
+ rmleadslash = 3;
+ paxwarn(0, "Removing /../ from path names in
the archive");
+ }
+ }
+ while (strstr(arcn->name, "../") == arcn->name) {
+ memmove(arcn->name, arcn->name + 3, strlen(arcn->name +
3) + 1);
+ arcn->nlen -= 3;
+ if (rmleadslash < 3) {
+ rmleadslash = 3;
+ paxwarn(0, "Removing leading .. from path names
in the archive");
+ }
+ }
+ }
/*
* IMPORTANT: We have a problem. what do we do with symlinks?
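
Review bot: In the `if (prev)` branch of the first loop, `memmove(prev, p + 4, ...)` copies the tail over the slash that `prev` points at, so "x/a/../b" becomes "xb" rather than "x/b"; the destination should be `prev + 1`, with `arcn->nlen -= p + 4 - (prev + 1)` to match. The `else` branch moves the tail to the start of the name but never adjusts `arcn->nlen`, which should drop by `p + 4 - arcn->name`. A name that ends in "/.." with no trailing slash, or that is exactly "..", matches neither `strstr` pattern and passes through unchanged, so the final component needs its own check. For the leading case, `strncmp(arcn->name, "../", 3) == 0` states the intent more directly than comparing the `strstr` result against `arcn->name`.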