OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   22-Oct-2004 11:43:41
  Branch: OPENPKG_2_2_SOLID                Handle: 2004102210434000

  Added files:              (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/cabextract  cabextract.patch
  Modified files:           (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/cabextract  cabextract.spec

  Log:
    CAN-2004-0916: directory traversal in cabextract

  Summary:
    Revision    Changes     Path
    1.1.2.1     +21 -0      openpkg-src/cabextract/cabextract.patch
    1.7.4.2     +3  -1      openpkg-src/cabextract/cabextract.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/cabextract/cabextract.patch
  ============================================================================
  $ cvs diff -u -r0 -r1.1.2.1 cabextract.patch
  --- /dev/null 2004-10-22 11:43:41 +0200
  +++ cabextract.patch  2004-10-22 11:43:41 +0200
  @@ -0,0 +1,21 @@
  +Fix Security Bug (CAN-2004-0916)
  +
  +--- src/cabextract.c 2004-03-09 20:05:04 +0100
  ++++ src/cabextract.c 2004-10-17 22:16:23 +0200
  +@@ -727,6 +752,16 @@
  +       else if (lower)      c = (unsigned char) tolower((int) c);
  +     } while ((*p++ = c));
  +   }
  ++
  ++  /* search for "../" in cab filename part and change to "xx/".  This
  ++   * prevents any unintended directory traversal. */
  ++  for (p = &name[dir ? strlen(dir)+1 : 0]; *p; p++) {
  ++    if ((p[0] == '.') && (p[1] == '.') && (p[2] == '/')) {
  ++      p[0] = p[1] = 'x';
  ++      p += 2;
  ++    }
  ++  }
  ++
  +   return (char *) name;
  + }
  + 
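Review bot: The added loop only neutralises a `../` component followed by a slash, so a name whose final component is `..` with no trailing separator (`p[2] == '\0'`) still passes through unchanged; a one-token widening of the test covers it, `if ((p[0] == '.') && (p[1] == '.') && (p[2] == '/' || p[2] == '\0')) {`. The scan also starts at the first byte after the destination directory, which means a filename beginning with `/` would be left as an absolute path unless the normalising loop above the hunk already strips it — that loop starts outside the hunk, so this cannot be confirmed here and is worth a check. The match relies on backslashes having already been folded to `/` by the earlier `do … while ((*p++ = c))` loop; if that is the case, a comment stating the dependency would help, e.g. `/* assumes '\\' has already been rewritten to '/' above */`. Finally, the nested hunk header `@@ -727,6 +752,16 @@` carries an offset of 25 lines between old and new with no preceding hunk in the file, so `patch` will rely on fuzz; regenerating the patch against the pristine 1.0 source would make it apply cleanly.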
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/cabextract/cabextract.spec
  ============================================================================
  $ cvs diff -u -r1.7.4.1 -r1.7.4.2 cabextract.spec
  --- openpkg-src/cabextract/cabextract.spec    11 Oct 2004 18:54:16 -0000      1.7.4.1
  +++ openpkg-src/cabextract/cabextract.spec    22 Oct 2004 09:43:40 -0000      1.7.4.2
  @@ -34,10 +34,11 @@
   Group:        Archiver
   License:      GPL
   Version:      1.0
  -Release:      2.2.0
  +Release:      2.2.1
   
   #   list of sources
   Source0:      http://www.kyz.uklinux.net/downloads/cabextract-%{version}.tar.gz
  +Patch0:       cabextract.patch
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -59,6 +60,7 @@
   
   %prep
       %setup -q
  +    %patch -p0
   
   %build
       CC="%{l_cc}" \
  @@ .