OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Herbert Schmid
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 17-Jan-2005 12:43:10
Branch: HEAD Handle: 2005011711431000
Modified files:
openpkg-src/a2ps a2ps.patch a2ps.spec
Log:
patch implemented for security issue CAN-2004-1170
OpenPKG-SA-2005.003-a2ps
Summary:
Revision Changes Path
1.3 +63 -0 openpkg-src/a2ps/a2ps.patch
1.31 +1 -1 openpkg-src/a2ps/a2ps.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/a2ps/a2ps.patch
============================================================================
$ cvs diff -u -r1.2 -r1.3 a2ps.patch
--- openpkg-src/a2ps/a2ps.patch 18 Aug 2004 18:00:00 -0000 1.2
+++ openpkg-src/a2ps/a2ps.patch 17 Jan 2005 11:43:10 -0000 1.3
@@ -36,3 +36,66 @@
#ifndef DIRECTORY_SEPARATOR
# define DIRECTORY_SEPARATOR '/'
#endif
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1170
+ a2ps 4.13 allows remote attackers to execute arbitrary commands via
+ shell metacharacters in the filename.
+source:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain
+
+--- src/select.c.orig Thu Dec 16 02:04:56 1999
++++ src/select.c Sat Aug 21 12:05:31 2004
+@@ -131,6 +131,36 @@
+ return 1;
+ }
+
++/* escapes the name of a file so that the shell groks it in 'single'
q.marks.
++ The resulting pointer has to be free()ed when not longer used. */
++char *
++shell_escape(const char *fn)
++{
++ size_t len = 0;
++ const char *inp;
++ char *retval, *outp;
++
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': len += 4; break;
++ default: len += 1; break;
++ }
++
++ outp = retval = malloc(len + 1);
++ if(!outp)
++ return NULL; /* perhaps one should do better error handling here */
++ for(inp = fn; *inp; ++inp)
++ switch(*inp)
++ {
++ case '\'': *outp++ = '\''; *outp++ = '\\'; *outp++ = '\'', *outp++ =
'\''; break;
++ default: *outp++ = *inp; break;
++ }
++ *outp = 0;
++
++ return retval;
++}
++
+ /* What says file about the type of a file (result is malloc'd). NULL
+ if could not be run. */
+
+@@ -144,11 +174,15 @@
+ if (IS_EMPTY (job->file_command))
+ return NULL;
+
++ filename = shell_escape(filename);
++ if(filename == NULL)
++ return NULL;
+ /* Call file(1) with the correct option */
+- command = ALLOCA (char, (2
++ command = ALLOCA (char, (4
+ + strlen (job->file_command)
+ + ustrlen (filename)));
+- sprintf (command, "%s %s", job->file_command, (const char *) filename);
++ sprintf (command, "%s '%s'", job->file_command, (const char *) filename);
++ free(filename);
+ message (msg_tool, (stderr, "Reading pipe: `%s'\n", command));
+ file_out = popen (command, "r");
+
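Review bot: The `case '\''` branch of the new shell_escape joins its last two stores with a comma operator (`*outp++ = '\'', *outp++ = '\''`); it evaluates left to right and is correct, but it reads like a typo next to the semicolon-separated statements around it, so write `*outp++ = '\''; *outp++ = '\'';` and, if the helper is not meant to be exported, declare it `static char *`. In the second sub-hunk, `filename = shell_escape(filename)` overwrites the function's own parameter, and the surrounding `ustrlen (filename)` and `(const char *) filename` casts suggest that parameter is a `uchar *`, so the assignment from `char *` and the later `free(filename)` probably draw incompatible-pointer warnings (hedged: the parameter declaration is outside the hunk). A separate local for the quoted copy, declared `char *quoted;` alongside the function's other locals, keeps the types straight and leaves the caller's argument untouched. The enclosing file-type function starts and ends outside the hunk.
```c
/* … unchanged: IS_EMPTY (job->file_command) check … */
quoted = shell_escape ((const char *) filename);
if (quoted == NULL)
  return NULL;
/* Call file(1) with the correct option */
command = ALLOCA (char, (4
                         + strlen (job->file_command)
                         + strlen (quoted)));
sprintf (command, "%s '%s'", job->file_command, quoted);
free (quoted);
/* … unchanged: message and popen … */
```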
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/a2ps/a2ps.spec
============================================================================
$ cvs diff -u -r1.30 -r1.31 a2ps.spec
--- openpkg-src/a2ps/a2ps.spec 1 Jan 2005 10:47:37 -0000 1.30
+++ openpkg-src/a2ps/a2ps.spec 17 Jan 2005 11:43:10 -0000 1.31
@@ -38,7 +38,7 @@
Group: Converter
License: GPL
Version: %{V_major}%{V_minor}
-Release: 20040818
+Release: 20050117
# list of sources
Source0:
ftp://ftp.enst.fr/pub/unix/a2ps/a2ps-%{V_major}%{V_minor}.tar.gz
@@ .