OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   10-Jul-2003 11:54:30
  Branch: HEAD                             Handle: 2003071010543000

  Modified files:
    openpkg-src/infozip     infozip.patch

  Log:
    SA-2003.033-infozip; CAN-2003-0282

  Summary:
    Revision    Changes     Path
    1.3         +87 -0      openpkg-src/infozip/infozip.patch
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/infozip/infozip.patch
  ============================================================================
  $ cvs diff -u -r1.2 -r1.3 infozip.patch
  --- openpkg-src/infozip/infozip.patch 10 Jul 2003 09:11:05 -0000      1.2
  +++ openpkg-src/infozip/infozip.patch 10 Jul 2003 09:54:30 -0000      1.3
  @@ -9,3 +9,90 @@
        [ $? -eq 0 ] && CPP="${CPP} -DNO_UNDERLINE"
        if eval "$CPP crc_i386.S > _crc_i386.s 2>/dev/null"; then
          if eval "$CC -c _crc_i386.s >/dev/null 2>/dev/null" && [ -f _crc_i386.o ]
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282
  +    Directory traversal vulnerability in UnZip 5.50 allows attackers to
  +    overwrite arbitrary files via invalid characters between two . (dot)
  +    characters, which are filtered and result in a ".." sequence.
  +
  +--- unzip-5.50/unix/unix.c.orig      2002-01-21 17:54:42.000000000 -0500
  ++++ unzip-5.50/unix/unix.c   2003-06-11 18:35:38.000000000 -0400
  +@@ -421,7 +421,8 @@
  +  */
  + {
  +     char pathcomp[FILNAMSIZ];      /* path-component buffer */
  +-    char *pp, *cp=(char *)NULL;    /* character pointers */
  ++    char *pp, *cp=(char *)NULL,    /* character pointers */
  ++         *dp=(char *)NULL;
  +     char *lastsemi=(char *)NULL;   /* pointer to last semi-colon in pathcomp */
  + #ifdef ACORN_FTYPE_NFS
  +     char *lastcomma=(char *)NULL;  /* pointer to last comma in pathcomp */
  +@@ -429,6 +430,7 @@
  + #endif
  +     int quote = FALSE;             /* flags */
  +     int killed_ddot = FALSE;       /* is set when skipping "../" pathcomp */
  ++    int snarf_ddot = FALSE;    /* Is set while scanning for "../" */
  +     int error = MPN_OK;
  +     register unsigned workch;      /* hold the character being tested */
  + 
  +@@ -467,6 +469,9 @@
  +     while ((workch = (uch)*cp++) != 0) {
  + 
  +         if (quote) {                 /* if character quoted, */
  ++        if ((pp == pathcomp) && (workch == '.'))
  ++            /* Oh no you don't... */
  ++            goto ddot_hack;
  +             *pp++ = (char)workch;    /*  include it literally */
  +             quote = FALSE;
  +         } else
  +@@ -481,15 +486,44 @@
  +                 break;
  + 
  +             case '.':
  +-                if (pp == pathcomp) {   /* nothing appended yet... */
  ++                if (pp == pathcomp) {
  ++ddot_hack:
  ++                /* nothing appended yet... */
  +                     if (*cp == '/') {   /* don't bother appending "./" to */
  +                         ++cp;           /*  the path: skip behind the '/' */
  +                         break;
  +-                    } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
  +-                        /* "../" dir traversal detected */
  +-                        cp += 2;        /*  skip over behind the '/' */
  +-                        killed_ddot = TRUE; /*  set "show message" flag */
  +-                        break;
  ++                    } else if (!uO.ddotflag) {
  ++
  ++                    /*
  ++                     * SECURITY: Skip past control characters if the user
  ++                     * didn't OK use of absolute pathnames. lhh - this is
  ++                     * a very quick, ugly, inefficient fix.
  ++                     */
  ++                    dp = cp;
  ++                    do {
  ++                        workch = (uch)(*dp);
  ++                        if (workch == '/' && snarf_ddot) {
  ++                                /* "../" dir traversal detected */
  ++                                cp = dp + 1;      /* skip past the '/' */
  ++                                killed_ddot = TRUE; /* set "show msg" flag */
  ++                                break;
  ++                            } else if (workch == '.' && !snarf_ddot) {
  ++                            snarf_ddot = TRUE;
  ++                        } else if (isprint(workch) ||
  ++                                   ((workch > 127) && (workch <= 254))) {
  ++                            /*
  ++                             * Since we found a printable, non-ctrl char,
  ++                             * we can stop looking for '../', the amount
  ++                             * in ../!
  ++                             */
  ++                            break;
  ++                        }
  ++
  ++                        dp++;
  ++                        } while (*dp != 0);
  ++
  ++                    if (killed_ddot)
  ++                        break;
  +                     }
  +                 }
  +                 *pp++ = '.';
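Review bot: The scan loop added under `ddot_hack` keeps state across path components: `snarf_ddot` is initialised once at function scope and never cleared in the lines shown, and the exit test `if (killed_ddot) break;` reads a flag that its declaration describes as the "show message" marker, so it presumably stays set. After the first detection, a later component that merely begins with a dot would therefore skip `*pp++ = '.'` and lose its leading dot. The `do { … } while (*dp != 0)` form also advances `dp` before testing, so when `cp` already points at the terminating NUL (a name ending in a lone `.`) the scan steps past the end of the string. I would reset the state per scan and test before advancing: `snarf_ddot = FALSE;` ahead of the loop, `for (dp = cp; *dp != 0; dp++)` as the loop header, and a flag local to this scan in place of `if (killed_ddot)`. The `goto ddot_hack` path also leaves `quote` set, which looks unintended; the enclosing function starts and ends outside these embedded hunks, so resets elsewhere cannot be ruled out.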
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
