On Mon, Jan 12, 2015 at 19:58, Daniel Cegiełka wrote:
http://www.openwall.com/lists/oss-security/2015/01/07/5
Can someone confirm this vulnerability? It's probably the problem
of OpenBSD-derived (?) pax.
The following is incomplete I think (doesn't handle arcn->ln_name),
but seems to do the right thing with a few test archives I've created.
Index: pat_rep.c
===
RCS file: /cvs/src/bin/pax/pat_rep.c,v
retrieving revision 1.34
diff -u -p -r1.34 pat_rep.c
--- pat_rep.c 24 May 2014 18:51:00 - 1.34
+++ pat_rep.c 12 Jan 2015 19:45:17 -
@@ -632,6 +632,32 @@ mod_name(ARCHD *arcn)
paxwarn(0, Removing leading / from absolute path names
in the archive);
}
}
+ if (rmleadslash) {
+ char *p, *prev;
+
+ while ((p = strstr(arcn-name, /../))) {
+ *p = 0; /* overwrite for benefit of strrchr */
+ prev = strrchr(arcn-name, '/');
+ if (prev) {
+ memmove(prev, p + 4, strlen(p + 4) + 1);
+ arcn-nlen -= p + 4 - prev;
+ } else {
+ memmove(arcn-name, p + 4, strlen(p + 4) + 1);
+ }
+ if (rmleadslash 3) {
+ rmleadslash = 3;
+ paxwarn(0, Removing /../ from path names in
the archive);
+ }
+ }
+ while (strstr(arcn-name, ../) == arcn-name) {
+ memmove(arcn-name, arcn-name + 3, strlen(arcn-name +
3) + 1);
+ arcn-nlen -= 3;
+ if (rmleadslash 3) {
+ rmleadslash = 3;
+ paxwarn(0, Removing leading .. from path names
in the archive);
+ }
+ }
+ }
/*
* IMPORTANT: We have a problem. what do we do with symlinks?
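
Review bot: In the first loop, `memmove(prev, p + 4, strlen(p + 4) + 1)` overwrites the '/' that prev points at, so a name such as a/b/../c comes out as ac rather than a/c; copying to prev + 1, and subtracting p + 4 - (prev + 1) from nlen, would keep the separator. The else branch of the same loop shortens the name without adjusting arcn->nlen at all, so nlen is stale whenever the component before /../ is the first one; it should subtract p + 4 - arcn->name. Both strstr patterns require a trailing slash, so a name that ends in /.. or is exactly .. passes through unchanged, which is worth covering along with ln_name before this goes in.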