2015-01-12 20:48 GMT+01:00 Ted Unangst <t...@tedunangst.com>:
> On Mon, Jan 12, 2015 at 19:58, Daniel Cegiełka wrote:
>> http://www.openwall.com/lists/oss-security/2015/01/07/5
>>
>> Can someone confirm this vulnerability? It's probably the problem
>> of "OpenBSD-derived (?) pax".
>
> The following is incomplete I think (doesn't handle arcn->ln_name),
> but seems to do the right thing with a few test archives I've created.
>
> Index: pat_rep.c
> ===================================================================
> RCS file: /cvs/src/bin/pax/pat_rep.c,v
> retrieving revision 1.34
> diff -u -p -r1.34 pat_rep.c
> --- pat_rep.c   24 May 2014 18:51:00 -0000      1.34
> +++ pat_rep.c   12 Jan 2015 19:45:17 -0000
> @@ -632,6 +632,32 @@ mod_name(ARCHD *arcn)
>                         paxwarn(0, "Removing leading / from absolute path 
> names in the archive");
>                 }
>         }
> +       if (rmleadslash) {
> +               char *p, *prev;
> +
> +               while ((p = strstr(arcn->name, "/../"))) {
> +                       *p = 0; /* overwrite for benefit of strrchr */
> +                       prev = strrchr(arcn->name, '/');
> +                       if (prev) {
> +                               memmove(prev, p + 4, strlen(p + 4) + 1);
> +                               arcn->nlen -= p + 4 - prev;
> +                       } else {
> +                               memmove(arcn->name, p + 4, strlen(p + 4) + 1);
> +                       }
> +                       if (rmleadslash < 3) {
> +                               rmleadslash = 3;
> +                               paxwarn(0, "Removing /../ from path names in 
> the archive");
> +                       }
> +               }
> +               while (strstr(arcn->name, "../") == arcn->name) {
> +                       memmove(arcn->name, arcn->name + 3, strlen(arcn->name 
> + 3) + 1);
> +                       arcn->nlen -= 3;
> +                       if (rmleadslash < 3) {
> +                               rmleadslash = 3;
> +                               paxwarn(0, "Removing leading .. from path 
> names in the archive");
> +                       }
> +               }
> +       }
>
>         /*
>          * IMPORTANT: We have a problem. what do we do with symlinks?
>
>
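
Review bot: in the else branch of the first loop (no earlier '/' in the name), memmove shortens arcn->name but arcn->nlen is left unchanged, so the stored length no longer matches the string; subtract p + 4 - arcn->name there, as the if branch does relative to prev. In the if branch, memmove(prev, p + 4, ...) copies onto the '/' that prev points at, so a name such as "a/b/../c" comes out as "ac" rather than "a/c"; copying to prev + 1 and reducing nlen by p + 4 - (prev + 1) keeps the separator. Both strstr patterns also require a trailing slash, so a name that ends in "/.." or is exactly ".." passes through both loops unmodified, and as the message says, arcn->ln_name is not filtered at all.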

Eh... I should send it directly to tech, so I removed the misc list
and addressed it to tech... and once again, the link:

http://www.openwall.com/lists/oss-security/2015/01/07/5

Thanks,
Daniel
