Date:      Thu, 30 Sep 2021 02:28:26 GMT
From:      Alex Kozlov <ak@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: e28d4d2d9db4 - 2021Q3 - archivers/ha: Fix CVE-2015-1198
Message-ID:  <202109300228.18U2SQWq019452@gitrepo.freebsd.org>

The branch 2021Q3 has been updated by ak:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e28d4d2d9db45e93658e1e4684e4995ca0195e76

commit e28d4d2d9db45e93658e1e4684e4995ca0195e76
Author:     Alex Kozlov <ak@FreeBSD.org>
AuthorDate: 2021-09-27 17:42:12 +0000
Commit:     Alex Kozlov <ak@FreeBSD.org>
CommitDate: 2021-09-30 02:26:49 +0000

    archivers/ha: Fix CVE-2015-1198
    
    Fix directory traversal vulnerabilities (CVE-2015-1198)
    
    Reported by:    decke
    
    (cherry picked from commit 0e6da3c2e1f0ca151be9e6428dcc9c0b7f19d170)
---
 archivers/ha/Makefile                  |   4 +-
 archivers/ha/files/patch-CVE-2015-1198 | 123 +++++++++++++++++++++++++++++++++
 archivers/ha/files/patch-nix_machine.c |  11 ---
 3 files changed, 126 insertions(+), 12 deletions(-)

diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile
index 3e69951b4d82..c962ec8732e4 100644
--- a/archivers/ha/Makefile
+++ b/archivers/ha/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	ha
 PORTVERSION=	0.999b
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	archivers
 MASTER_SITES=	https://aklv.github.io/distfiles/
 DISTNAME=	ha0999
@@ -25,6 +25,8 @@ post-patch:
 		-e 's|LDFLAGS = -O2||' \
 		-e 's|CFLAGS = -Wall -O2|CFLAGS += -Wall|' \
 		${WRKSRC}/makefile.nix
+	@${REINPLACE_CMD} -e 's|OBJS =  machine.o info.o|OBJS = machine.o info.o sanitize.o|' \
+		${WRKSRC}/nix/makefile
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/ha ${STAGEDIR}${PREFIX}/bin
diff --git a/archivers/ha/files/patch-CVE-2015-1198 b/archivers/ha/files/patch-CVE-2015-1198
new file mode 100644
index 000000000000..2e3a3898573a
--- /dev/null
+++ b/archivers/ha/files/patch-CVE-2015-1198
@@ -0,0 +1,123 @@
+- Fix unchecked path extraction problem (CAN-2015-1198)
+
+Index: nix/sanitize.c
+@@ -0,0 +1,79 @@
++/*
++ * Path sanitation code by Ludwig Nussel <ludwig.nussel@suse.de>. Public Domain.
++ */
++
++#include <string.h>
++#include <limits.h>
++#include <stdio.h>
++
++#ifndef PATH_CHAR
++#define PATH_CHAR '/'
++#endif
++#ifndef MIN
++#define MIN(x,y) ((x)<(y)?(x):(y))
++#endif
++
++/* copy src into dest converting the path to a relative one inside the current
++ * directory. dest must hold at least len bytes */
++void copy_path_relative(char *dest, char *src, size_t len)
++{
++    char* o = dest;
++    char* p = src;
++
++    *o = '\0';
++
++    while(*p && *p == PATH_CHAR) ++p;
++    for(; len && *p;)
++    {
++	src = p;
++	p = strchr(src, PATH_CHAR);
++	if(!p) p = src+strlen(src);
++
++	/* . => skip */
++	if(p-src == 1 && *src == '.' )
++	{
++	    if(*p) src = ++p;
++	}
++	/* .. => pop one */
++	else if(p-src == 2 && *src == '.' && src[1] == '.')
++	{
++	    if(o != dest)
++	    {
++		char* tmp;
++		*o = '\0';
++		tmp = strrchr(dest, PATH_CHAR);
++		if(!tmp)
++		{
++		    len += o-dest;
++		    o = dest;
++		    if(*p) ++p;
++		}
++		else
++		{
++		    len += o-tmp;
++		    o = tmp;
++		    if(*p) ++p;
++		}
++	    }
++	    else /* nothing to pop */
++		if(*p) ++p;
++	}
++	else
++	{
++	    size_t copy;
++	    if(o != dest)
++	    {
++		--len;
++		*o++ = PATH_CHAR;
++	    }
++	    copy = MIN(p-src,len);
++	    memcpy(o, src, copy);
++	    len -= copy;
++	    src += copy;
++	    o += copy;
++	    if(*p) ++p;
++	}
++	while(*p && *p == PATH_CHAR) ++p;
++    }
++    o[len?0:-1] = '\0';
++}
+Index: nix/machine.c
+@@ -22,6 +22,7 @@
+ #include <stdlib.h>
+ #include <ctype.h>
+ #include <stdio.h>
++#include <string.h>
+ #include <sys/types.h>
+ #include <utime.h>
+ #include <time.h>
+@@ -68,6 +69,8 @@
+ static Mdhd mdhd;
+ struct stat filestat;
+ 	
++void copy_path_relative(char *dest, char *src, size_t len);
++
+ static void sig_handler(int signo) {
+ 
+     error(1,ERR_INT,signo);
+@@ -375,7 +378,7 @@
+     if (i==0) skipemptypath=1; 
+     else skipemptypath=0;
+     if ((hapath=malloc(j+1-i))==NULL) error(1,ERR_MEM,"md_tohapath()");
+-    strcpy(hapath,mdpath+i);
++    copy_path_relative(hapath, mdpath+i, sizeof(hapath));
+     for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff;
+     return md_strcase(hapath);
+ }
+@@ -388,8 +391,10 @@
+     if (mdpath!=NULL) free(mdpath),mdpath=NULL;
+     if ((mdpath=malloc(strlen(hapath)+1))==NULL) 
+       error(1,ERR_MEM,"md_tomdpath()");
+-    strcpy(mdpath,hapath);
+-    for (i=0;mdpath[i];++i) if ((unsigned char)mdpath[i]==0xff) mdpath[i]='/';
++    /* Kludge to avoid temp string allocation */
++    for (i=0;hapath[i];++i) if (hapath[i]==0xff) hapath[i]='/';
++    copy_path_relative(mdpath, hapath, sizeof(mdpath));
++    for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff;
+     return mdpath;
+ }
+ 
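Review bot: Both new calls in the nix/machine.c part pass `sizeof(hapath)` and `sizeof(mdpath)` as the length, but the lines just above assign these from `malloc`, so `len` is the size of a pointer and copy_path_relative silently truncates any sanitized path longer than that (minus the terminator), which can extract entries under the wrong name. Pass the allocation sizes instead: `copy_path_relative(hapath, mdpath+i, j+1-i);` and `copy_path_relative(mdpath, hapath, strlen(hapath)+1);`. In md_tomdpath the new conversion loop also drops the `(unsigned char)` cast that the removed line had; if `hapath` is a plain `char *` and char is signed, `hapath[i]==0xff` never matches, the 0xff separators are not turned into '/', and the `..` check in copy_path_relative sees the whole path as one component, so keep `(unsigned char)hapath[i]==0xff`. Both functions begin outside the visible hunks, so the declarations of `hapath` and `mdpath` should be confirmed there.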
diff --git a/archivers/ha/files/patch-nix_machine.c b/archivers/ha/files/patch-nix_machine.c
deleted file mode 100644
index 735343ea7fd5..000000000000
--- a/archivers/ha/files/patch-nix_machine.c
+++ /dev/null
@@ -1,11 +0,0 @@
---- nix/machine.c.orig	1995-01-12 06:53:00 UTC
-+++ nix/machine.c
-@@ -417,7 +417,7 @@ char *md_stripname(char *mdfullpath) {
-     if (plainname!=NULL) free(plainname),plainname=NULL;
-     if ((plainname=malloc(strlen(mdfullpath)+1))==NULL) 
-       error(1,ERR_MEM,"md_stripname()");
--    for (i=strlen(mdfullpath)-1;i>0;i--) {
-+    for (i=strlen(mdfullpath)-1;i>=0;i--) {
- 	if (mdfullpath[i]=='/') {
- 	    i++;
- 	    break;


