Date: Thu, 30 Sep 2021 02:28:26 GMT From: Alex Kozlov <ak@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: git: e28d4d2d9db4 - 2021Q3 - archivers/ha: Fix CVE-2015-1198 Message-ID: <202109300228.18U2SQWq019452@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch 2021Q3 has been updated by ak: URL: https://cgit.FreeBSD.org/ports/commit/?id=e28d4d2d9db45e93658e1e4684e4995ca0195e76 commit e28d4d2d9db45e93658e1e4684e4995ca0195e76 Author: Alex Kozlov <ak@FreeBSD.org> AuthorDate: 2021-09-27 17:42:12 +0000 Commit: Alex Kozlov <ak@FreeBSD.org> CommitDate: 2021-09-30 02:26:49 +0000 archivers/ha: Fix CVE-2015-1198 Fix directory traversal vulnerabilities (CVE-2015-1198) Reported by: decke (cherry picked from commit 0e6da3c2e1f0ca151be9e6428dcc9c0b7f19d170) --- archivers/ha/Makefile | 4 +- archivers/ha/files/patch-CVE-2015-1198 | 123 +++++++++++++++++++++++++++++++++ archivers/ha/files/patch-nix_machine.c | 11 --- 3 files changed, 126 insertions(+), 12 deletions(-) diff --git a/archivers/ha/Makefile b/archivers/ha/Makefile index 3e69951b4d82..c962ec8732e4 100644 --- a/archivers/ha/Makefile +++ b/archivers/ha/Makefile @@ -2,7 +2,7 @@ PORTNAME= ha PORTVERSION= 0.999b -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= archivers MASTER_SITES= https://aklv.github.io/distfiles/ DISTNAME= ha0999 @@ -25,6 +25,8 @@ post-patch: -e 's|LDFLAGS = -O2||' \ -e 's|CFLAGS = -Wall -O2|CFLAGS += -Wall|' \ ${WRKSRC}/makefile.nix + @${REINPLACE_CMD} -e 's|OBJS = machine.o info.o|OBJS = machine.o info.o sanitize.o|' \ + ${WRKSRC}/nix/makefile do-install: ${INSTALL_PROGRAM} ${WRKSRC}/ha ${STAGEDIR}${PREFIX}/bin diff --git a/archivers/ha/files/patch-CVE-2015-1198 b/archivers/ha/files/patch-CVE-2015-1198 new file mode 100644 index 000000000000..2e3a3898573a --- /dev/null +++ b/archivers/ha/files/patch-CVE-2015-1198 @@ -0,0 +1,123 @@ +- Fix unchecked path extraction problem (CAN-2015-1198) + +Index: nix/sanitize.c +@@ -0,0 +1,79 @@ ++/* ++ * Path sanitation code by Ludwig Nussel <ludwig.nussel@suse.de>. Public Domain. ++ */ ++ ++#include <string.h> ++#include <limits.h> ++#include <stdio.h> ++ ++#ifndef PATH_CHAR ++#define PATH_CHAR '/' ++#endif ++#ifndef MIN ++#define MIN(x,y) ((x)<(y)?(x):(y)) ++#endif ++ ++/* copy src into dest converting the path to a relative one inside the current ++ * directory. dest must hold at least len bytes */ ++void copy_path_relative(char *dest, char *src, size_t len) ++{ ++ char* o = dest; ++ char* p = src; ++ ++ *o = '\0'; ++ ++ while(*p && *p == PATH_CHAR) ++p; ++ for(; len && *p;) ++ { ++ src = p; ++ p = strchr(src, PATH_CHAR); ++ if(!p) p = src+strlen(src); ++ ++ /* . => skip */ ++ if(p-src == 1 && *src == '.' ) ++ { ++ if(*p) src = ++p; ++ } ++ /* .. => pop one */ ++ else if(p-src == 2 && *src == '.' && src[1] == '.') ++ { ++ if(o != dest) ++ { ++ char* tmp; ++ *o = '\0'; ++ tmp = strrchr(dest, PATH_CHAR); ++ if(!tmp) ++ { ++ len += o-dest; ++ o = dest; ++ if(*p) ++p; ++ } ++ else ++ { ++ len += o-tmp; ++ o = tmp; ++ if(*p) ++p; ++ } ++ } ++ else /* nothing to pop */ ++ if(*p) ++p; ++ } ++ else ++ { ++ size_t copy; ++ if(o != dest) ++ { ++ --len; ++ *o++ = PATH_CHAR; ++ } ++ copy = MIN(p-src,len); ++ memcpy(o, src, copy); ++ len -= copy; ++ src += copy; ++ o += copy; ++ if(*p) ++p; ++ } ++ while(*p && *p == PATH_CHAR) ++p; ++ } ++ o[len?0:-1] = '\0'; ++} +Index: nix/machine.c +@@ -22,6 +22,7 @@ + #include <stdlib.h> + #include <ctype.h> + #include <stdio.h> ++#include <string.h> + #include <sys/types.h> + #include <utime.h> + #include <time.h> +@@ -68,6 +69,8 @@ + static Mdhd mdhd; + struct stat filestat; + ++void copy_path_relative(char *dest, char *src, size_t len); ++ + static void sig_handler(int signo) { + + error(1,ERR_INT,signo); +@@ -375,7 +378,7 @@ + if (i==0) skipemptypath=1; + else skipemptypath=0; + if ((hapath=malloc(j+1-i))==NULL) error(1,ERR_MEM,"md_tohapath()"); +- strcpy(hapath,mdpath+i); ++ copy_path_relative(hapath, mdpath+i, sizeof(hapath)); + for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff; + return md_strcase(hapath); + } +@@ -388,8 +391,10 @@ + if (mdpath!=NULL) free(mdpath),mdpath=NULL; + if ((mdpath=malloc(strlen(hapath)+1))==NULL) + error(1,ERR_MEM,"md_tomdpath()"); +- strcpy(mdpath,hapath); +- for (i=0;mdpath[i];++i) if ((unsigned char)mdpath[i]==0xff) mdpath[i]='/'; ++ /* Kludge to avoid temp string allocation */ ++ for (i=0;hapath[i];++i) if (hapath[i]==0xff) hapath[i]='/'; ++ copy_path_relative(mdpath, hapath, sizeof(mdpath)); ++ for (i=0;hapath[i];++i) if (hapath[i]=='/') hapath[i]=0xff; + return mdpath; + } + diff --git a/archivers/ha/files/patch-nix_machine.c b/archivers/ha/files/patch-nix_machine.c deleted file mode 100644 index 735343ea7fd5..000000000000 --- a/archivers/ha/files/patch-nix_machine.c +++ /dev/null @@ -1,11 +0,0 @@ ---- nix/machine.c.orig 1995-01-12 06:53:00 UTC -+++ nix/machine.c -@@ -417,7 +417,7 @@ char *md_stripname(char *mdfullpath) { - if (plainname!=NULL) free(plainname),plainname=NULL; - if ((plainname=malloc(strlen(mdfullpath)+1))==NULL) - error(1,ERR_MEM,"md_stripname()"); -- for (i=strlen(mdfullpath)-1;i>0;i--) { -+ for (i=strlen(mdfullpath)-1;i>=0;i--) { - if (mdfullpath[i]=='/') { - i++; - break;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109300228.18U2SQWq019452>