Date:      Fri, 04 Jul 2003 00:36:54 +0900 (JST)
From:      ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp>
To:        freebsd-ports@freebsd.org
Cc:        temac@yahoo.com
Subject:   Re: vulnerability in unzip 5.50?
Message-ID:  <20030704.003654.41648984.tsuyoshi@is.s.u-tokyo.ac.jp>
In-Reply-To: <20030701221123.27692.qmail@web14202.mail.yahoo.com>
References:  <20030701221123.27692.qmail@web14202.mail.yahoo.com>

----Next_Part(Fri_Jul__4_00:36:54_2003_757)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

> [RHSA-2003:199-01] Updated unzip packages fix trojan vulnerability

Can anyone try the attached patch?  Note that I MAKE NO WARRANTY.

Usage: Save the patch under a name like patch-unofficial and put it in
       /usr/ports/archivers/unzip/files directory.  After that,
       make and reinstall unzip from the port.

Best regards,
Tsuyoshi

---   ITO Tsuyoshi  <tsuyoshi@is.s.u-tokyo.ac.jp>   ---
--- Dept. of Computer Science, University of Tokyo. ---

----Next_Part(Fri_Jul__4_00:36:54_2003_757)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename=patch-unofficial

--- unix/unix.c.orig	Tue Jan 22 07:54:42 2002
+++ unix/unix.c	Fri Jul  4 00:07:04 2003
@@ -431,6 +431,7 @@
     int killed_ddot = FALSE;       /* is set when skipping "../" pathcomp */
     int error = MPN_OK;
     register unsigned workch;      /* hold the character being tested */
+    int ignore_pathcomp;
 
 
 /*---------------------------------------------------------------------------
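
Review bot: The new `int ignore_pathcomp;` at the end of the declaration block is left uninitialised and has no trailing comment, while `killed_ddot` and `error` directly above it have both. Suggest `int ignore_pathcomp = FALSE;` with a short comment such as `/* set when a "." or ".." pathcomp is dropped */` so it matches its neighbours.
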
@@ -466,33 +467,34 @@
 
     while ((workch = (uch)*cp++) != 0) {
 
-        if (quote) {                 /* if character quoted, */
-            *pp++ = (char)workch;    /*  include it literally */
+        if (quote) {  /* if character quoted, include it literally */
+                      /* unless it is a slash */
+                      /* A slash should be converted to an underscore */
+            *pp++ = (workch == '/' ? '_' : (char)workch);
             quote = FALSE;
         } else
             switch (workch) {
             case '/':             /* can assume -j flag not given */
                 *pp = '\0';
-                if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK)
-                     > MPN_INF_TRUNC)
-                    return error;
-                pp = pathcomp;    /* reset conversion buffer for next piece */
-                lastsemi = (char *)NULL; /* leave directory semi-colons alone */
-                break;
-
-            case '.':
-                if (pp == pathcomp) {   /* nothing appended yet... */
-                    if (*cp == '/') {   /* don't bother appending "./" to */
-                        ++cp;           /*  the path: skip behind the '/' */
-                        break;
-                    } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
+                ignore_pathcomp = FALSE;
+                if (*pathcomp == '.') {
+                    if (pathcomp[1] == '\0') {
+                        /* don't bother appending "./" to the path */
+                        ignore_pathcomp = TRUE;
+                    }
+                    else if (pathcomp[1] == '.' && pathcomp[2] == '\0' && !uO.ddotflag) {
                         /* "../" dir traversal detected */
-                        cp += 2;        /*  skip over behind the '/' */
+                        ignore_pathcomp = TRUE;
                         killed_ddot = TRUE; /*  set "show message" flag */
-                        break;
                     }
                 }
-                *pp++ = '.';
+                if (!ignore_pathcomp) {
+                    if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK)
+                        > MPN_INF_TRUNC)
+                        return error;
+                }
+                pp = pathcomp;    /* reset conversion buffer for next piece */
+                lastsemi = (char *)NULL; /* leave directory semi-colons alone */
                 break;
 
             case ';':             /* VMS version (or DEC-20 attrib?) */
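
Review bot: In the `if (quote)` branch a quoted '/' is rewritten to '_' without setting any flag, whereas the ".." case further down sets `killed_ddot` so that a message can be shown; consider recording the substitution the same way so the user learns that the stored name was altered. In `case '/':` the "." and ".." tests now read `pathcomp` instead of looking ahead at `*cp` and `cp[1]`, and a one-line comment stating that the test is meant to run on the converted component would make that intent clear to later maintainers. The `else if (pathcomp[1] == '.' && ...` line also runs well past 80 columns and could be wrapped.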

----Next_Part(Fri_Jul__4_00:36:54_2003_757)----


