Date: Fri, 04 Jul 2003 00:36:54 +0900 (JST)
From: ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp>
To: freebsd-ports@freebsd.org
Cc: temac@yahoo.com
Subject: Re: vulnerability in unzip 5.50?
Message-ID: <20030704.003654.41648984.tsuyoshi@is.s.u-tokyo.ac.jp>
In-Reply-To: <20030701221123.27692.qmail@web14202.mail.yahoo.com>
References: <20030701221123.27692.qmail@web14202.mail.yahoo.com>

> [RHSA-2003:199-01] Updated unzip packages fix trojan vulnerability

Can anyone try the attached patch? Note that I MAKE NO WARRANTY.

Usage: Save the patch under a name like patch-unofficial and put it in /usr/ports/archivers/unzip/files directory. After that, make and reinstall unzip from the port.

Best regards,
Tsuyoshi

--- ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp> ---
--- Dept. of Computer Science, University of Tokyo. ---

--- unix/unix.c.orig Tue Jan 22 07:54:42 2002 +++ unix/unix.c Fri Jul 4 00:07:04 2003 @@ -431,6 +431,7 @@ int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */ int error = MPN_OK; register unsigned workch; /* hold the character being tested */ + int ignore_pathcomp; /*--------------------------------------------------------------------------- 
@@ -466,33 +467,34 @@ while ((workch = (uch)*cp++) != 0) { - if (quote) { /* if character quoted, */ - *pp++ = (char)workch; /* include it literally */ + if (quote) { /* if character quoted, include it literally */ + /* unless it is a slash */ + /* A slash should be converted to an underscore */ + *pp++ = (workch == '/' ? '_' : (char)workch); quote = FALSE; } else switch (workch) { case '/': /* can assume -j flag not given */ *pp = '\0'; - if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK) - > MPN_INF_TRUNC) - return error; - pp = pathcomp; /* reset conversion buffer for next piece */ - lastsemi = (char *)NULL; /* leave directory semi-colons alone */ - break; - - case '.': - if (pp == pathcomp) { /* nothing appended yet... */ - if (*cp == '/') { /* don't bother appending "./" to */ - ++cp; /* the path: skip behind the '/' */ - break; - } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') { + ignore_pathcomp = FALSE; + if (*pathcomp == '.') { + if (pathcomp[1] == '\0') { + /* don't bother appending "./" to the path */ + ignore_pathcomp = TRUE; + } + else if (pathcomp[1] == '.' && pathcomp[2] == '\0' && !uO.ddotflag) { /* "../" dir traversal detected */ - cp += 2; /* skip over behind the '/' */ + ignore_pathcomp = TRUE; killed_ddot = TRUE; /* set "show message" flag */ - break; } } - *pp++ = '.'; + if (!ignore_pathcomp) { + if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK) + > MPN_INF_TRUNC) + return error; + } + pp = pathcomp; /* reset conversion buffer for next piece */ + lastsemi = (char *)NULL; /* leave directory semi-colons alone */ break; case ';': /* VMS version (or DEC-20 attrib?) */ ----Next_Part(Fri_Jul__4_00:36:54_2003_757)----
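
Review bot: `int ignore_pathcomp;` in the first hunk (@@ -431,6 +431,7 @@) is the only declaration in that group without a trailing comment, while `killed_ddot` and `workch` next to it both carry one. Please add a short comment saying it marks a "." or ".." component that must not be handed to checkdir(), so the flag's purpose is clear without reading the `case '/':` branch that sets it.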
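
Review bot: In the second hunk (@@ -466,33 +467,34 @@) the "." / ".." test sits only inside `case '/':`, so it runs only when a component is closed by a slash; a last component with no slash after it never reaches this test, and nothing in the visible lines shows it being checked after the loop. Please confirm that the code handling the final component rejects ".." in the same way when `uO.ddotflag` is not set, or move the test into a small helper called from both places. Testing the converted component in `pathcomp`, rather than looking ahead in the raw name at `cp` as the removed `case '.':` did, is the right shape for the check, and mapping a quoted '/' to '_' closes the one path by which a slash could enter a component literally. One smaller point: with `case '.':` gone, a dot is now stored by whichever branch of the switch catches other characters, which is outside this hunk, so a one-line comment stating that dependency would help the next reader.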