Date: Fri, 04 Jul 2003 00:36:54 +0900 (JST)
Message-Id: <20030704.003654.41648984.tsuyoshi@is.s.u-tokyo.ac.jp>
To: freebsd-ports@freebsd.org
From: ITO Tsuyoshi
In-Reply-To: <20030701221123.27692.qmail@web14202.mail.yahoo.com>
Cc: temac@yahoo.com
Subject: Re: vulnerability in unzip 5.50?

> [RHSA-2003:199-01] Updated unzip packages fix trojan vulnerability

Can anyone try the attached patch? Note that I MAKE NO WARRANTY.

Usage: Save the patch under a name like patch-unofficial and put it in the /usr/ports/archivers/unzip/files directory. After that, make and reinstall unzip from the port.

Best regards,
Tsuyoshi

--- ITO Tsuyoshi ---
--- Dept. of Computer Science, University of Tokyo. ---

Content-Disposition: inline; filename=patch-unofficial

--- unix/unix.c.orig Tue Jan 22 07:54:42 2002 +++ unix/unix.c Fri Jul 4 00:07:04 2003 @@ -431,6 +431,7 @@ int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */ int error = MPN_OK; register unsigned workch; /* hold the character being tested */ + int ignore_pathcomp; /*--------------------------------------------------------------------------- 
@@ -466,33 +467,34 @@ while ((workch = (uch)*cp++) != 0) { - if (quote) { /* if character quoted, */ - *pp++ = (char)workch; /* include it literally */ + if (quote) { /* if character quoted, include it literally */ + /* unless it is a slash */ + /* A slash should be converted to an underscore */ + *pp++ = (workch == '/' ? '_' : (char)workch); quote = FALSE; } else switch (workch) { case '/': /* can assume -j flag not given */ *pp = '\0'; - if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK) - > MPN_INF_TRUNC) - return error; - pp = pathcomp; /* reset conversion buffer for next piece */ - lastsemi = (char *)NULL; /* leave directory semi-colons alone */ - break; - - case '.': - if (pp == pathcomp) { /* nothing appended yet... */ - if (*cp == '/') { /* don't bother appending "./" to */ - ++cp; /* the path: skip behind the '/' */ - break; - } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') { + ignore_pathcomp = FALSE; + if (*pathcomp == '.') { + if (pathcomp[1] == '\0') { + /* don't bother appending "./" to the path */ + ignore_pathcomp = TRUE; + } + else if (pathcomp[1] == '.' && pathcomp[2] == '\0' && !uO.ddotflag) { /* "../" dir traversal detected */ - cp += 2; /* skip over behind the '/' */ + ignore_pathcomp = TRUE; killed_ddot = TRUE; /* set "show message" flag */ - break; } } - *pp++ = '.'; + if (!ignore_pathcomp) { + if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK) + > MPN_INF_TRUNC) + return error; + } + pp = pathcomp; /* reset conversion buffer for next piece */ + lastsemi = (char *)NULL; /* leave directory semi-colons alone */ break; case ';': /* VMS version (or DEC-20 attrib?) */ ----Next_Part(Fri_Jul__4_00:36:54_2003_757)----
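
Review bot: in the first hunk (@@ -431,6 +431,7 @@), `int ignore_pathcomp;` is added at function scope with no initializer and no comment, unlike the declarations next to it, and the only assignments visible in the patch are inside `case '/':` in the second hunk. Either declare it in a block inside that case, or give it a `= FALSE` initializer and a short comment here, so that a later read outside that branch cannot pick up an indeterminate value.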
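
Review bot: in the second hunk (@@ -466,33 +467,34 @@), the "." and ".." test in `case '/':` runs on the assembled `pathcomp` only when a '/' terminates the component, so the last component of the name, which ends at the NUL that stops the `while` loop, never reaches it. Please confirm that the code after the loop handles a final ".." the same way, or move the test into a small helper called from both places. Checking the finished component rather than the raw input at `cp` is the right direction, since it also covers components built through the `quote` branch, but with `case '.':` removed a '.' must now be stored by a branch this hunk does not show; please verify that branch appends it unchanged. The quoted '/' to '_' substitution is silent; a comment or a warning flag similar to `killed_ddot` would tell the user the extracted name differs from the archive entry.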