4.4.4-8

.cvsignore

@@ -1,2 +1,2 @@
 fastjar-0.97.tar.gz
-gcc-4.4.4-20100608.tar.bz2
+gcc-4.4.4-20100611.tar.bz2

fastjar-0.97-filename0.patch

@@ -0,0 +1,14 @@
+2010-03-01  Richard Guenther  <rguenther@suse.de>
+
+	* jartool.c (read_entries): Properly zero-terminate filename.
+
+--- fastjar-0.97/jartool.c	6 Sep 2009 22:16:00 -0000	1.59
++++ fastjar-0.97/jartool.c	1 Mar 2010 15:38:43 -0000	1.60
+@@ -790,6 +790,7 @@ int read_entries (int fd)
+ 		   progname, jarfile);
+ 	  return 1;
+ 	}
++      ze->filename[len] = '\0';
+       len = UNPACK_UB4(header, CEN_EFLEN);
+       len += UNPACK_UB4(header, CEN_COMLEN);
+       if (lseek (fd, len, SEEK_CUR) == -1)

fastjar-CVE-2010-0831.patch

@@ -0,0 +1,102 @@
+2010-06-10  Jakub Jelinek  <jakub@redhat.com>
+	    Dan Rosenberg  <dan.j.rosenberg@gmail.com>
+
+	* jartool.c (extract_jar): Fix up checks for traversal to parent
+	directories, disallow absolute paths, make the code slightly more
+	efficient.
+
+--- fastjar-0.97/jartool.c.jj	2009-09-07 00:10:47.000000000 +0200
++++ fastjar-0.97/jartool.c	2010-06-08 20:00:29.000000000 +0200
+@@ -1730,7 +1730,17 @@ int extract_jar(int fd, const char **fil
+       struct stat sbuf;
+       int depth = 0;
+ 
+-      tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
++      if(*filename == '/'){
++	fprintf(stderr, "Absolute path names are not allowed.\n");
++	exit(EXIT_FAILURE);
++      }
++
++      tmp_buff = malloc(strlen((const char *)filename));
++
++      if(tmp_buff == NULL) {
++	fprintf(stderr, "Out of memory.\n");
++	exit(EXIT_FAILURE);
++      }
+ 
+       for(;;){
+         const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
+@@ -1738,25 +1748,28 @@ int extract_jar(int fd, const char **fil
+         if(idx == NULL)
+           break;
+         else if(idx == start){
++	  tmp_buff[idx - filename] = '/';
+           start++;
+           continue;
+         }
+-        start = idx + 1;
+ 
+-        strncpy(tmp_buff, (const char *)filename, (idx - filename));
+-        tmp_buff[(idx - filename)] = '\0';
++	memcpy(tmp_buff + (start - filename), (const char *)start, (idx - start));
++	tmp_buff[idx - filename] = '\0';
+ 
+ #ifdef DEBUG    
+         printf("checking the existance of %s\n", tmp_buff);
+ #endif
+-	if(strcmp(tmp_buff, "..") == 0){
++	if(idx - start == 2 && memcmp(start, "..", 2) == 0){
+ 	  --depth;
+ 	  if (depth < 0){
+ 	    fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+ 	    exit(EXIT_FAILURE);
+ 	  }
+-	} else if (strcmp(tmp_buff, ".") != 0)
++	} else if (idx - start != 1 || *start != '.')
+ 	  ++depth;
++
++        start = idx + 1;
++
+         if(stat(tmp_buff, &sbuf) < 0){
+           if(errno != ENOENT)
+             exit_on_error("stat");
+@@ -1765,6 +1778,7 @@ int extract_jar(int fd, const char **fil
+ #ifdef DEBUG    
+           printf("Directory exists\n");
+ #endif
++	  tmp_buff[idx - filename] = '/';
+           continue;
+         }else {
+           fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n",
+@@ -1781,10 +1795,11 @@ int extract_jar(int fd, const char **fil
+         if(verbose && handle)
+           printf("%10s: %s/\n", "created", tmp_buff);
+ 
++	tmp_buff[idx - filename] = '/';
+       }
+ 
+       /* only a directory */
+-      if(strlen((const char *)start) == 0)
++      if(*start == '\0')
+         dir = TRUE;
+ 
+ #ifdef DEBUG    
+@@ -1792,7 +1807,7 @@ int extract_jar(int fd, const char **fil
+ #endif
+ 
+       /* If the entry was just a directory, don't write to file, etc */
+-      if(strlen((const char *)start) == 0)
++      if(*start == '\0')
+         f_fd = -1;
+ 
+       free(tmp_buff);
+@@ -1876,7 +1891,8 @@ int extract_jar(int fd, const char **fil
+       exit(EXIT_FAILURE);
+     }
+ 
+-    close(f_fd);
++    if (f_fd != -1)
++      close(f_fd);
+ 
+     if(verbose && dir == FALSE && handle)
+       printf("%10s: %s\n",

gcc.spec

@@ -1,9 +1,9 @@
-%global DATE 20100608
-%global SVNREV 160426
+%global DATE 20100611
+%global SVNREV 160596
 %global gcc_version 4.4.4
 # Note, gcc_release must be integer, if you want to add suffixes to
 # %{release}, append them after %{gcc_release} on Release: line.
-%global gcc_release 7
+%global gcc_release 8
 %global _unpackaged_files_terminate_build 0
 %global multilib_64_archs sparc64 ppc64 s390x x86_64
 %if 0%{?fedora} >= 13 || 0%{?rhel} >= 6
@@ -178,6 +178,8 @@ Patch20: gcc44-no-add-needed.patch
 
 Patch1000: fastjar-0.97-segfault.patch
 Patch1001: fastjar-0.97-len1.patch
+Patch1002: fastjar-0.97-filename0.patch
+Patch1003: fastjar-CVE-2010-0831.patch
 
 # On ARM EABI systems, we do want -gnueabi to be part of the
 # target triple.
@@ -519,6 +521,8 @@ tar xzf %{SOURCE4}
 
 %patch1000 -p0 -b .fastjar-0.97-segfault~
 %patch1001 -p0 -b .fastjar-0.97-len1~
+%patch1002 -p0 -b .fastjar-0.97-filename0~
+%patch1003 -p0 -b .fastjar-CVE-2010-0831~
 
 %if %{bootstrap_java}
 tar xjf %{SOURCE10}
@@ -1994,6 +1998,15 @@ fi
 %endif
 
 %changelog
+* Fri Jun 11 2010 Jakub Jelinek <jakub@redhat.com> 4.4.4-8
+- update from gcc-4_4-branch
+  - fix demangler (PR other/43838)
+- VTA backports
+  - further var-tracking speedup (#598310, PR debug/41371)
+- for typedefs in non-template classes adjust underlying type to
+  emit proper debug info (#601893)
+- fix up fastjar directory traversal bugs (CVE-2010-0831)
+
 * Tue Jun  8 2010 Jakub Jelinek <jakub@redhat.com> 4.4.4-7
 - update from gcc-4_4-branch
   - PRs c++/43555, fortran/42900, fortran/44360, libfortran/41169,

import.log

@@ -25,3 +25,4 @@ gcc-4_4_4-3_fc13:F-13:gcc-4.4.4-3.fc13.src.rpm:1273873717
 gcc-4_4_4-4_fc13:F-13:gcc-4.4.4-4.fc13.src.rpm:1274217265
 gcc-4_4_4-5_fc13:F-13:gcc-4.4.4-5.fc13.src.rpm:1274827909
 gcc-4_4_4-7_fc13:F-13:gcc-4.4.4-7.fc13.src.rpm:1275991168
+gcc-4_4_4-8_fc13:F-13:gcc-4.4.4-8.fc13.src.rpm:1276244305

sources

@@ -1,2 +1,2 @@
 2659f09c2e43ef8b7d4406321753f1b2  fastjar-0.97.tar.gz
-e1a2819e9a9daad24662476f4a29d704  gcc-4.4.4-20100608.tar.bz2
+a896e6090fb9f4ef74a8b292fda42af4  gcc-4.4.4-20100611.tar.bz2