This commit is contained in:
Jakub Jelinek 2010-06-11 08:22:29 +00:00
parent fd1b3bc669
commit 52e0713736
6 changed files with 135 additions and 5 deletions

View File

@ -1,2 +1,2 @@
fastjar-0.97.tar.gz
gcc-4.4.4-20100608.tar.bz2
gcc-4.4.4-20100611.tar.bz2

View File

@ -0,0 +1,14 @@
2010-03-01 Richard Guenther <rguenther@suse.de>
* jartool.c (read_entries): Properly zero-terminate filename.
--- fastjar-0.97/jartool.c 6 Sep 2009 22:16:00 -0000 1.59
+++ fastjar-0.97/jartool.c 1 Mar 2010 15:38:43 -0000 1.60
@@ -790,6 +790,7 @@ int read_entries (int fd)
progname, jarfile);
return 1;
}
+ ze->filename[len] = '\0';
len = UNPACK_UB4(header, CEN_EFLEN);
len += UNPACK_UB4(header, CEN_COMLEN);
if (lseek (fd, len, SEEK_CUR) == -1)

102
fastjar-CVE-2010-0831.patch Normal file
View File

@ -0,0 +1,102 @@
2010-06-10 Jakub Jelinek <jakub@redhat.com>
Dan Rosenberg <dan.j.rosenberg@gmail.com>
* jartool.c (extract_jar): Fix up checks for traversal to parent
directories, disallow absolute paths, make the code slightly more
efficient.
--- fastjar-0.97/jartool.c.jj 2009-09-07 00:10:47.000000000 +0200
+++ fastjar-0.97/jartool.c 2010-06-08 20:00:29.000000000 +0200
@@ -1730,7 +1730,17 @@ int extract_jar(int fd, const char **fil
struct stat sbuf;
int depth = 0;
- tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
+ if(*filename == '/'){
+ fprintf(stderr, "Absolute path names are not allowed.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ tmp_buff = malloc(strlen((const char *)filename));
+
+ if(tmp_buff == NULL) {
+ fprintf(stderr, "Out of memory.\n");
+ exit(EXIT_FAILURE);
+ }
for(;;){
const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
@@ -1738,25 +1748,28 @@ int extract_jar(int fd, const char **fil
if(idx == NULL)
break;
else if(idx == start){
+ tmp_buff[idx - filename] = '/';
start++;
continue;
}
- start = idx + 1;
- strncpy(tmp_buff, (const char *)filename, (idx - filename));
- tmp_buff[(idx - filename)] = '\0';
+ memcpy(tmp_buff + (start - filename), (const char *)start, (idx - start));
+ tmp_buff[idx - filename] = '\0';
#ifdef DEBUG
printf("checking the existance of %s\n", tmp_buff);
#endif
- if(strcmp(tmp_buff, "..") == 0){
+ if(idx - start == 2 && memcmp(start, "..", 2) == 0){
--depth;
if (depth < 0){
fprintf(stderr, "Traversal to parent directories during unpacking!\n");
exit(EXIT_FAILURE);
}
- } else if (strcmp(tmp_buff, ".") != 0)
+ } else if (idx - start != 1 || *start != '.')
++depth;
+
+ start = idx + 1;
+
if(stat(tmp_buff, &sbuf) < 0){
if(errno != ENOENT)
exit_on_error("stat");
@@ -1765,6 +1778,7 @@ int extract_jar(int fd, const char **fil
#ifdef DEBUG
printf("Directory exists\n");
#endif
+ tmp_buff[idx - filename] = '/';
continue;
}else {
fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n",
@@ -1781,10 +1795,11 @@ int extract_jar(int fd, const char **fil
if(verbose && handle)
printf("%10s: %s/\n", "created", tmp_buff);
+ tmp_buff[idx - filename] = '/';
}
/* only a directory */
- if(strlen((const char *)start) == 0)
+ if(*start == '\0')
dir = TRUE;
#ifdef DEBUG
@@ -1792,7 +1807,7 @@ int extract_jar(int fd, const char **fil
#endif
/* If the entry was just a directory, don't write to file, etc */
- if(strlen((const char *)start) == 0)
+ if(*start == '\0')
f_fd = -1;
free(tmp_buff);
@@ -1876,7 +1891,8 @@ int extract_jar(int fd, const char **fil
exit(EXIT_FAILURE);
}
- close(f_fd);
+ if (f_fd != -1)
+ close(f_fd);
if(verbose && dir == FALSE && handle)
printf("%10s: %s\n",

View File

@ -1,9 +1,9 @@
%global DATE 20100608
%global SVNREV 160426
%global DATE 20100611
%global SVNREV 160596
%global gcc_version 4.4.4
# Note, gcc_release must be integer, if you want to add suffixes to
# %{release}, append them after %{gcc_release} on Release: line.
%global gcc_release 7
%global gcc_release 8
%global _unpackaged_files_terminate_build 0
%global multilib_64_archs sparc64 ppc64 s390x x86_64
%if 0%{?fedora} >= 13 || 0%{?rhel} >= 6
@ -178,6 +178,8 @@ Patch20: gcc44-no-add-needed.patch
Patch1000: fastjar-0.97-segfault.patch
Patch1001: fastjar-0.97-len1.patch
Patch1002: fastjar-0.97-filename0.patch
Patch1003: fastjar-CVE-2010-0831.patch
# On ARM EABI systems, we do want -gnueabi to be part of the
# target triple.
@ -519,6 +521,8 @@ tar xzf %{SOURCE4}
%patch1000 -p0 -b .fastjar-0.97-segfault~
%patch1001 -p0 -b .fastjar-0.97-len1~
%patch1002 -p0 -b .fastjar-0.97-filename0~
%patch1003 -p0 -b .fastjar-CVE-2010-0831~
%if %{bootstrap_java}
tar xjf %{SOURCE10}
@ -1994,6 +1998,15 @@ fi
%endif
%changelog
* Fri Jun 11 2010 Jakub Jelinek <jakub@redhat.com> 4.4.4-8
- update from gcc-4_4-branch
- fix demangler (PR other/43838)
- VTA backports
- further var-tracking speedup (#598310, PR debug/41371)
- for typedefs in non-template classes adjust underlying type to
emit proper debug info (#601893)
- fix up fastjar directory traversal bugs (CVE-2010-0831)
* Tue Jun 8 2010 Jakub Jelinek <jakub@redhat.com> 4.4.4-7
- update from gcc-4_4-branch
- PRs c++/43555, fortran/42900, fortran/44360, libfortran/41169,

View File

@ -19,3 +19,4 @@ gcc-4_4_4-3_fc14:HEAD:gcc-4.4.4-3.fc14.src.rpm:1273873902
gcc-4_4_4-4_fc14:HEAD:gcc-4.4.4-4.fc14.src.rpm:1274217418
gcc-4_4_4-5_fc14:HEAD:gcc-4.4.4-5.fc14.src.rpm:1274827803
gcc-4_4_4-7_fc14:HEAD:gcc-4.4.4-7.fc14.src.rpm:1275991256
gcc-4_4_4-8_fc14:HEAD:gcc-4.4.4-8.fc14.src.rpm:1276244517

View File

@ -1,2 +1,2 @@
2659f09c2e43ef8b7d4406321753f1b2 fastjar-0.97.tar.gz
e1a2819e9a9daad24662476f4a29d704 gcc-4.4.4-20100608.tar.bz2
a896e6090fb9f4ef74a8b292fda42af4 gcc-4.4.4-20100611.tar.bz2