wok-next diff arj/stuff/patches/CVE-2015-0556-symlink-traversal.patch @ rev 21727
created recipe for vbindiff
author | Hans-G?nter Theisgen |
---|---|
date | Sat Nov 21 14:32:44 2020 +0100 (2020-11-21) |
parents | |
children |
line diff
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/arj/stuff/patches/CVE-2015-0556-symlink-traversal.patch Sat Nov 21 14:32:44 2020 +0100 1.3 @@ -0,0 +1,85 @@ 1.4 +Description: Fix symlink directory traversal. 1.5 + Do not allow symlinks that traverse the current directoru, nor absolute 1.6 + symlinks. 1.7 + . 1.8 + Fixes CVE-2015-0556. 1.9 +Author: Guillem Jover <guillem@debian.org> 1.10 +Origin: vendor 1.11 +Bug-Debian: https://bugs.debian.org/774434 1.12 +Forwarded: no 1.13 +Last-Update: 2015-03-28 1.14 + 1.15 +--- 1.16 + uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1.17 + 1 file changed, 54 insertions(+) 1.18 + 1.19 +--- a/uxspec.c 1.20 ++++ b/uxspec.c 1.21 +@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha 1.22 + } 1.23 + #endif 1.24 + 1.25 ++#if TARGET==UNIX 1.26 ++static int is_link_traversal(const char *name) 1.27 ++{ 1.28 ++ enum { 1.29 ++ STATE_NONE, 1.30 ++ STATE_DOTS, 1.31 ++ STATE_NAME, 1.32 ++ } state = STATE_NONE; 1.33 ++ int ndir = 0; 1.34 ++ int dots = 0; 1.35 ++ 1.36 ++ while(*name) { 1.37 ++ int c = *name++; 1.38 ++ 1.39 ++ if (c == '/') 1.40 ++ { 1.41 ++ if ((state == STATE_DOTS) && (dots == 2)) 1.42 ++ ndir--; 1.43 ++ if (ndir < 0) 1.44 ++ return 1; 1.45 ++ if ((state == STATE_DOTS && dots == 1) && ndir == 0) 1.46 ++ return 1; 1.47 ++ if (state == STATE_NONE && ndir == 0) 1.48 ++ return 1; 1.49 ++ if ((state == STATE_DOTS) && (dots > 2)) 1.50 ++ ndir++; 1.51 ++ state = STATE_NONE; 1.52 ++ dots = 0; 1.53 ++ } 1.54 ++ else if (c == '.') 1.55 ++ { 1.56 ++ if (state == STATE_NONE) 1.57 ++ state = STATE_DOTS; 1.58 ++ dots++; 1.59 ++ } 1.60 ++ else 1.61 ++ { 1.62 ++ if (state == STATE_NONE) 1.63 ++ ndir++; 1.64 ++ state = STATE_NAME; 1.65 ++ } 1.66 ++ } 1.67 ++ 1.68 ++ if ((state == STATE_DOTS) && (dots == 2)) 1.69 ++ ndir--; 1.70 ++ if ((state == STATE_DOTS) && (dots > 2)) 1.71 ++ ndir++; 1.72 ++ 1.73 ++ return ndir < 0; 1.74 ++} 1.75 ++#endif 1.76 ++ 1.77 + /* Restores the UNIX special file data */ 1.78 + 1.79 + int set_uxspecial(char FAR *storage, char *name) 1.80 +@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha 1.81 + l=sizeof(tmp_name)-1; 1.82 + far_memmove((char FAR *)tmp_name, dptr, l); 1.83 + tmp_name[l]='\0'; 1.84 ++ if (is_link_traversal(tmp_name)) 1.85 ++ return(UXSPEC_RC_ERROR); 1.86 + rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name); 1.87 + if(!rc) 1.88 + return(0);