authorDirk Meyer <dinoex@FreeBSD.org>2004-05-03 14:30:45 +0000
committerDirk Meyer <dinoex@FreeBSD.org>2004-05-03 14:30:45 +0000
commitfbfcd157fbe70b6d3a548161dfba40bf877b4450 (patch)
tree427c41d6dbdcbfc1b6077eaff4f4e3a336e410b8 /archivers/lha
parentf75ab7e2f316ee89cc0a1b00bc4068b97b8910ee (diff)
- Security Fix: two stack buffer overflows and two directory traversal flaws
patch from: Ulf Haernhammar http://lists.netsys.com/pipermail/full-disclosure/2004-May/020776.html CAN-2004-0234 CAN-2004-0235
Notes
Notes: svn path=/head/; revision=108269
Diffstat (limited to 'archivers/lha')
-rw-r--r--archivers/lha/files/patch-traversal75
1 files changed, 75 insertions, 0 deletions
diff --git a/archivers/lha/files/patch-traversal b/archivers/lha/files/patch-traversal
new file mode 100644
index 000000000000..b4f40163a435
--- /dev/null
+++ b/archivers/lha/files/patch-traversal
@@ -0,0 +1,75 @@
+--- src/header.c.old 2000-10-05 19:36:03.000000000 +0200
++++ src/header.c 2004-04-17 23:55:54.000000000 +0200
+@@ -538,6 +538,10 @@
+ /*
+ * filename
+ */
++ if (header_size >= 256) {
++ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
++ exit(109);
++ }
+ for (i = 0; i < header_size - 3; i++)
+ hdr->name[i] = (char) get_byte();
+ hdr->name[header_size - 3] = '\0';
+@@ -547,6 +551,10 @@
+ /*
+ * directory
+ */
++ if (header_size >= FILENAME_LENGTH) {
++ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
++ exit(110);
++ }
+ for (i = 0; i < header_size - 3; i++)
+ dirname[i] = (char) get_byte();
+ dirname[header_size - 3] = '\0';
+--- src/lhext.c.old 2000-10-04 16:57:38.000000000 +0200
++++ src/lhext.c 2004-04-18 01:27:44.000000000 +0200
+@@ -190,8 +190,13 @@
+ q = (char *) rindex(hdr->name, '/') + 1;
+ }
+ else {
++ if (is_directory_traversal(q)) {
++ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
++ exit(111);
++ }
++
+ if (*q == '/') {
+- q++;
++ while (*q == '/') { q++; }
+ /*
+ * if OSK then strip device name
+ */
+@@ -419,6 +424,33 @@
+ return;
+ }
+
++int
++is_directory_traversal(char *string)
++{
++ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
++ char *temp;
++
++ temp = string;
++
++ while (*temp != 0) {
++ if (temp[0] == '/') {
++ if (type == 1) { return 1; }
++ type = 0;
++ temp++;
++ continue;
++ }
++
++ if ((temp[0] == '.') && (type < 2))
++ type = 1;
++ if (temp[0] != '.')
++ type = 2;
++
++ temp++;
++ } /* while */
++
++ return (type == 1);
++}
++
+ /* Local Variables: */
+ /* mode:c */
+ /* tab-width:4 */
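Review bot: Both guards added in the embedded src/header.c patch bound `header_size` only from above, so a value below 3 still reaches `hdr->name[header_size - 3] = '\0';` and `dirname[header_size - 3] = '\0';` with a negative index (or a wrapped one if the variable is unsigned). The declaration of `header_size` and the enclosing function are outside the hunk, so this should be confirmed, but checking the lower bound as well closes it: `if (header_size < 3 || header_size >= 256) {` and `if (header_size < 3 || header_size >= FILENAME_LENGTH) {`. The literal 256 presumably mirrors the size of `hdr->name`; if that is an array, `sizeof(hdr->name)` would keep the check tied to the buffer. In the src/lhext.c part, `is_directory_traversal()` is called around line 190 but defined around line 424 with no prototype visible in these hunks, so a declaration such as `static int is_directory_traversal(const char *string);` ahead of the first use would avoid relying on an implicit declaration.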