diff options
Diffstat (limited to 'system/arj/patches/security-traversal-symlink.patch')
| -rw-r--r-- | system/arj/patches/security-traversal-symlink.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/system/arj/patches/security-traversal-symlink.patch b/system/arj/patches/security-traversal-symlink.patch new file mode 100644 index 0000000000..32481692b3 --- /dev/null +++ b/system/arj/patches/security-traversal-symlink.patch @@ -0,0 +1,85 @@ +Description: Fix symlink directory traversal. + Do not allow symlinks that traverse the current directoru, nor absolute + symlinks. + . + Fixes CVE-2015-0556. +Author: Guillem Jover <guillem@debian.org> +Origin: vendor +Bug-Debian: https://bugs.debian.org/774434 +Forwarded: no +Last-Update: 2015-03-28 + +--- + uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +--- a/uxspec.c ++++ b/uxspec.c +@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha + } + #endif + ++#if TARGET==UNIX ++static int is_link_traversal(const char *name) ++{ ++ enum { ++ STATE_NONE, ++ STATE_DOTS, ++ STATE_NAME, ++ } state = STATE_NONE; ++ int ndir = 0; ++ int dots = 0; ++ ++ while(*name) { ++ int c = *name++; ++ ++ if (c == '/') ++ { ++ if ((state == STATE_DOTS) && (dots == 2)) ++ ndir--; ++ if (ndir < 0) ++ return 1; ++ if ((state == STATE_DOTS && dots == 1) && ndir == 0) ++ return 1; ++ if (state == STATE_NONE && ndir == 0) ++ return 1; ++ if ((state == STATE_DOTS) && (dots > 2)) ++ ndir++; ++ state = STATE_NONE; ++ dots = 0; ++ } ++ else if (c == '.') ++ { ++ if (state == STATE_NONE) ++ state = STATE_DOTS; ++ dots++; ++ } ++ else ++ { ++ if (state == STATE_NONE) ++ ndir++; ++ state = STATE_NAME; ++ } ++ } ++ ++ if ((state == STATE_DOTS) && (dots == 2)) ++ ndir--; ++ if ((state == STATE_DOTS) && (dots > 2)) ++ ndir++; ++ ++ return ndir < 0; ++} ++#endif ++ + /* Restores the UNIX special file data */ + + int set_uxspecial(char FAR *storage, char *name) +@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha + l=sizeof(tmp_name)-1; + far_memmove((char FAR *)tmp_name, dptr, l); + tmp_name[l]='\0'; ++ if (is_link_traversal(tmp_name)) ++ return(UXSPEC_RC_ERROR); + rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name); + if(!rc) + return(0); |