diff options
author | dinoex <dinoex@FreeBSD.org> | 2004-05-03 14:30:45 +0000 |
---|---|---|
committer | dinoex <dinoex@FreeBSD.org> | 2004-05-03 14:30:45 +0000 |
commit | a131ba25eca0e1a3e184b928ad016ed8aad5caea (patch) | |
tree | 8ee533782863173cca78502e071bb1dd46756cdd /archivers/lha | |
parent | 843aba06f9e7a0b7a43296d7e53e4696f0b154d0 (diff) | |
download | FreeBSD-ports-a131ba25eca0e1a3e184b928ad016ed8aad5caea.zip FreeBSD-ports-a131ba25eca0e1a3e184b928ad016ed8aad5caea.tar.gz |
- Security Fix: two stack buffer overflows and two directory traversal flaws
patch from: Ulf Haernhammar
http://lists.netsys.com/pipermail/full-disclosure/2004-May/020776.html
CAN-2004-0234 CAN-2004-0235
Diffstat (limited to 'archivers/lha')
-rw-r--r-- | archivers/lha/files/patch-traversal | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/archivers/lha/files/patch-traversal b/archivers/lha/files/patch-traversal new file mode 100644 index 0000000..b4f4016 --- /dev/null +++ b/archivers/lha/files/patch-traversal @@ -0,0 +1,75 @@ +--- src/header.c.old 2000-10-05 19:36:03.000000000 +0200 ++++ src/header.c 2004-04-17 23:55:54.000000000 +0200 +@@ -538,6 +538,10 @@ + /* + * filename + */ ++ if (header_size >= 256) { ++ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n"); ++ exit(109); ++ } + for (i = 0; i < header_size - 3; i++) + hdr->name[i] = (char) get_byte(); + hdr->name[header_size - 3] = '\0'; +@@ -547,6 +551,10 @@ + /* + * directory + */ ++ if (header_size >= FILENAME_LENGTH) { ++ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n"); ++ exit(110); ++ } + for (i = 0; i < header_size - 3; i++) + dirname[i] = (char) get_byte(); + dirname[header_size - 3] = '\0'; +--- src/lhext.c.old 2000-10-04 16:57:38.000000000 +0200 ++++ src/lhext.c 2004-04-18 01:27:44.000000000 +0200 +@@ -190,8 +190,13 @@ + q = (char *) rindex(hdr->name, '/') + 1; + } + else { ++ if (is_directory_traversal(q)) { ++ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q); ++ exit(111); ++ } ++ + if (*q == '/') { +- q++; ++ while (*q == '/') { q++; } + /* + * if OSK then strip device name + */ +@@ -419,6 +424,33 @@ + return; + } + ++int ++is_directory_traversal(char *string) ++{ ++ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */ ++ char *temp; ++ ++ temp = string; ++ ++ while (*temp != 0) { ++ if (temp[0] == '/') { ++ if (type == 1) { return 1; } ++ type = 0; ++ temp++; ++ continue; ++ } ++ ++ if ((temp[0] == '.') && (type < 2)) ++ type = 1; ++ if (temp[0] != '.') ++ type = 2; ++ ++ temp++; ++ } /* while */ ++ ++ return (type == 1); ++} ++ + /* Local Variables: */ + /* mode:c */ + /* tab-width:4 */ |