summaryrefslogtreecommitdiffstats
path: root/archivers/lha
diff options
context:
space:
mode:
authordinoex <dinoex@FreeBSD.org>2004-05-03 14:30:45 +0000
committerdinoex <dinoex@FreeBSD.org>2004-05-03 14:30:45 +0000
commita131ba25eca0e1a3e184b928ad016ed8aad5caea (patch)
tree8ee533782863173cca78502e071bb1dd46756cdd /archivers/lha
parent843aba06f9e7a0b7a43296d7e53e4696f0b154d0 (diff)
downloadFreeBSD-ports-a131ba25eca0e1a3e184b928ad016ed8aad5caea.zip
FreeBSD-ports-a131ba25eca0e1a3e184b928ad016ed8aad5caea.tar.gz
- Security Fix: two stack buffer overflows and two directory traversal flaws
patch from: Ulf Haernhammar http://lists.netsys.com/pipermail/full-disclosure/2004-May/020776.html CAN-2004-0234 CAN-2004-0235
Diffstat (limited to 'archivers/lha')
-rw-r--r--archivers/lha/files/patch-traversal75
1 files changed, 75 insertions, 0 deletions
diff --git a/archivers/lha/files/patch-traversal b/archivers/lha/files/patch-traversal
new file mode 100644
index 0000000..b4f4016
--- /dev/null
+++ b/archivers/lha/files/patch-traversal
@@ -0,0 +1,75 @@
+--- src/header.c.old 2000-10-05 19:36:03.000000000 +0200
++++ src/header.c 2004-04-17 23:55:54.000000000 +0200
+@@ -538,6 +538,10 @@
+ /*
+ * filename
+ */
++ if (header_size >= 256) {
++ fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
++ exit(109);
++ }
+ for (i = 0; i < header_size - 3; i++)
+ hdr->name[i] = (char) get_byte();
+ hdr->name[header_size - 3] = '\0';
+@@ -547,6 +551,10 @@
+ /*
+ * directory
+ */
++ if (header_size >= FILENAME_LENGTH) {
++ fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
++ exit(110);
++ }
+ for (i = 0; i < header_size - 3; i++)
+ dirname[i] = (char) get_byte();
+ dirname[header_size - 3] = '\0';
+--- src/lhext.c.old 2000-10-04 16:57:38.000000000 +0200
++++ src/lhext.c 2004-04-18 01:27:44.000000000 +0200
+@@ -190,8 +190,13 @@
+ q = (char *) rindex(hdr->name, '/') + 1;
+ }
+ else {
++ if (is_directory_traversal(q)) {
++ fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
++ exit(111);
++ }
++
+ if (*q == '/') {
+- q++;
++ while (*q == '/') { q++; }
+ /*
+ * if OSK then strip device name
+ */
+@@ -419,6 +424,33 @@
+ return;
+ }
+
++int
++is_directory_traversal(char *string)
++{
++ unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
++ char *temp;
++
++ temp = string;
++
++ while (*temp != 0) {
++ if (temp[0] == '/') {
++ if (type == 1) { return 1; }
++ type = 0;
++ temp++;
++ continue;
++ }
++
++ if ((temp[0] == '.') && (type < 2))
++ type = 1;
++ if (temp[0] != '.')
++ type = 2;
++
++ temp++;
++ } /* while */
++
++ return (type == 1);
++}
++
+ /* Local Variables: */
+ /* mode:c */
+ /* tab-width:4 */
OpenPOWER on IntegriCloud