[oe-commits] Henning Heinold : fastjar: apply fix for CVE-2010-0831
git version control
git at git.openembedded.org
Fri Jun 25 20:45:52 UTC 2010
Module: openembedded.git
Branch: org.openembedded.dev
Commit: 06cb3e1e79780fa911f57f4568c7dce95651cd25
URL: http://gitweb.openembedded.net/?p=openembedded.git&a=commit;h=06cb3e1e79780fa911f57f4568c7dce95651cd25
Author: Henning Heinold <heinold at inf.fu-berlin.de>
Date: Fri Jun 25 22:42:27 2010 +0200
fastjar: apply fix for CVE-2010-0831
* bump PR
---
recipes/fastjar/fastjar_0.98.bb | 4 +-
recipes/fastjar/files/jartool.patch | 112 +++++++++++++++++++++++++++++++++++
2 files changed, 115 insertions(+), 1 deletions(-)
diff --git a/recipes/fastjar/fastjar_0.98.bb b/recipes/fastjar/fastjar_0.98.bb
index e9be4e1..bbfb445 100644
--- a/recipes/fastjar/fastjar_0.98.bb
+++ b/recipes/fastjar/fastjar_0.98.bb
@@ -1,6 +1,8 @@
require fastjar.inc
-PR = "${INC_PR}.1"
+PR = "${INC_PR}.2"
+
+SRC_URI += "file://jartool.patch"
SRC_URI[md5sum] = "d2d264d343d4d0e1575832cc1023c3bf"
SRC_URI[sha256sum] = "f156abc5de8658f22ee8f08d7a72c88f9409ebd8c7933e9466b0842afeb2f145"
diff --git a/recipes/fastjar/files/jartool.patch b/recipes/fastjar/files/jartool.patch
new file mode 100644
index 0000000..b589b62
--- /dev/null
+++ b/recipes/fastjar/files/jartool.patch
@@ -0,0 +1,112 @@
+--- a/jartool.c 2009/09/06 22:16:00 1.59
++++ b/jartool.c 2010/06/10 11:32:48 1.62
+@@ -790,6 +790,7 @@
+ progname, jarfile);
+ return 1;
+ }
++ ze->filename[len] = '\0';
+ len = UNPACK_UB4(header, CEN_EFLEN);
+ len += UNPACK_UB4(header, CEN_COMLEN);
+ if (lseek (fd, len, SEEK_CUR) == -1)
+@@ -1257,7 +1258,7 @@
+ exit_on_error("write");
+
+ /* write the file name to the zip file */
+- if (1 == write(jfd, fname, file_name_length))
++ if (-1 == write(jfd, fname, file_name_length))
+ exit_on_error("write");
+
+ if(verbose){
+@@ -1730,7 +1731,17 @@
+ struct stat sbuf;
+ int depth = 0;
+
+- tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
++ if(*filename == '/'){
++ fprintf(stderr, "Absolute path names are not allowed.\n");
++ exit(EXIT_FAILURE);
++ }
++
++ tmp_buff = malloc(strlen((const char *)filename));
++
++ if(tmp_buff == NULL) {
++ fprintf(stderr, "Out of memory.\n");
++ exit(EXIT_FAILURE);
++ }
+
+ for(;;){
+ const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
+@@ -1738,25 +1749,28 @@
+ if(idx == NULL)
+ break;
+ else if(idx == start){
++ tmp_buff[idx - filename] = '/';
+ start++;
+ continue;
+ }
+- start = idx + 1;
+
+- strncpy(tmp_buff, (const char *)filename, (idx - filename));
+- tmp_buff[(idx - filename)] = '\0';
++ memcpy(tmp_buff + (start - filename), (const char *)start, (idx - start));
++ tmp_buff[idx - filename] = '\0';
+
+ #ifdef DEBUG
+ printf("checking the existance of %s\n", tmp_buff);
+ #endif
+- if(strcmp(tmp_buff, "..") == 0){
++ if(idx - start == 2 && memcmp(start, "..", 2) == 0){
+ --depth;
+ if (depth < 0){
+ fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+ exit(EXIT_FAILURE);
+ }
+- } else if (strcmp(tmp_buff, ".") != 0)
++ } else if (idx - start != 1 || *start != '.')
+ ++depth;
++
++ start = idx + 1;
++
+ if(stat(tmp_buff, &sbuf) < 0){
+ if(errno != ENOENT)
+ exit_on_error("stat");
+@@ -1765,6 +1779,7 @@
+ #ifdef DEBUG
+ printf("Directory exists\n");
+ #endif
++ tmp_buff[idx - filename] = '/';
+ continue;
+ }else {
+ fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n",
+@@ -1781,10 +1796,11 @@
+ if(verbose && handle)
+ printf("%10s: %s/\n", "created", tmp_buff);
+
++ tmp_buff[idx - filename] = '/';
+ }
+
+ /* only a directory */
+- if(strlen((const char *)start) == 0)
++ if(*start == '\0')
+ dir = TRUE;
+
+ #ifdef DEBUG
+@@ -1792,7 +1808,7 @@
+ #endif
+
+ /* If the entry was just a directory, don't write to file, etc */
+- if(strlen((const char *)start) == 0)
++ if(*start == '\0')
+ f_fd = -1;
+
+ free(tmp_buff);
+@@ -1876,7 +1892,8 @@
+ exit(EXIT_FAILURE);
+ }
+
+- close(f_fd);
++ if (f_fd != -1)
++ close(f_fd);
+
+ if(verbose && dir == FALSE && handle)
+ printf("%10s: %s\n",
More information about the Openembedded-commits
mailing list