Subject: bin/29040: pax-as-tar: -s does not handle invalid patterns properly
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 01/21/2005 19:46:00
>Number:         29040
>Category:       bin
>Synopsis:       pax-as-tar: -s does not handle invalid patterns properly
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 21 19:46:00 +0000 2005
>Originator:     Christian Biere
>Release:        NetBSD 2.99.11
>Environment:
System: NetBSD cyclonus 2.99.11 NetBSD 2.99.11 (STARSCREAM) #4: Fri Jan 7 14:02:19 CET 2005 bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386
>Description:

I've run tar with -version as argument and noticed that it prints parts
of the environment in the error message. I've reduced the arguments to
-sio and then single-stepped with gdb to the code in question. The code
performs a NULL pointer check instead of checking for a NUL character,
which causes invalid patterns to pass this stage. After that the pointer
points to argv[argc + 1] which is (at least here) identical to ``envp''.

>How-To-Repeat:

$ tar -sio
tar: Invalid replacement string option ioiSHELL=/bin/bash
usage: tar [-]{crtux}[-befhjlmopqvwzHLOPXZ014578] [archive] [blocksize]
           [-C directory] [-T file] [-s replstr] [file ...]

Note the "iSHELL=..." in the output above.

>Fix:

Index: pat_rep.c
===================================================================
RCS file: /cvsroot/src/bin/pax/pat_rep.c,v
retrieving revision 1.21
diff -u -u -r1.21 pat_rep.c
--- pat_rep.c	27 Oct 2003 00:12:41 -0000	1.21
+++ pat_rep.c	21 Jan 2005 19:30:48 -0000
@@ -136,7 +136,7 @@
 		if (*pt1 == *str)
 			break;
 	}
-	if (pt1 == NULL) {
+	if ('\0' == *pt1) {
 		tty_warn(1, "Invalid replacement string %s", str);
 		return(-1);
 	}
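
Review bot: the tty_warn kept as context under the changed test prints "Invalid replacement string %s", while the How-To-Repeat output reads "Invalid replacement string option ...", so the leaked environment text was printed by a different check that this hunk does not touch. With the corrected test, `tar -sio` should return -1 here before reaching that check, but any other delimiter scan in the same function that compares its pointer with NULL instead of testing for the terminating NUL needs the same change, and it is worth checking for one before committing. As a style point, the condition would read more conventionally as `*pt1 == '\0'`.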