

[pkgsrc/pkgsrc-2004Q4]: pkgsrc/archivers/unace Pullup ticket 323 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c8006f36d89c
branches:  pkgsrc-2004Q4
changeset: 485945:c8006f36d89c
user:      snj <snj%pkgsrc.org@localhost>
date:      Tue Mar 01 20:32:37 2005 +0000

description:
Pullup ticket 323 - requested by Thomas Klausner
security fix for unace

Revisions pulled up:
- pkgsrc/archivers/unace/Makefile               1.14
- pkgsrc/archivers/unace/distinfo               1.6
- pkgsrc/archivers/unace/patches/patch-ad       1.2
- pkgsrc/archivers/unace/patches/patch-ae       1.1
- pkgsrc/archivers/unace/patches/patch-af       1.1


    Module Name:    pkgsrc
    Committed By:   wiz
    Date:           Tue Mar  1 14:53:41 UTC 2005

    Modified Files:
            pkgsrc/archivers/unace: Makefile distinfo
            pkgsrc/archivers/unace/patches: patch-ad
    Added Files:
            pkgsrc/archivers/unace/patches: patch-ae patch-af

    Log Message:
    Apply fix for CAN-2005-0160 and CAN-2005-0161.
    Bump PKGREVISION.

diffstat:

 archivers/unace/Makefile         |   3 +-
 archivers/unace/distinfo         |   6 +-
 archivers/unace/patches/patch-ad |  69 ++++++++++++++++++++++++++--
 archivers/unace/patches/patch-ae |  97 ++++++++++++++++++++++++++++++++++++++++
 archivers/unace/patches/patch-af |  13 +++++
 5 files changed, 180 insertions(+), 8 deletions(-)

diffs (236 lines):

diff -r 854983188b62 -r c8006f36d89c archivers/unace/Makefile
--- a/archivers/unace/Makefile  Tue Mar 01 12:47:06 2005 +0000
+++ b/archivers/unace/Makefile  Tue Mar 01 20:32:37 2005 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.13 2004/12/03 15:14:51 wiz Exp $
+# $NetBSD: Makefile,v 1.13.2.1 2005/03/01 20:32:37 snj Exp $
 #
 
 DISTNAME=      unace-1.2b
 PKGNAME=       unace-1.2.2
+PKGREVISION=   1
 CATEGORIES=    archivers
 MASTER_SITES=  ${MASTER_SITE_SUNSITE:=utils/compress/}
 
diff -r 854983188b62 -r c8006f36d89c archivers/unace/distinfo
--- a/archivers/unace/distinfo  Tue Mar 01 12:47:06 2005 +0000
+++ b/archivers/unace/distinfo  Tue Mar 01 20:32:37 2005 +0000
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.4 2001/10/31 14:44:42 tv Exp $
+$NetBSD: distinfo,v 1.4.18.1 2005/03/01 20:32:37 snj Exp $
 
 SHA1 (unace-1.2b.tar.gz) = 7a0cc01105551a84f15897b75749dd9bb2a26184
 Size (unace-1.2b.tar.gz) = 43423 bytes
 SHA1 (patch-aa) = bba4226db32be4f0e2217aad6ae38dabf9038ed1
 SHA1 (patch-ab) = f450aa34f650525ae36d90609393990ed650766a
 SHA1 (patch-ac) = bdf7ef7e3cd0e531ca88f465b2c3fc5b55dbfb03
-SHA1 (patch-ad) = 4e9b0a0bbcf6c673f7847048b015e0c488c52b0f
+SHA1 (patch-ad) = 5184341ef9a79564232ae3014e54d200b1e6d72d
+SHA1 (patch-ae) = 4cdce637e1df11d3909f3e7ed18d7846c074d1be
+SHA1 (patch-af) = 6f229e92b2f42b269115166cc5d9b898deaeca88
diff -r 854983188b62 -r c8006f36d89c archivers/unace/patches/patch-ad
--- a/archivers/unace/patches/patch-ad  Tue Mar 01 12:47:06 2005 +0000
+++ b/archivers/unace/patches/patch-ad  Tue Mar 01 20:32:37 2005 +0000
@@ -1,8 +1,57 @@
-$NetBSD: patch-ad,v 1.1 2001/10/31 14:44:43 tv Exp $
+$NetBSD: patch-ad,v 1.1.18.1 2005/03/01 20:32:38 snj Exp $
 
---- unace.c.orig       Mon Oct  8 10:49:26 2001
-+++ unace.c    Mon Oct  8 10:50:15 2001
-@@ -512,7 +512,7 @@
+--- unace.c.orig       1998-07-01 10:29:00.000000000 +0200
++++ unace.c
+@@ -240,6 +240,7 @@ INT read_arc_head(void)         // searc
+ INT  open_archive(INT print_err)        // opens archive (or volume)
+ {
+    CHAR av_str[80];
++   unsigned int copylen;
+ 
+    archan = open(aname, O_RDONLY | O_BINARY);   // open file
+ 
+@@ -263,8 +264,11 @@ INT  open_archive(INT print_err)        
+       sprintf(av_str, "\ncreated on %d.%d.%d by ",
+               ts_day(adat.time_cr), ts_month(adat.time_cr), ts_year(adat.time_cr));
+       printf(av_str);
+-      strncpy(av_str, mhead.AV, mhead.AV_SIZE);
+-      av_str[mhead.AV_SIZE] = 0;
++      copylen = mhead.AV_SIZE;
++      if (copylen > 79)
++        copylen = 79;
++      strncpy(av_str, mhead.AV, copylen);
++      av_str[copylen] = 0;
+       printf("%s\n\n", av_str);
+    }
+    comment_out("Main comment:");        // print main comment
+@@ -300,7 +304,7 @@ void get_next_volname(void)             
+ INT  proc_vol(void)                     // opens volume
+ {
+    INT  i;
+-   CHAR s[80];
++   CHAR s[PATH_MAX + 80];
+ 
+    // if f_allvol_pr is 2 we have -y and should never ask
+    if ((!fileexists_insense(aname) && f_allvol_pr != 2) || !f_allvol_pr)
+@@ -428,7 +432,7 @@ void extract_files(int nopath, int test)
+       if (head.HEAD_TYPE == FILE_BLK)
+       {
+          comment_out("File comment:");   // show file comment
+-         ace_fname(file, &head, nopath); // get file name
++         ace_fname(file, &head, nopath, sizeof(file)); // get file name
+          printf("\n%s", file);
+          flush;
+          dcpr_init_file();               // initialize decompression of file
+@@ -496,7 +500,7 @@ void list_files(int verbose)
+       if (head.HEAD_TYPE == FILE_BLK)
+       {
+          ULONG ti=fhead.FTIME;
+-         ace_fname(file, &head, verbose ? 0 : 1); // get file name
++         ace_fname(file, &head, verbose ? 0 : 1, sizeof(file)); // get file name
+ 
+          size  += fhead.SIZE;
+          psize +=
+@@ -512,7 +516,7 @@ void list_files(int verbose)
              tpsize+= fhead.PSIZE;
           }
           if (!f_err)
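Review bot: The clamp in open_archive hard-codes 79 while av_str is declared as `CHAR av_str[80]` a few lines above; tie the two together with `if (copylen > sizeof(av_str) - 1) copylen = sizeof(av_str) - 1;` so a later resize of av_str cannot silently reopen the overflow. The clamp only protects the destination: strncpy still reads copylen bytes from mhead.AV, so this is safe only if the AV field in the header struct (acestruc.h, not in this diff) is at least 79 bytes — worth confirming, or additionally clamping to sizeof(mhead.AV). The new `sizeof(file)` arguments passed to ace_fname are correct only if `file` is a local array in extract_files and list_files rather than a pointer; its declaration is not visible in the hunk. open_archive, proc_vol, extract_files and list_files all begin or end outside this hunk.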
@@ -11,7 +60,7 @@
                     ts_day (ti), ts_month(ti), ts_year(ti)%100,
                     ts_hour(ti), ts_min  (ti),
                     fhead.HEAD_FLAGS & ACE_SP_BEF   ? '<' : ' ',
-@@ -525,7 +525,7 @@
+@@ -525,7 +529,7 @@ void list_files(int verbose)
     }
     if (!f_err)
     {
@@ -20,3 +69,13 @@
               psize,
               size,
               percentage(psize, size),
+@@ -588,7 +592,8 @@ int main(INT argc, CHAR * argv[])       
+ 
+       init_unace();                              // initialize unace
+ 
+-      strcpy(aname, argv[arg_cnt]);              // get archive name
++      strncpy(aname, argv[arg_cnt], sizeof(aname) - 4);  // get archive name
++      aname[sizeof(aname) - 5] = '\0';
+       if (!(s = (CHAR *) strrchr(aname, DIRSEP)))
+          s = aname;
+       if (!strrchr(s, '.'))
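Review bot: The two bounds in the archive-name copy disagree by one: strncpy is limited to `sizeof(aname) - 4` bytes but the terminator is written at index `sizeof(aname) - 5`, so the last copied byte is always discarded and the effective limit is sizeof(aname) - 5 characters. Presumably the spare bytes are reserved for an extension appended when the basename has no '.', which happens below the hunk; make that explicit and consistent, e.g. `strncpy(aname, argv[arg_cnt], sizeof(aname) - 5); /* reserve room for an appended extension + NUL */` with the terminator line unchanged, or better derive the reservation from the extension string's length. Silently truncating the name means an over-long argument opens a different file than the one the user named; rejecting with an error when `strlen(argv[arg_cnt]) > sizeof(aname) - 5` is the safer behaviour for a tool that then writes files. This also relies on aname being an array rather than a pointer; its declaration is outside the hunk, as is the rest of main.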
diff -r 854983188b62 -r c8006f36d89c archivers/unace/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/archivers/unace/patches/patch-ae  Tue Mar 01 20:32:37 2005 +0000
@@ -0,0 +1,97 @@
+$NetBSD: patch-ae,v 1.1.2.2 2005/03/01 20:32:38 snj Exp $
+
+--- uac_crt.c.orig     1998-07-01 10:29:00.000000000 +0200
++++ uac_crt.c
+@@ -33,12 +33,15 @@
+ 
+ /* gets file name from header
+  */
+-CHAR *ace_fname(CHAR * s, thead * head, INT nopath)
++CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size)
+ {
+-   INT  i;
++   unsigned int i;
+    char *cp;
+ 
+-   strncpy(s, (*(tfhead *) head).FNAME, i = (*(tfhead *) head).FNAME_SIZE);
++   i = (*(tfhead *) head).FNAME_SIZE;
++   if (i > (size - 1))
++     i = size - 1;
++   strncpy(s, (*(tfhead *) head).FNAME, i);
+    s[i] = 0;
+ 
+    if (nopath)
+@@ -56,22 +59,72 @@ CHAR *ace_fname(CHAR * s, thead * head, 
+    }
+ #endif
+ 
++   cp = s;
++   while (*cp == '/') cp++;
++   if (cp != s)
++     memmove(s, cp, strlen(cp) + 1);
++
+    return s;
+ }
+ 
++int is_directory_traversal(char *str)
++{
++  unsigned int mode, countdots;
++  /* mode 0 = fresh, 1 = just dots, 2 = not just dots */
++  char ch;
++
++  mode = countdots = 0;
++
++  while (ch = *str++)
++  {
++    if ((ch == '/') && (mode == 1) && (countdots > 1))
++      return 1;
++
++    if (ch == '/')
++    {
++       mode = countdots = 0;
++       continue;
++    }
++
++    if (ch == '.')
++    {
++      if (mode == 0)
++        mode = 1;
++
++      countdots++;
++    }
++    else
++      mode = 2;
++  }
++
++  if ((mode == 1) && (countdots > 1))
++    return 1;
++
++  return 0;
++}
++
+ void check_ext_dir(CHAR * f)        // checks/creates path of file
+ {
+    CHAR *cp,
+         d[PATH_MAX];
+-   INT  i;
++   unsigned int i;
+ 
+    d[0] = 0;
+ 
++   if (is_directory_traversal(f))
++   {
++      f_err = ERR_WRITE;
++      printf("\n    Directory traversal attempt:  %s\n", f);
++      return;
++   }
++
+    for (;;)
+    {
+       if ((cp = (CHAR *) strchr(&f[strlen(d) + 1], DIRSEP))!=NULL)
+       {
+          i = cp - f;
++         if (i > (PATH_MAX - 1))
++           i = PATH_MAX - 1;
+          strncpy(d, f, i);
+          d[i] = 0;
+       }
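Review bot: In check_ext_dir the new clamp `if (i > (PATH_MAX - 1)) i = PATH_MAX - 1;` keeps d in bounds but then creates a directory whose name is a truncated prefix of the entry's path, and because the next iteration searches again from `&f[strlen(d) + 1]`, a name whose first separator lies beyond PATH_MAX - 1 yields the same cp and the same d on every pass, so the loop can only terminate if the part of the body below the hunk breaks out; whether f can be that long depends on the size of the caller's `file` buffer, which is not shown here. An over-long component is not a path unace can create anyway, so reject it instead of truncating: `if (i > PATH_MAX - 1) { f_err = ERR_WRITE; printf("\n    Path too long:  %s\n", f); return; }`, mirroring the traversal rejection added just above. The leading-separator strip in ace_fname and is_directory_traversal both test the literal '/' while this file otherwise uses DIRSEP (see the strchr in check_ext_dir); if DIRSEP is ever defined differently both checks miss, so use DIRSEP in both places. `while (ch = *str++)` should be `while ((ch = *str++) != 0)` so the assignment is visibly intentional. The for loop in check_ext_dir continues past the end of the hunk.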
diff -r 854983188b62 -r c8006f36d89c archivers/unace/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/archivers/unace/patches/patch-af  Tue Mar 01 20:32:37 2005 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-af,v 1.1.2.2 2005/03/01 20:32:38 snj Exp $
+
+--- uac_crt.h.orig     1998-07-01 10:29:00.000000000 +0200
++++ uac_crt.h
+@@ -4,7 +4,7 @@
+ 
+ #include "acestruc.h"
+ 
+-CHAR *ace_fname(CHAR * s, thead * head, INT nopath);
++CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size);
+ INT  create_dest_file(CHAR * file, INT a);
+ 
+ #ifdef UNIX
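Review bot: The new `size` parameter is undocumented at the prototype, and it is the one value callers must get right; from the implementation in uac_crt.c it is the capacity of `s` in bytes including the terminating NUL, and the copied name is silently truncated to size - 1 characters. Add above the prototype: `/* size: capacity of s in bytes (incl. NUL); longer names are truncated to size-1 chars */`. A caller passing 0 would make `size - 1` wrap to UINT_MAX in the implementation, so the comment should state that size must be at least 1, or the implementation should guard it. is_directory_traversal is not declared here, so it should be `static` in uac_crt.c unless other translation units are meant to call it.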


