From 06cb3e1e79780fa911f57f4568c7dce95651cd25 Mon Sep 17 00:00:00 2001 From: Henning Heinold Date: Fri, 25 Jun 2010 22:42:27 +0200 Subject: fastjar: apply fix for CVE-2010-0831 * bump PR --- recipes/fastjar/fastjar_0.98.bb | 4 +- recipes/fastjar/files/jartool.patch | 112 ++++++++++++++++++++++++++++++++++++ 2 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 recipes/fastjar/files/jartool.patch diff --git a/recipes/fastjar/fastjar_0.98.bb b/recipes/fastjar/fastjar_0.98.bb index e9be4e14a9..bbfb44523f 100644 --- a/recipes/fastjar/fastjar_0.98.bb +++ b/recipes/fastjar/fastjar_0.98.bb @@ -1,6 +1,8 @@ require fastjar.inc -PR = "${INC_PR}.1" +PR = "${INC_PR}.2" + +SRC_URI += "file://jartool.patch" SRC_URI[md5sum] = "d2d264d343d4d0e1575832cc1023c3bf" SRC_URI[sha256sum] = "f156abc5de8658f22ee8f08d7a72c88f9409ebd8c7933e9466b0842afeb2f145" diff --git a/recipes/fastjar/files/jartool.patch b/recipes/fastjar/files/jartool.patch new file mode 100644 index 0000000000..b589b626f6 --- /dev/null +++ b/recipes/fastjar/files/jartool.patch @@ -0,0 +1,112 @@ +--- a/jartool.c 2009/09/06 22:16:00 1.59 ++++ b/jartool.c 2010/06/10 11:32:48 1.62 +@@ -790,6 +790,7 @@ + progname, jarfile); + return 1; + } ++ ze->filename[len] = '\0'; + len = UNPACK_UB4(header, CEN_EFLEN); + len += UNPACK_UB4(header, CEN_COMLEN); + if (lseek (fd, len, SEEK_CUR) == -1) +@@ -1257,7 +1258,7 @@ + exit_on_error("write"); + + /* write the file name to the zip file */ +- if (1 == write(jfd, fname, file_name_length)) ++ if (-1 == write(jfd, fname, file_name_length)) + exit_on_error("write"); + + if(verbose){ +@@ -1730,7 +1731,17 @@ + struct stat sbuf; + int depth = 0; + +- tmp_buff = malloc(sizeof(char) * strlen((const char *)filename)); ++ if(*filename == '/'){ ++ fprintf(stderr, "Absolute path names are not allowed.\n"); ++ exit(EXIT_FAILURE); ++ } ++ ++ tmp_buff = malloc(strlen((const char *)filename)); ++ ++ if(tmp_buff == NULL) { ++ fprintf(stderr, "Out of memory.\n"); ++ exit(EXIT_FAILURE); ++ } + + for(;;){ + const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/'); +@@ -1738,25 +1749,28 @@ + if(idx == NULL) + break; + else if(idx == start){ ++ tmp_buff[idx - filename] = '/'; + start++; + continue; + } +- start = idx + 1; + +- strncpy(tmp_buff, (const char *)filename, (idx - filename)); +- tmp_buff[(idx - filename)] = '\0'; ++ memcpy(tmp_buff + (start - filename), (const char *)start, (idx - start)); ++ tmp_buff[idx - filename] = '\0'; + + #ifdef DEBUG + printf("checking the existance of %s\n", tmp_buff); + #endif +- if(strcmp(tmp_buff, "..") == 0){ ++ if(idx - start == 2 && memcmp(start, "..", 2) == 0){ + --depth; + if (depth < 0){ + fprintf(stderr, "Traversal to parent directories during unpacking!\n"); + exit(EXIT_FAILURE); + } +- } else if (strcmp(tmp_buff, ".") != 0) ++ } else if (idx - start != 1 || *start != '.') + ++depth; ++ ++ start = idx + 1; ++ + if(stat(tmp_buff, &sbuf) < 0){ + if(errno != ENOENT) + exit_on_error("stat"); +@@ -1765,6 +1779,7 @@ + #ifdef DEBUG + printf("Directory exists\n"); + #endif ++ tmp_buff[idx - filename] = '/'; + continue; + }else { + fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n", +@@ -1781,10 +1796,11 @@ + if(verbose && handle) + printf("%10s: %s/\n", "created", tmp_buff); + ++ tmp_buff[idx - filename] = '/'; + } + + /* only a directory */ +- if(strlen((const char *)start) == 0) ++ if(*start == '\0') + dir = TRUE; + + #ifdef DEBUG +@@ -1792,7 +1808,7 @@ + #endif + + /* If the entry was just a directory, don't write to file, etc */ +- if(strlen((const char *)start) == 0) ++ if(*start == '\0') + f_fd = -1; + + free(tmp_buff); +@@ -1876,7 +1892,8 @@ + exit(EXIT_FAILURE); + } + +- close(f_fd); ++ if (f_fd != -1) ++ close(f_fd); + + if(verbose && dir == FALSE && handle) + printf("%10s: %s\n", -- cgit v1.2.3