unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob cc64711ae9f836713f47ded0c9d5aa7cd18d3541 2949 bytes (raw)
name: patches/libtar-CVE-2013-4420.patch 	 # note: path name is non-authoritative(*)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
 
Author: Raphael Geissert <geissert@debian.org>
Bug-Debian: https://bugs.debian.org/731860
Description: Avoid directory traversal when extracting archives 
 by skipping over leading slashes and any prefix containing ".." components.
Forwarded: yes

--- a/lib/decode.c
+++ b/lib/decode.c
@@ -22,6 +22,36 @@
 #endif
 
 
+char *
+safer_name_suffix (char const *file_name)
+{
+	char const *p, *t;
+	p = t = file_name;
+	while (*p == '/') t = ++p;
+	while (*p)
+	{
+		while (p[0] == '.' && p[0] == p[1] && p[2] == '/')
+		{
+			p += 3;
+			t = p;
+		}
+		/* advance pointer past the next slash */
+		while (*p && (p++)[0] != '/');
+	}
+
+	if (!*t)
+	{
+		t = ".";
+	}
+
+	if (t != file_name)
+	{
+		/* TODO: warn somehow that the path was modified */
+	}
+	return (char*)t;
+}
+
+
 /* determine full path name */
 char *
 th_get_pathname(TAR *t)
@@ -29,17 +59,17 @@ th_get_pathname(TAR *t)
 	static char filename[MAXPATHLEN];
 
 	if (t->th_buf.gnu_longname)
-		return t->th_buf.gnu_longname;
+		return safer_name_suffix(t->th_buf.gnu_longname);
 
 	if (t->th_buf.prefix[0] != '\0')
 	{
 		snprintf(filename, sizeof(filename), "%.155s/%.100s",
 			 t->th_buf.prefix, t->th_buf.name);
-		return filename;
+		return safer_name_suffix(filename);
 	}
 
 	snprintf(filename, sizeof(filename), "%.100s", t->th_buf.name);
-	return filename;
+	return safer_name_suffix(filename);
 }
 
 
--- a/lib/extract.c
+++ b/lib/extract.c
@@ -298,14 +298,14 @@ tar_extract_hardlink(TAR * t, char *real
 	if (mkdirhier(dirname(filename)) == -1)
 		return -1;
 	libtar_hashptr_reset(&hp);
-	if (libtar_hash_getkey(t->h, &hp, th_get_linkname(t),
+	if (libtar_hash_getkey(t->h, &hp, safer_name_suffix(th_get_linkname(t)),
 			       (libtar_matchfunc_t)libtar_str_match) != 0)
 	{
 		lnp = (char *)libtar_hashptr_data(&hp);
 		linktgt = &lnp[strlen(lnp) + 1];
 	}
 	else
-		linktgt = th_get_linkname(t);
+		linktgt = safer_name_suffix(th_get_linkname(t));
 
 #ifdef DEBUG
 	printf("  ==> extracting: %s (link to %s)\n", filename, linktgt);
@@ -343,9 +343,9 @@ tar_extract_symlink(TAR *t, char *realna
 
 #ifdef DEBUG
 	printf("  ==> extracting: %s (symlink to %s)\n",
-	       filename, th_get_linkname(t));
+	       filename, safer_name_suffix(th_get_linkname(t)));
 #endif
-	if (symlink(th_get_linkname(t), filename) == -1)
+	if (symlink(safer_name_suffix(th_get_linkname(t)), filename) == -1)
 	{
 #ifdef DEBUG
 		perror("symlink()");
--- a/lib/internal.h
+++ b/lib/internal.h
@@ -15,3 +15,4 @@
 
 #include <libtar.h>
 
+char* safer_name_suffix(char const*);
--- a/lib/output.c
+++ b/lib/output.c
@@ -123,9 +123,9 @@ th_print_long_ls(TAR *t)
 		else
 			printf(" link to ");
 		if ((t->options & TAR_GNU) && t->th_buf.gnu_longlink != NULL)
-			printf("%s", t->th_buf.gnu_longlink);
+			printf("%s", safer_name_suffix(t->th_buf.gnu_longlink));
 		else
-			printf("%.100s", t->th_buf.linkname);
+			printf("%.100s", safer_name_suffix(t->th_buf.linkname));
 	}
 
 	putchar('\n');

debug log:

solving cc64711ae9f836713f47ded0c9d5aa7cd18d3541 ...
found cc64711ae9f836713f47ded0c9d5aa7cd18d3541 in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).