rpms / patch

Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f7 f8 f9 main rawhide
  1.   f14
  2.   patch-CVE-2010-4651.patch
Blob Blame History Raw 
diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
--- patch-2.6.1/Makefile.in.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
+++ patch-2.6.1/Makefile.in	2011-02-10 12:29:32.926361705 +0000
@@ -192,6 +192,7 @@ installcheck::
 TESTS = \
 	tests/asymmetric-hunks \
 	tests/backup-prefix-suffix \
+	tests/bad-filenames \
 	tests/corrupt-reject-files \
 	tests/create-delete \
 	tests/crlf-handling \
diff -up patch-2.6.1/src/common.h.CVE-2010-4651 patch-2.6.1/src/common.h
--- patch-2.6.1/src/common.h.CVE-2010-4651	2011-02-10 12:30:29.142797627 +0000
+++ patch-2.6.1/src/common.h	2011-02-10 12:30:33.566989729 +0000
@@ -169,6 +169,7 @@ XTERN char *revision;			/* prerequisite 
 #endif
 
 void fatal_exit (int) __attribute__ ((noreturn));
+void validate_target_name (char const *n);
 
 #include <errno.h>
 #if !STDC_HEADERS && !defined errno
diff -up patch-2.6.1/src/patch.c.CVE-2010-4651 patch-2.6.1/src/patch.c
--- patch-2.6.1/src/patch.c.CVE-2010-4651	2011-02-10 12:30:20.721432124 +0000
+++ patch-2.6.1/src/patch.c	2011-02-10 12:30:33.567989772 +0000
@@ -34,6 +34,7 @@
 #include <util.h>
 #include <version.h>
 #include <xalloc.h>
+#include <dirname.h>
 
 /* procedures */
 
@@ -916,6 +917,26 @@ numeric_string (char const *string,
   return value;
 }
 
+void
+validate_target_name (char const *n)
+{
+  char const *p = n;
+  if (explicit_inname)
+    return;
+  if (IS_ABSOLUTE_FILE_NAME (p))
+    fatal ("rejecting absolute target file name: %s", quotearg (p));
+  while (*p)
+    {
+      if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
+	fatal ("rejecting target file name with \"..\" component: %s",
+	       quotearg (n));
+      while (*p && ! ISSLASH (*p))
+	p++;
+      while (ISSLASH (*p))
+	p++;
+    }
+}
+
 /* Attempt to find the right place to apply this hunk of patch. */
 
 static LINENUM
diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
--- patch-2.6.1/src/pch.c.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
+++ patch-2.6.1/src/pch.c	2011-02-10 12:30:33.573990033 +0000
@@ -3,7 +3,7 @@
 /* Copyright (C) 1986, 1987, 1988 Larry Wall
 
    Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
-   2002, 2003, 2006, 2009 Free Software Foundation, Inc.
+   2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -199,6 +199,8 @@ maybe_reverse (char const *name, bool no
 {
   bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty];
 
+  validate_target_name (name);
+
   if (looks_reversed)
     reverse ^=
       ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!",
@@ -725,6 +727,7 @@ intuit_diff_type (bool need_header)
 	inerrno = stat_errno[i];
 	invc = version_controlled[i];
 	instat = st[i];
+	validate_target_name (inname);
       }
 
     return retval;
diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames
--- patch-2.6.1/tests/bad-filenames.CVE-2010-4651	2011-02-10 12:29:32.931361921 +0000
+++ patch-2.6.1/tests/bad-filenames	2011-02-10 12:30:33.576990163 +0000
@@ -0,0 +1,71 @@
+# Copyright (C) 2011 Free Software Foundation, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# in any medium, are permitted without royalty provided the copyright
+# notice and this notice are preserved.
+
+. $srcdir/test-lib.sh
+
+use_local_patch
+use_tmpdir
+
+# ================================================================
+
+emit_2()
+{
+cat <<EOF
+--- $1
++++ $2
+@@ -0,0 +1 @@
++x
+EOF
+}
+
+emit_patch() { emit_2 /dev/null "$1"; }
+
+# Ensure that patch rejects an output file name that is absolute
+# or that contains a ".." component.
+
+check 'emit_patch /absolute/path | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting absolute target file name: /absolute/path
+status: 2
+EOF
+
+check 'emit_patch a/../z | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: a/../z
+status: 2
+EOF
+
+check 'emit_patch a/../z | patch -p1; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: ../z
+status: 2
+EOF
+
+check 'emit_patch a/.. | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: a/..
+status: 2
+EOF
+
+check 'emit_patch ../z | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: ../z
+status: 2
+EOF
+
+check 'emit_2 /abs/path target | patch -p0; echo status: $?' <<EOF
+patching file target
+status: 0
+EOF
+
+echo x > target
+check 'emit_2 /abs/path target | patch -R -p0; echo status: $?' <<EOF
+patching file target
+status: 0
+EOF
+
+# Do not validate any file name from the input when the target
+# is specified on the command line:
+touch abs
+check 'emit_patch /absolute/path | patch `pwd`/abs; echo status: $?' <<EOF
+patching file `pwd`/abs
+status: 0
+EOF
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.