diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in --- patch-2.6.1/Makefile.in.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000 +++ patch-2.6.1/Makefile.in 2011-02-10 12:29:32.926361705 +0000 @@ -192,6 +192,7 @@ installcheck:: TESTS = \ tests/asymmetric-hunks \ tests/backup-prefix-suffix \ + tests/bad-filenames \ tests/corrupt-reject-files \ tests/create-delete \ tests/crlf-handling \ diff -up patch-2.6.1/src/common.h.CVE-2010-4651 patch-2.6.1/src/common.h --- patch-2.6.1/src/common.h.CVE-2010-4651 2011-02-10 12:30:29.142797627 +0000 +++ patch-2.6.1/src/common.h 2011-02-10 12:30:33.566989729 +0000 @@ -169,6 +169,7 @@ XTERN char *revision; /* prerequisite #endif void fatal_exit (int) __attribute__ ((noreturn)); +void validate_target_name (char const *n); #include #if !STDC_HEADERS && !defined errno diff -up patch-2.6.1/src/patch.c.CVE-2010-4651 patch-2.6.1/src/patch.c --- patch-2.6.1/src/patch.c.CVE-2010-4651 2011-02-10 12:30:20.721432124 +0000 +++ patch-2.6.1/src/patch.c 2011-02-10 12:30:33.567989772 +0000 @@ -34,6 +34,7 @@ #include #include #include +#include /* procedures */ @@ -916,6 +917,26 @@ numeric_string (char const *string, return value; } +void +validate_target_name (char const *n) +{ + char const *p = n; + if (explicit_inname) + return; + if (IS_ABSOLUTE_FILE_NAME (p)) + fatal ("rejecting absolute target file name: %s", quotearg (p)); + while (*p) + { + if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p))) + fatal ("rejecting target file name with \"..\" component: %s", + quotearg (n)); + while (*p && ! ISSLASH (*p)) + p++; + while (ISSLASH (*p)) + p++; + } +} + /* Attempt to find the right place to apply this hunk of patch. */ static LINENUM diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c --- patch-2.6.1/src/pch.c.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000 +++ patch-2.6.1/src/pch.c 2011-02-10 12:30:33.573990033 +0000 @@ -3,7 +3,7 @@ /* Copyright (C) 1986, 1987, 1988 Larry Wall Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001, - 2002, 2003, 2006, 2009 Free Software Foundation, Inc. + 2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -199,6 +199,8 @@ maybe_reverse (char const *name, bool no { bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty]; + validate_target_name (name); + if (looks_reversed) reverse ^= ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!", @@ -725,6 +727,7 @@ intuit_diff_type (bool need_header) inerrno = stat_errno[i]; invc = version_controlled[i]; instat = st[i]; + validate_target_name (inname); } return retval; diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames --- patch-2.6.1/tests/bad-filenames.CVE-2010-4651 2011-02-10 12:29:32.931361921 +0000 +++ patch-2.6.1/tests/bad-filenames 2011-02-10 12:30:33.576990163 +0000 @@ -0,0 +1,71 @@ +# Copyright (C) 2011 Free Software Foundation, Inc. +# +# Copying and distribution of this file, with or without modification, +# in any medium, are permitted without royalty provided the copyright +# notice and this notice are preserved. + +. $srcdir/test-lib.sh + +use_local_patch +use_tmpdir + +# ================================================================ + +emit_2() +{ +cat < target +check 'emit_2 /abs/path target | patch -R -p0; echo status: $?' <