Fix security problem of lha package applying patches by David Ahmad

< da at securityfocus dot com > on bugtraq mailing list. Bump pacakge revision to nb2.
NetBSD · May 13, 2004 · bb5daad · bb5daad
1 parent 822c75d
commit bb5daad
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 3 deletions.
diff --git a/archivers/lha/Makefile b/archivers/lha/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.19 2004/05/06 08:15:08 itojun Exp $
+# $NetBSD: Makefile,v 1.20 2004/05/13 11:42:43 taca Exp $
 
 DISTNAME=       lha-114i
 PKGNAME=	lha-114.9
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	archivers
 MASTER_SITES=   http://www2m.biglobe.ne.jp/~dolphin/lha/prog/ \
 		ftp://ftp.win.ne.jp/pub/misc/

diff --git a/archivers/lha/distinfo b/archivers/lha/distinfo
@@ -1,10 +1,12 @@
-$NetBSD: distinfo,v 1.5 2002/08/25 21:49:12 jlam Exp $
+$NetBSD: distinfo,v 1.6 2004/05/13 11:42:43 taca Exp $
 
 SHA1 (lha-114i.tar.gz) = 79e35271f2cf783f946db3f22e304fef72dbac99
 Size (lha-114i.tar.gz) = 64608 bytes
+SHA1 (patch-ad) = a3169c55c462d4eb54e52709744ef7084a94bcb4
 SHA1 (patch-ae) = a53647ccf72511ecd2b5306e23da1219fa5e7264
 SHA1 (patch-af) = 0c2f6d5bf23c3c98b102487abe3dd1190470f50c
 SHA1 (patch-ag) = 9ad3bc807a3cda4f71d8fbbbea19306f252f2489
 SHA1 (patch-ah) = cd44b40fa7e25a9996b2441d1b78a1a6570977b2
 SHA1 (patch-ai) = d988b7d048656080d14bfad1da89c9888c9ddf90
 SHA1 (patch-aj) = 6331fce7f55eef1c2003e693f165dd0565e7172e
+SHA1 (patch-ak) = fa6de630a7414b73dec8b75be0bfbb3493c4192f
diff --git a/archivers/lha/patches/patch-ad b/archivers/lha/patches/patch-ad
@@ -0,0 +1,53 @@
+$NetBSD: patch-ad,v 1.3 2004/05/13 11:42:43 taca Exp $
+
+--- src/lhext.c.orig	2000-10-04 23:57:38.000000000 +0900
++++ src/lhext.c
+@@ -190,8 +190,13 @@ extract_one(afp, hdr)
+ 		q = (char *) rindex(hdr->name, '/') + 1;
+ 	}
+ 	else {
++		if (is_directory_traversal(q)) {
++		  fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
++		  exit(111);
++		}
++
+ 		if (*q == '/') {
+-			q++;
++			while (*q == '/') { q++; }
+ 			/*
+ 			 * if OSK then strip device name
+ 			 */
+@@ -419,6 +424,33 @@ cmd_extract()
+ 	return;
+ }
+
++int
++is_directory_traversal(char *string)
++{
++  unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
++  char *temp;
++
++  temp = string;
++
++  while (*temp != 0) {
++    if (temp[0] == '/') {
++      if (type == 1) { return 1; }
++      type = 0;
++      temp++;
++      continue;
++    }
++
++    if ((temp[0] == '.') && (type < 2))
++      type = 1;
++    if (temp[0] != '.')
++      type = 2;
++
++    temp++;
++  } /* while */
++
++  return (type == 1);
++}
++
+ /* Local Variables: */
+ /* mode:c */
+ /* tab-width:4 */
diff --git a/archivers/lha/patches/patch-ak b/archivers/lha/patches/patch-ak
@@ -0,0 +1,26 @@
+$NetBSD: patch-ak,v 1.1 2004/05/13 11:42:43 taca Exp $
+
+--- src/header.c.orig	2000-10-06 02:36:03.000000000 +0900
++++ src/header.c
+@@ -538,6 +538,10 @@ get_header(fp, hdr)
+ 				/*
+ 				 * filename
+ 				 */
++				if (header_size >= 256) {
++				  fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
++				  exit(109);
++				}
+ 				for (i = 0; i < header_size - 3; i++)
+ 					hdr->name[i] = (char) get_byte();
+ 				hdr->name[header_size - 3] = '\0';
+@@ -547,6 +551,10 @@ get_header(fp, hdr)
+ 				/*
+ 				 * directory
+ 				 */
++				if (header_size >= FILENAME_LENGTH) {
++				  fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
++				  exit(110);
++				}
+ 				for (i = 0; i < header_size - 3; i++)
+ 					dirname[i] = (char) get_byte();
+ 				dirname[header_size - 3] = '\0';