wallenstein/void-packages
1
0
Fork 0
mirror of https://github.com/void-linux/void-packages.git synced 2025-06-09 08:33:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

fastjar: fix CVE-2010-2322

Browse source
This commit is contained in:
maxice8 2018-10-05 00:25:34 -03:00 committed by maxice8
parent 9edec8dee0
commit a5fb48151f
2 changed files with 52 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
srcpkgs/fastjar/patches/CVE-2010-2322.patch Normal file
View file

@ -0,0 +1,49 @@
Index: fastjar-0.98/jartool.c
===================================================================
--- jartool.c 2010-05-19 14:54:57.367665309 +0200
+++ jartool.c 2010-05-19 14:54:57.381665355 +0200
@@ -1731,8 +1731,18 @@
struct stat sbuf;
int depth = 0;
+ if(strncmp((const char *)filename, "/", 1) == 0){
+ fprintf(stderr, "Absolute path names are not allowed.\n");
+ exit(EXIT_FAILURE);
+ }
+
tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
+ if(tmp_buff == NULL) {
+ fprintf(stderr, "Out of memory.\n");
+ exit(EXIT_FAILURE);
+ }
+
for(;;){
const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
@@ -1750,14 +1760,17 @@
#ifdef DEBUG
printf("checking the existance of %s\n", tmp_buff);
#endif
- if(strcmp(tmp_buff, "..") == 0){
- --depth;
- if (depth < 0){
- fprintf(stderr, "Traversal to parent directories during unpacking!\n");
- exit(EXIT_FAILURE);
- }
- } else if (strcmp(tmp_buff, ".") != 0)
- ++depth;
+ if(strcmp(tmp_buff, "..") == 0 || (strlen(tmp_buff) > 2 && strncmp(tmp_buff + strlen(tmp_buff) - 3, "/..", 3) == 0)){
+ --depth;
+ if (depth < 0){
+ fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+ exit(EXIT_FAILURE);
+ }
+ } else if (strcmp(tmp_buff, ".") == 0 || (strlen(tmp_buff) > 1 && strncmp(tmp_buff + strlen(tmp_buff) - 2, "/.", 2) == 0)){
+ /* Do nothing, the current directory is "." */
+ } else
+ ++depth;
+
if(stat(tmp_buff, &sbuf) < 0){
if(errno != ENOENT)
exit_on_error("stat");

6
srcpkgs/fastjar/template
View file

@ -1,12 +1,12 @@
# Template file for 'fastjar' # Template file for 'fastjar'
pkgname=fastjar pkgname=fastjar
version=0.98 version=0.98
revision=1 revision=2
build_style=gnu-configure build_style=gnu-configure
makedepends="zlib-devel" makedepends="zlib-devel"
short_desc="C implementation of Oracle's jar utility." short_desc="C implementation of Oracle's jar utility"
maintainer="Enno Boland <gottox@voidlinux.eu>" maintainer="Enno Boland <gottox@voidlinux.eu>"
license="GPL-2" license="GPL-2"
homepage="http://savannah.nongnu.org/projects/fastjar" homepage="http://savannah.nongnu.org/projects/fastjar"
distfiles="http://download.savannah.gnu.org/releases/$pkgname/$pkgname-$version.tar.gz" distfiles="http://download.savannah.gnu.org/releases/${pkgname}/${pkgname}-${version}.tar.gz"
checksum=f156abc5de8658f22ee8f08d7a72c88f9409ebd8c7933e9466b0842afeb2f145 checksum=f156abc5de8658f22ee8f08d7a72c88f9409ebd8c7933e9466b0842afeb2f145