summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNed Ludd <solar@gentoo.org>2004-11-15 03:34:39 +0000
committerNed Ludd <solar@gentoo.org>2004-11-15 03:34:39 +0000
commit338ac4286081c68e2c14081c567a0135459bcc68 (patch)
tree8a9ad21c2f8f91b76d1db6e802012e1f6072299d /app-arch
parentError out when profile contains files owned by another user #67052 (and other... (diff)
downloadgentoo-2-338ac4286081c68e2c14081c567a0135459bcc68.tar.gz
gentoo-2-338ac4286081c68e2c14081c567a0135459bcc68.tar.bz2
gentoo-2-338ac4286081c68e2c14081c567a0135459bcc68.zip
security bump - CAN-2004-0947 - bug 70966
Diffstat (limited to 'app-arch')
-rw-r--r--app-arch/unarj/ChangeLog8
-rw-r--r--app-arch/unarj/Manifest4
-rw-r--r--app-arch/unarj/files/digest-unarj-2.63a-r21
-rw-r--r--app-arch/unarj/files/unarj-2.65-CAN-2004-0947.patch49
-rw-r--r--app-arch/unarj/files/unarj-2.65-sanitation.patch133
-rw-r--r--app-arch/unarj/unarj-2.63a-r2.ebuild31
6 files changed, 225 insertions, 1 deletions
diff --git a/app-arch/unarj/ChangeLog b/app-arch/unarj/ChangeLog
index d2bada0e8ce5..349b3506ad3d 100644
--- a/app-arch/unarj/ChangeLog
+++ b/app-arch/unarj/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for app-arch/unarj
# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-arch/unarj/ChangeLog,v 1.9 2004/06/24 21:37:28 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-arch/unarj/ChangeLog,v 1.10 2004/11/15 03:34:39 solar Exp $
+
+*unarj-2.63a-r2 (14 Nov 2004)
+
+ 14 Nov 2004; <solar@gentoo.org> +files/unarj-2.65-CAN-2004-0947.patch,
+ +files/unarj-2.65-sanitation.patch, +unarj-2.63a-r2.ebuild:
+ security bump - CAN-2004-0947 - bug 70966
24 Nov 2003; Aron Griffis <agriffis@gentoo.org> unarj-2.63a-r1.ebuild:
Mark stable on alpha
diff --git a/app-arch/unarj/Manifest b/app-arch/unarj/Manifest
index b599fc0a6caa..828c7b8ba933 100644
--- a/app-arch/unarj/Manifest
+++ b/app-arch/unarj/Manifest
@@ -1,3 +1,7 @@
MD5 416739c466fcd11a64bf83b0b905c486 unarj-2.63a-r1.ebuild 658
+MD5 3db1dd73e60c9d088058dda04be488a8 unarj-2.63a-r2.ebuild 788
MD5 d1e87deacbf6773fdc257d33a4934d09 ChangeLog 1246
+MD5 ff29e175029520a55c6bbe96c614370b files/unarj-2.65-sanitation.patch 3040
MD5 0fec2e24cfc04ee5279a349ea7ebc34b files/digest-unarj-2.63a-r1 62
+MD5 0fec2e24cfc04ee5279a349ea7ebc34b files/digest-unarj-2.63a-r2 62
+MD5 c690458b8e0e69d0988b7359b4c4efa7 files/unarj-2.65-CAN-2004-0947.patch 1523
diff --git a/app-arch/unarj/files/digest-unarj-2.63a-r2 b/app-arch/unarj/files/digest-unarj-2.63a-r2
new file mode 100644
index 000000000000..ea9a48b49669
--- /dev/null
+++ b/app-arch/unarj/files/digest-unarj-2.63a-r2
@@ -0,0 +1 @@
+MD5 a83d139c245f911f22cb1b611ec9768f unarj-2.63a.tar.gz 24979
diff --git a/app-arch/unarj/files/unarj-2.65-CAN-2004-0947.patch b/app-arch/unarj/files/unarj-2.65-CAN-2004-0947.patch
new file mode 100644
index 000000000000..f52af83ac2ca
--- /dev/null
+++ b/app-arch/unarj/files/unarj-2.65-CAN-2004-0947.patch
@@ -0,0 +1,49 @@
+Index: unarj-2.65/unarj.c
+===================================================================
+--- unarj-2.65.orig/unarj.c
++++ unarj-2.65/unarj.c
+@@ -217,7 +217,7 @@ static uchar arj_flags;
+ static short method;
+ static uint file_mode;
+ static ulong time_stamp;
+-static short entry_pos;
++static ushort entry_pos;
+ static ushort host_data;
+ static uchar *get_ptr;
+ static UCRC file_crc;
+@@ -608,6 +608,7 @@ char *name;
+ error(M_BADHEADR, "");
+
+ crc = CRC_MASK;
++ memset(header, 0, sizeof(header));
+ fread_crc(header, (int) headersize, fd);
+ header_crc = fget_crc(fd);
+ if ((crc ^ CRC_MASK) != header_crc)
+@@ -632,9 +633,13 @@ char *name;
+
+ if (origsize < 0 || compsize < 0)
+ error(M_HEADRCRC, "");
++ if(first_hdr_size > headersize-2) /* need two \0 for file and comment */
++ error(M_BADHEADR, "");
+
+ hdr_filename = (char *)&header[first_hdr_size];
+ strncopy(filename, hdr_filename, sizeof(filename));
++ if(entry_pos >= strlen(filename))
++ error(M_BADHEADR, "");
+ if (host_os != OS)
+ strparity((uchar *)filename);
+ if ((arj_flags & PATHSYM_FLAG) != 0)
+@@ -733,11 +738,11 @@ extract()
+
+ no_output = 0;
+ if (command == 'E')
+- strcpy(name, &filename[entry_pos]);
++ strncopy(name, &filename[entry_pos], sizeof(name));
+ else
+ {
+ strcpy(name, DEFAULT_DIR);
+- strcat(name, filename);
++ strncopy(name+strlen(name), filename, sizeof(name)-strlen(name));
+ }
+
+ if (host_os != OS)
diff --git a/app-arch/unarj/files/unarj-2.65-sanitation.patch b/app-arch/unarj/files/unarj-2.65-sanitation.patch
new file mode 100644
index 000000000000..e8b36f050815
--- /dev/null
+++ b/app-arch/unarj/files/unarj-2.65-sanitation.patch
@@ -0,0 +1,133 @@
+Index: unarj-2.65/sanitize.c
+===================================================================
+--- /dev/null
++++ unarj-2.65/sanitize.c
+@@ -0,0 +1,81 @@
++/*
++ * Path sanitation code by Ludwig Nussel <ludwig.nussel@suse.de>. Public Domain.
++ */
++
++#include "unarj.h"
++
++#include <string.h>
++#include <limits.h>
++#include <stdio.h>
++
++#ifndef PATH_CHAR
++#define PATH_CHAR '/'
++#endif
++#ifndef MIN
++#define MIN(x,y) ((x)<(y)?(x):(y))
++#endif
++
++/* copy src into dest converting the path to a relative one inside the current
++ * directory. dest must hold at least len bytes */
++void copy_path_relative(char *dest, char *src, size_t len)
++{
++ char* o = dest;
++ char* p = src;
++
++ *o = '\0';
++
++ while(*p && *p == PATH_CHAR) ++p;
++ for(; len && *p;)
++ {
++ src = p;
++ p = strchr(src, PATH_CHAR);
++ if(!p) p = src+strlen(src);
++
++ /* . => skip */
++ if(p-src == 1 && *src == '.' )
++ {
++ if(*p) src = ++p;
++ }
++ /* .. => pop one */
++ else if(p-src == 2 && *src == '.' && src[1] == '.')
++ {
++ if(o != dest)
++ {
++ char* tmp;
++ *o = '\0';
++ tmp = strrchr(dest, PATH_CHAR);
++ if(!tmp)
++ {
++ len += o-dest;
++ o = dest;
++ if(*p) ++p;
++ }
++ else
++ {
++ len += o-tmp;
++ o = tmp;
++ if(*p) ++p;
++ }
++ }
++ else /* nothing to pop */
++ if(*p) ++p;
++ }
++ else
++ {
++ size_t copy;
++ if(o != dest)
++ {
++ --len;
++ *o++ = PATH_CHAR;
++ }
++ copy = MIN(p-src,len);
++ memcpy(o, src, copy);
++ len -= copy;
++ src += copy;
++ o += copy;
++ if(*p) ++p;
++ }
++ while(*p && *p == PATH_CHAR) ++p;
++ }
++ o[len?0:-1] = '\0';
++}
+Index: unarj-2.65/unarj.c
+===================================================================
+--- unarj-2.65.orig/unarj.c
++++ unarj-2.65/unarj.c
+@@ -235,6 +235,8 @@ static UCRC crctable[UCHAR_MAX + 1];
+
+ /* Functions */
+
++void copy_path_relative(char *dest, char *src, size_t len);
++
+ static void
+ make_crctable()
+ {
+@@ -738,11 +740,11 @@ extract()
+
+ no_output = 0;
+ if (command == 'E')
+- strncopy(name, &filename[entry_pos], sizeof(name));
++ copy_path_relative(name, &filename[entry_pos], sizeof(name));
+ else
+ {
+ strcpy(name, DEFAULT_DIR);
+- strncopy(name+strlen(name), filename, sizeof(name)-strlen(name));
++ copy_path_relative(name+strlen(name), filename, sizeof(name)-strlen(name));
+ }
+
+ if (host_os != OS)
+Index: unarj-2.65/Makefile
+===================================================================
+--- unarj-2.65.orig/Makefile
++++ unarj-2.65/Makefile
+@@ -6,8 +6,8 @@ CC = gcc
+ CFLAGS = -O2 -Wall -ansi -pedantic -DUNIX
+ INSTALLDIR=/usr/local/bin
+
+-unarj: unarj.o decode.o environ.o
+- $(CC) $(CFLAGS) -o unarj unarj.o decode.o environ.o
++unarj: unarj.o decode.o environ.o sanitize.o
++ $(CC) $(CFLAGS) -o unarj unarj.o decode.o environ.o sanitize.o
+ strip unarj
+
+ clean:
+@@ -19,3 +19,4 @@ install:
+ unarj.o: unarj.c unarj.h Makefile
+ environ.o: environ.c unarj.h Makefile
+ decode.o: decode.c unarj.h Makefile
++sanitize.o: sanitize.c unarj.h Makefile
diff --git a/app-arch/unarj/unarj-2.63a-r2.ebuild b/app-arch/unarj/unarj-2.63a-r2.ebuild
new file mode 100644
index 000000000000..1c5bf003e56e
--- /dev/null
+++ b/app-arch/unarj/unarj-2.63a-r2.ebuild
@@ -0,0 +1,31 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/unarj/unarj-2.63a-r2.ebuild,v 1.1 2004/11/15 03:34:39 solar Exp $
+
+inherit eutils
+
+DESCRIPTION="Utility for opening arj archives"
+HOMEPAGE="http://ibiblio.org/pub/Linux/utils/compress/"
+SRC_URI="http://ibiblio.org/pub/Linux/utils/compress/${P}.tar.gz"
+
+LICENSE="arj"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~alpha ~arm ~amd64"
+IUSE=""
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ sed -i "/^CFLAGS/s:-O2:${CFLAGS}:" ${S}/Makefile
+ epatch ${FILESDIR}/unarj-2.65-CAN-2004-0947.patch
+ epatch ${FILESDIR}/unarj-2.65-sanitation.patch
+}
+
+src_compile() {
+ emake || die
+}
+
+src_install() {
+ dobin unarj || die
+ dodoc unarj.txt technote.txt readme.txt
+}