[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [bug-patch] [PATCH] do not let a malicious patch create files above
From: |
Bert Wesarg |
Subject: |
Re: [bug-patch] [PATCH] do not let a malicious patch create files above current directory |
Date: |
Tue, 1 Feb 2011 12:18:01 +0100 |
On Tue, Feb 1, 2011 at 11:31, Jim Meyering <address@hidden> wrote:
> Surprised that no one has posted a patch for this yet, I wrote my own:
>
> From aeed44154b388210f0e70dbe802a78949224aa97 Mon Sep 17 00:00:00 2001
> From: Jim Meyering <address@hidden>
> Date: Tue, 1 Feb 2011 11:21:15 +0100
> Subject: [PATCH] do not let a malicious patch create files above current
> directory
>
> This addresses CVE-2010-4651, reported by Jakub Wilk.
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
> * src/pch.c (intuit_diff_type): Reject any file name containing a
> component of "..".
> * tests/dot-dot: New file. Test for this.
> * tests/Makefile.am (TESTS): Add it.
>
> 2002, 2009, 2010, 2011 Free Software Foundation, Inc.
> ---
> ChangeLog | 12 +++++++++++-
> src/pch.c | 14 +++++++++++++-
> tests/Makefile.am | 3 ++-
> tests/dot-dot | 45 +++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 71 insertions(+), 3 deletions(-)
> create mode 100644 tests/dot-dot
>
> diff --git a/ChangeLog b/ChangeLog
> index bbe5fe7..88db61c 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,13 @@
> +2011-02-01 Jim Meyering <address@hidden>
> +
> + do not let a malicious patch create files above current directory
> + This addresses CVE-2010-4651, reported by Jakub Wilk.
> + https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
> + * src/pch.c (intuit_diff_type): Reject any file name containing a
> + component of "..".
> + * tests/dot-dot: New file. Test for this.
> + * tests/Makefile.am (TESTS): Add it.
> +
> 2010-12-04 Andreas Gruenbacher <address@hidden>
>
> * src/util.c (make_tempfile): Create missing directories when
> @@ -3594,7 +3604,7 @@ Sun Dec 17 17:29:48 1989 Jim Kingdon (kingdon at
> hobbes.ai.mit.edu)
> Copyright (C) 1984, 1985, 1986, 1987, 1988 Larry Wall.
>
> Copyright (C) 1989, 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
> -2002, 2009, 2010 Free Software Foundation, Inc.
> +2002, 2009, 2010, 2011 Free Software Foundation, Inc.
>
> This file is part of GNU Patch.
>
> diff --git a/src/pch.c b/src/pch.c
> index 1653ee4..54a9acc 100644
> --- a/src/pch.c
> +++ b/src/pch.c
> @@ -3,7 +3,7 @@
> /* Copyright (C) 1986, 1987, 1988 Larry Wall
>
> Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
> - 2002, 2003, 2006, 2009, 2010 Free Software Foundation, Inc.
> + 2002, 2003, 2006, 2009, 2010, 2011 Free Software Foundation, Inc.
>
> This program is free software: you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
> @@ -935,6 +935,18 @@ intuit_diff_type (bool need_header, mode_t *p_file_type)
> instat = st[i];
> }
>
> + if (inname)
> + {
> + /* If inname starts with "../" ends with "/.." or contains
> + "/../", then issue a fatal error. */
> + size_t len = strlen (inname);
> + if (strnEQ (inname, "../", 3)
> + || strnEQ (inname + len - 3, "/..", 3)
I miss a check, that len is at least 3.
Bert
Re: [bug-patch] [PATCH] do not let a malicious patch create files above current directory, Jim Meyering, 2011/02/01