[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [bug-patch] [PATCH] do not let a malicious patch create files above
From: |
Jim Meyering |
Subject: |
Re: [bug-patch] [PATCH] do not let a malicious patch create files above current directory |
Date: |
Tue, 01 Feb 2011 12:25:55 +0100 |
Bert Wesarg wrote:
>> + {
>> + /* If inname starts with "../" ends with "/.." or contains
>> + "/../", then issue a fatal error. */
>> + size_t len = strlen (inname);
>> + if (strnEQ (inname, "../", 3)
>> + || strnEQ (inname + len - 3, "/..", 3)
>
> I miss a check, that len is at least 3.
Good catch. That's why I stored the length in "len",
but then I forgot to add it. Thanks!
Here's the corrected patch (removed stray last line from the log, too):
>From da345c4d84348c339a3c794b8427aaf0ce7ff805 Mon Sep 17 00:00:00 2001
From: Jim Meyering <address@hidden>
Date: Tue, 1 Feb 2011 11:21:15 +0100
Subject: [PATCH] do not let a malicious patch create files above current
directory
This addresses CVE-2010-4651, reported by Jakub Wilk.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
* src/pch.c (intuit_diff_type): Reject any file name containing a
component of "..".
* tests/dot-dot: New file. Test for this.
* tests/Makefile.am (TESTS): Add it.
---
ChangeLog | 12 +++++++++++-
src/pch.c | 15 ++++++++++++++-
tests/Makefile.am | 3 ++-
tests/dot-dot | 45 +++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 72 insertions(+), 3 deletions(-)
create mode 100644 tests/dot-dot
diff --git a/ChangeLog b/ChangeLog
index bbe5fe7..88db61c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2011-02-01 Jim Meyering <address@hidden>
+
+ do not let a malicious patch create files above current directory
+ This addresses CVE-2010-4651, reported by Jakub Wilk.
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
+ * src/pch.c (intuit_diff_type): Reject any file name containing a
+ component of "..".
+ * tests/dot-dot: New file. Test for this.
+ * tests/Makefile.am (TESTS): Add it.
+
2010-12-04 Andreas Gruenbacher <address@hidden>
* src/util.c (make_tempfile): Create missing directories when
@@ -3594,7 +3604,7 @@ Sun Dec 17 17:29:48 1989 Jim Kingdon (kingdon at
hobbes.ai.mit.edu)
Copyright (C) 1984, 1985, 1986, 1987, 1988 Larry Wall.
Copyright (C) 1989, 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
-2002, 2009, 2010 Free Software Foundation, Inc.
+2002, 2009, 2010, 2011 Free Software Foundation, Inc.
This file is part of GNU Patch.
diff --git a/src/pch.c b/src/pch.c
index 1653ee4..1f4b926 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -3,7 +3,7 @@
/* Copyright (C) 1986, 1987, 1988 Larry Wall
Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
- 2002, 2003, 2006, 2009, 2010 Free Software Foundation, Inc.
+ 2002, 2003, 2006, 2009, 2010, 2011 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -935,6 +935,19 @@ intuit_diff_type (bool need_header, mode_t *p_file_type)
instat = st[i];
}
+ if (inname)
+ {
+ /* If inname starts with "../" ends with "/.." or contains
+ "/../", then issue a fatal error. */
+ size_t len = strlen (inname);
+ if (len >= 3
+ && (strnEQ (inname, "../", 3)
+ || strnEQ (inname + len - 3, "/..", 3)
+ || strstr (inname, "/../")))
+ fatal ("rejecting file name with \"..\" component: %s",
+ quotearg (inname));
+ }
+
return retval;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ffe02af..69d8ea1 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,5 +1,5 @@
# Copyright (C) 1989, 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2002,
-# 2003, 2006, 2009, 2010 Free Software Foundation, Inc.
+# 2003, 2006, 2009, 2010, 2011 Free Software Foundation, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -24,6 +24,7 @@ TESTS = \
create-delete \
criss-cross \
crlf-handling \
+ dot-dot \
dash-o-append \
empty-files \
file-modes \
diff --git a/tests/dot-dot b/tests/dot-dot
new file mode 100644
index 0000000..41cf917
--- /dev/null
+++ b/tests/dot-dot
@@ -0,0 +1,45 @@
+# Copyright (C) 2011 Free Software Foundation, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# in any medium, are permitted without royalty provided the copyright
+# notice and this notice are preserved.
+
+# Don't recognize hunks before a filename has been specified/seen
+
+. $srcdir/test-lib.sh
+
+require_cat
+use_local_patch
+use_tmpdir
+
+# ==============================================================
+
+emit_patch()
+{
+cat <<EOF
+--- /dev/null
++++ $1
+@@ -0,0 +1 @@
++x
+EOF
+}
+
+check 'emit_patch a/../z | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting file name with ".." component: a/../z
+status: 2
+EOF
+
+check 'emit_patch a/../z | patch -p1; echo status: $?' <<EOF
+$PATCH: **** rejecting file name with ".." component: ../z
+status: 2
+EOF
+
+check 'emit_patch a/.. | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting file name with ".." component: a/..
+status: 2
+EOF
+
+check 'emit_patch ../z | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting file name with ".." component: ../z
+status: 2
+EOF
--
1.7.3.5.44.g960a
Re: [bug-patch] [PATCH] do not let a malicious patch create files above current directory, Jim Meyering, 2011/02/01