diff --git a/iniparser-3.1-Fix-crash-with-crafted-ini-files.patch b/iniparser-3.1-Fix-crash-with-crafted-ini-files.patch
new file mode 100644
index 0000000..8af9500
--- /dev/null
+++ b/iniparser-3.1-Fix-crash-with-crafted-ini-files.patch
@@ -0,0 +1,40 @@
+From 654ea5fae25f0863d958e3ecd0bc0672603e0b4c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 10 Jan 2014 11:15:43 +0100
+Subject: [PATCH] Fix crash with crafted ini files.
+
+If the key or value is bigger than 1024 we will end up in a buffer
+overflow. The overflow is caught by _FORTIFY_SOURCE, so it's definitely
+DoS-only. Curiously, because of ample space in the stack frame, it does
+not result in a crash without _FORTIFY_SOURCE in all cases.
+
+Signed-off-by: Andreas Schneider
+---
+ src/iniparser.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/iniparser.c b/src/iniparser.c
+index 4430032..18dbbbe 100644
+--- a/src/iniparser.c
++++ b/src/iniparser.c
+@@ -633,7 +633,7 @@ dictionary * iniparser_load(const char * ininame)
+ char line [ASCIILINESZ+1] ;
+ char section [ASCIILINESZ+1] ;
+ char key [ASCIILINESZ+1] ;
+- char tmp [ASCIILINESZ+1] ;
++ char tmp [(ASCIILINESZ * 2) + 1] ;
+ char val [ASCIILINESZ+1] ;
+
+ int last=0 ;
+@@ -699,7 +699,7 @@ dictionary * iniparser_load(const char * ininame)
+ break ;
+
+ case LINE_VALUE:
+- sprintf(tmp, "%s:%s", section, key);
++ snprintf(tmp, sizeof(tmp), "%s:%s", section, key);
+ errs = dictionary_set(dict, tmp, val) ;
+ break ;
+
+--
+1.8.4.2
+
diff --git a/iniparser-3.1-fix_long_line_crash.patch b/iniparser-3.1-fix_long_line_crash.patch
new file mode 100644
index 0000000..e0e4c8f
--- /dev/null
+++ b/iniparser-3.1-fix_long_line_crash.patch
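Review bot: The enlarged `tmp` is still one byte short of the longest string `"%s:%s"` can produce: `section` and `key` are each declared `[ASCIILINESZ+1]`, so each holds up to ASCIILINESZ characters, and joining them with `:` gives 2*ASCIILINESZ+1 characters plus the terminator, i.e. 2*ASCIILINESZ+2 bytes, while `tmp` is `(ASCIILINESZ * 2) + 1`. With `snprintf` this is no longer a memory-safety bug, but at the boundary the last character of `key` is silently dropped and the entry is stored under a different name than the file specified, which a caller looking it up will not notice; declare `char tmp [(ASCIILINESZ * 2) + 2] ;`, or keep the size and treat an `snprintf` return value of `sizeof(tmp)` or more as a parse error for that line instead of calling `dictionary_set`. Whether the parser bounds `section` and `key` to their declared sizes when it fills them is outside the hunk, so the protection here rests on that being true. The identical change is repeated verbatim in `iniparser-3.1-fix_long_line_crash.patch` below and carries the same off-by-one. `iniparser_load` starts before and continues after both hunks.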
@@ -0,0 +1,22 @@
+Index: iniparser/src/iniparser.c
+===================================================================
+--- iniparser.orig/src/iniparser.c
++++ iniparser/src/iniparser.c
+@@ -633,7 +633,7 @@ dictionary * iniparser_load(const char *
+ char line [ASCIILINESZ+1] ;
+ char section [ASCIILINESZ+1] ;
+ char key [ASCIILINESZ+1] ;
+- char tmp [ASCIILINESZ+1] ;
++ char tmp [(ASCIILINESZ * 2) + 1] ;
+ char val [ASCIILINESZ+1] ;
+
+ int last=0 ;
+@@ -699,7 +699,7 @@ dictionary * iniparser_load(const char *
+ break ;
+
+ case LINE_VALUE:
+- sprintf(tmp, "%s:%s", section, key);
++ snprintf(tmp, sizeof(tmp), "%s:%s", section, key);
+ errs = dictionary_set(dict, tmp, val) ;
+ break ;
+
diff --git a/iniparser.spec b/iniparser.spec
index b9a8a36..cf8ee5e 100644
--- a/iniparser.spec
+++ b/iniparser.spec
@@ -3,13 +3,14 @@
 Name: iniparser
 Version: 3.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: C library for parsing "INI-style" files
 Group: System Environment/Libraries
 License: MIT
 URL: http://ndevilla.free.fr/%{name}/
 Source0: http://ndevilla.free.fr/%{name}/%{name}-%{version}.tar.gz
+Patch0: iniparser-3.1-Fix-crash-with-crafted-ini-files.patch
 %description
 iniParser is an ANSI C library to parse "INI-style" files, often used to
@@ -27,6 +28,7 @@ you will need to install %{name}-devel.
 %prep
 %setup -q -n %{name}
+%patch0 -p1 -b .iniparser-3.1-Fix-crash-with-crafted-ini-files.patch
 %build
 # remove library rpath from Makefile
@@ -64,6 +66,9 @@ make check
 %{_includedir}/*.h
 %changelog
+* Fri Jan 10 2014 - Andreas Schneider - 3.1-4
+- resolves: #1031119 - Fix possible crash with crafted ini files.
+
 * Sat Aug 03 2013 Fedora Release Engineering - 3.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
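Review bot: `iniparser-3.1-fix_long_line_crash.patch` is added by this commit but nothing in the spec references it: the only source line added is `Patch0: iniparser-3.1-Fix-crash-with-crafted-ini-files.patch` and the only application is `%patch0 -p1 -b …` in `%prep`, so the second file is dead in the package. Its content is the same two-hunk change as `Patch0`, only in quilt header format rather than git format-patch, so keeping both invites the copies to drift apart the next time the fix is revised. Either drop the unreferenced file or, if it is meant to be the one that is applied, list it as the patch source and remove the other. The `Patch0:` and `%patch0` lines are consistent with each other, and the changelog entry matches the `Release:` bump.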