Merge branch 'f13' into f14

2011-02-08 11:36:18 +00:00 · 2011-02-08 11:36:18 +00:00 · b11ad96980
commit b11ad96980
parent 40f33bcfae 68f90bed20
3 changed files with 159 additions and 16 deletions
--- a/patch-CVE-2010-4651.patch
+++ b/patch-CVE-2010-4651.patch
@ -0,0 +1,132 @@
+diff -U0 patch-2.6.1/ChangeLog.CVE-2010-4651 patch-2.6.1/ChangeLog
+diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
+--- patch-2.6.1/Makefile.in.CVE-2010-4651	2011-02-08 11:26:21.782503673 +0000
+++ patch-2.6.1/Makefile.in	2011-02-08 11:26:56.004078346 +0000
+@@ -192,6 +192,7 @@ installcheck::
+ TESTS = \
+ 	tests/asymmetric-hunks \
+ 	tests/backup-prefix-suffix \
+	tests/bad-filenames \
+ 	tests/corrupt-reject-files \
+ 	tests/create-delete \
+ 	tests/crlf-handling \
+diff -up patch-2.6.1/NEWS.CVE-2010-4651 patch-2.6.1/NEWS
+diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
+--- patch-2.6.1/src/pch.c.CVE-2010-4651	2009-12-30 12:56:30.000000000 +0000
+++ patch-2.6.1/src/pch.c	2011-02-08 11:25:53.821034698 +0000
+@@ -3,7 +3,7 @@
+ /* Copyright (C) 1986, 1987, 1988 Larry Wall
+ 
+    Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
+-   2002, 2003, 2006, 2009 Free Software Foundation, Inc.
+   2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+@@ -194,11 +194,31 @@ grow_hunkmax (void)
+     return false;
+ }
+ 
+static void
+validate_target_name (char const *n)
+{
+  char const *p = n;
+  if (IS_ABSOLUTE_FILE_NAME (p))
+    fatal ("rejecting absolute target file name: %s", quotearg (p));
+  while (*p)
+    {
+      if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
+	fatal ("rejecting target file name with \"..\" component: %s",
+	       quotearg (n));
+      while (*p && ! ISSLASH (*p))
+	p++;
+      while (ISSLASH (*p))
+	p++;
+    }
+}
+
+ static bool
+ maybe_reverse (char const *name, bool nonexistent, bool is_empty)
+ {
+   bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty];
+ 
+  validate_target_name (name);
+
+   if (looks_reversed)
+     reverse ^=
+       ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!",
+@@ -725,6 +745,7 @@ intuit_diff_type (bool need_header)
+ 	inerrno = stat_errno[i];
+ 	invc = version_controlled[i];
+ 	instat = st[i];
+	validate_target_name (inname);
+       }
+ 
+     return retval;
+diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames
+--- patch-2.6.1/tests/bad-filenames.CVE-2010-4651	2011-02-08 11:24:57.517092060 +0000
+++ patch-2.6.1/tests/bad-filenames	2011-02-08 11:24:57.518092076 +0000
+@@ -0,0 +1,63 @@
+# Copyright (C) 2011 Free Software Foundation, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# in any medium, are permitted without royalty provided the copyright
+# notice and this notice are preserved.
+
+. $srcdir/test-lib.sh
+
+use_local_patch
+use_tmpdir
+
+# ================================================================
+
+emit_2()
+{
+cat <<EOF
+--- $1
++++ $2
+@@ -0,0 +1 @@
++x
+EOF
+}
+
+emit_patch() { emit_2 /dev/null "$1"; }
+
+# Ensure that patch rejects an output file name that is absolute
+# or that contains a ".." component.
+
+check 'emit_patch /absolute/path | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting absolute target file name: /absolute/path
+status: 2
+EOF
+
+check 'emit_patch a/../z | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: a/../z
+status: 2
+EOF
+
+check 'emit_patch a/../z | patch -p1; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: ../z
+status: 2
+EOF
+
+check 'emit_patch a/.. | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: a/..
+status: 2
+EOF
+
+check 'emit_patch ../z | patch -p0; echo status: $?' <<EOF
+$PATCH: **** rejecting target file name with ".." component: ../z
+status: 2
+EOF
+
+check 'emit_2 /abs/path target | patch -p0; echo status: $?' <<EOF
+patching file target
+status: 0
+EOF
+
+echo x > target
+check 'emit_2 /abs/path target | patch -R -p0; echo status: $?' <<EOF
+patching file target
+status: 0
+EOF
--- a/patch-selinux.patch
+++ b/patch-selinux.patch
@ -1,6 +1,6 @@
 diff -up patch-2.6.1/Makefile.in.selinux patch-2.6.1/Makefile.in
--- patch-2.6.1/Makefile.in.selinux	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/Makefile.in	2010-08-16 17:36:31.778174077 +0100
+--- patch-2.6.1/Makefile.in.selinux	2011-02-08 11:29:34.590271489 +0000
+++ patch-2.6.1/Makefile.in	2011-02-08 11:29:34.602271607 +0000
@@ -40,7 +40,7 @@ EXEEXT = @EXEEXT@
 LDFLAGS = @LDFLAGS@
 LIBOBJDIR = gl/lib/
@ -12,7 +12,7 @@ diff -up patch-2.6.1/Makefile.in.selinux patch-2.6.1/Makefile.in
 PACKAGE_VERSION = @PACKAGE_VERSION@
 diff -up patch-2.6.1/src/common.h.selinux patch-2.6.1/src/common.h
 --- patch-2.6.1/src/common.h.selinux	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/src/common.h	2010-08-16 17:36:31.779174533 +0100
+++ patch-2.6.1/src/common.h	2011-02-08 11:29:34.602271607 +0000
@@ -32,6 +32,8 @@
 #include <sys/types.h>
 #include <time.h>
@ -31,8 +31,8 @@ diff -up patch-2.6.1/src/common.h.selinux patch-2.6.1/src/common.h
 XTERN bool posixly_correct;
 
 diff -up patch-2.6.1/src/inp.c.selinux patch-2.6.1/src/inp.c
--- patch-2.6.1/src/inp.c.selinux	2010-08-16 17:36:31.767177911 +0100
-+++ patch-2.6.1/src/inp.c	2010-08-16 17:36:59.356174175 +0100
+--- patch-2.6.1/src/inp.c.selinux	2011-02-08 11:29:34.576271352 +0000
+++ patch-2.6.1/src/inp.c	2011-02-08 11:29:34.604271627 +0000
@@ -152,8 +152,18 @@ get_input_file (char const *filename, ch
     char *diffbuf;
     char *getbuf;
@ -72,8 +72,8 @@ diff -up patch-2.6.1/src/inp.c.selinux patch-2.6.1/src/inp.c
     else if (! S_ISREG (instat.st_mode))
       fatal ("File %s is not a regular file -- can't patch",
 diff -up patch-2.6.1/src/patch.c.selinux patch-2.6.1/src/patch.c
--- patch-2.6.1/src/patch.c.selinux	2010-08-16 17:36:31.775174023 +0100
-+++ patch-2.6.1/src/patch.c	2010-08-16 17:36:31.782174240 +0100
+--- patch-2.6.1/src/patch.c.selinux	2011-02-08 11:29:34.586271450 +0000
+++ patch-2.6.1/src/patch.c	2011-02-08 11:29:34.606271646 +0000
@@ -421,6 +421,21 @@ main (int argc, char **argv)
 			      /* Fails if we are not in group instat.st_gid.  */
 			      chown (outname, -1, instat.st_gid);
@ -97,9 +97,9 @@ diff -up patch-2.6.1/src/patch.c.selinux patch-2.6.1/src/patch.c
 			}
 		    }
 diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
--- patch-2.6.1/src/pch.c.selinux	2009-12-30 12:56:30.000000000 +0000
-+++ patch-2.6.1/src/pch.c	2010-08-16 17:36:31.786174283 +0100
-@@ -287,7 +287,12 @@ there_is_another_patch (bool need_header
+--- patch-2.6.1/src/pch.c.selinux	2011-02-08 11:29:34.591271499 +0000
+++ patch-2.6.1/src/pch.c	2011-02-08 11:30:08.810621570 +0000
+@@ -307,7 +307,12 @@ there_is_another_patch (bool need_header
 	    inname[t - buf - 1] = 0;
 	    if (stat (inname, &instat) == 0)
 	      {
@ -113,7 +113,7 @@ diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
 		invc = -1;
 	      }
 	    else
-@@ -661,7 +666,7 @@ intuit_diff_type (bool need_header)
+@@ -681,7 +686,7 @@ intuit_diff_type (bool need_header)
 			  if (cs)
 			    {
 			      if (version_get (p_name[i], cs, false, readonly,
@ -122,17 +122,17 @@ diff -up patch-2.6.1/src/pch.c.selinux patch-2.6.1/src/pch.c
 				stat_errno[i] = 0;
 			      else
 				version_controlled[i] = 0;
-@@ -725,6 +730,7 @@ intuit_diff_type (bool need_header)
- 	inerrno = stat_errno[i];
+@@ -746,6 +751,7 @@ intuit_diff_type (bool need_header)
 	invc = version_controlled[i];
 	instat = st[i];
+ 	validate_target_name (inname);
 +	getfilecon (inname, &incontext);
       }
 
     return retval;
 diff -up patch-2.6.1/src/util.c.selinux patch-2.6.1/src/util.c
 --- patch-2.6.1/src/util.c.selinux	2009-11-02 19:09:57.000000000 +0000
-+++ patch-2.6.1/src/util.c	2010-08-16 17:36:31.794173938 +0100
+++ patch-2.6.1/src/util.c	2011-02-08 11:29:34.613271715 +0000
@@ -574,7 +574,8 @@ version_controller (char const *filename
    Return true if successful.  */
 bool
@ -159,7 +159,7 @@ diff -up patch-2.6.1/src/util.c.selinux patch-2.6.1/src/util.c
   return 1;
 diff -up patch-2.6.1/src/util.h.selinux patch-2.6.1/src/util.h
 --- patch-2.6.1/src/util.h.selinux	2009-11-02 19:09:57.000000000 +0000
-+++ patch-2.6.1/src/util.h	2010-08-16 17:36:31.795173993 +0100
+++ patch-2.6.1/src/util.h	2011-02-08 11:29:34.614271726 +0000
@@ -51,7 +51,7 @@ char *fetchname (char *, int, char **, t
 char *savebuf (char const *, size_t);
 char *savestr (char const *);
--- a/patch.spec
+++ b/patch.spec
@ -1,13 +1,14 @@
 Summary: Utility for modifying/upgrading files
 Name: patch
 Version: 2.6.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 URL: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
 Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Patch1: patch-2.5.4-sigsegv.patch
 Patch2: patch-get-arg.patch
+Patch3: patch-CVE-2010-4651.patch
 Patch100: patch-selinux.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

@ -33,6 +34,11 @@ applications.
 # Fixed argument type for --get (bug #553624).
 %patch2 -p1 -b .get-arg

+# Applied upstream patch to fix CVE-2010-4651 so that malicious
+# patches cannot create files above the current directory
+# (bug #667529).
+%patch3 -p1 -b .CVE-2010-4651
+
 # SELinux support.
 %patch100 -p1 -b .selinux

@ -61,6 +67,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/*/*

 %changelog
+* Tue Feb  8 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-7
+- Applied upstream patch to fix CVE-2010-4651 so that malicious
+  patches cannot create files above the current directory
+  (bug #667529).
+
 * Tue Jan  4 2011 Tim Waugh <twaugh@redhat.com> 2.6.1-6
 - Use smp_mflags correctly (bug #665770).