From 4b3160c81a682ff27ff2ad2b4ad9d45c6e6d9905 Mon Sep 17 00:00:00 2001 From: Tim Waugh Date: Thu, 10 Feb 2011 12:33:04 +0000 Subject: [PATCH] Incorporate upstream fix for CVE-2010-4651 patch (bug #667529). --- patch-CVE-2010-4651.patch | 78 +++++++++++++++++++++++++++------------ patch.spec | 6 ++- 2 files changed, 60 insertions(+), 24 deletions(-) diff --git a/patch-CVE-2010-4651.patch b/patch-CVE-2010-4651.patch index d7556b6..3f2de6a 100644 --- a/patch-CVE-2010-4651.patch +++ b/patch-CVE-2010-4651.patch @@ -1,7 +1,6 @@ -diff -U0 patch-2.6.1/ChangeLog.CVE-2010-4651 patch-2.6.1/ChangeLog diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in ---- patch-2.6.1/Makefile.in.CVE-2010-4651 2011-02-08 11:26:21.782503673 +0000 -+++ patch-2.6.1/Makefile.in 2011-02-08 11:26:56.004078346 +0000 +--- patch-2.6.1/Makefile.in.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000 ++++ patch-2.6.1/Makefile.in 2011-02-10 12:29:32.926361705 +0000 @@ -192,6 +192,7 @@ installcheck:: TESTS = \ tests/asymmetric-hunks \ @@ -10,27 +9,38 @@ diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in tests/corrupt-reject-files \ tests/create-delete \ tests/crlf-handling \ -diff -up patch-2.6.1/NEWS.CVE-2010-4651 patch-2.6.1/NEWS -diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c ---- patch-2.6.1/src/pch.c.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000 -+++ patch-2.6.1/src/pch.c 2011-02-08 11:25:53.821034698 +0000 -@@ -3,7 +3,7 @@ - /* Copyright (C) 1986, 1987, 1988 Larry Wall +diff -up patch-2.6.1/src/common.h.CVE-2010-4651 patch-2.6.1/src/common.h +--- patch-2.6.1/src/common.h.CVE-2010-4651 2011-02-10 12:30:29.142797627 +0000 ++++ patch-2.6.1/src/common.h 2011-02-10 12:30:33.566989729 +0000 +@@ -169,6 +169,7 @@ XTERN char *revision; /* prerequisite + #endif - Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001, -- 2002, 2003, 2006, 2009 Free Software Foundation, Inc. -+ 2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc. + void fatal_exit (int) __attribute__ ((noreturn)); ++void validate_target_name (char const *n); - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -194,11 +194,31 @@ grow_hunkmax (void) - return false; + #include + #if !STDC_HEADERS && !defined errno +diff -up patch-2.6.1/src/patch.c.CVE-2010-4651 patch-2.6.1/src/patch.c +--- patch-2.6.1/src/patch.c.CVE-2010-4651 2011-02-10 12:30:20.721432124 +0000 ++++ patch-2.6.1/src/patch.c 2011-02-10 12:30:33.567989772 +0000 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + /* procedures */ + +@@ -916,6 +917,26 @@ numeric_string (char const *string, + return value; } -+static void ++void +validate_target_name (char const *n) +{ + char const *p = n; ++ if (explicit_inname) ++ return; + if (IS_ABSOLUTE_FILE_NAME (p)) + fatal ("rejecting absolute target file name: %s", quotearg (p)); + while (*p) @@ -45,8 +55,22 @@ diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c + } +} + - static bool - maybe_reverse (char const *name, bool nonexistent, bool is_empty) + /* Attempt to find the right place to apply this hunk of patch. */ + + static LINENUM +diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c +--- patch-2.6.1/src/pch.c.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000 ++++ patch-2.6.1/src/pch.c 2011-02-10 12:30:33.573990033 +0000 +@@ -3,7 +3,7 @@ + /* Copyright (C) 1986, 1987, 1988 Larry Wall + + Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001, +- 2002, 2003, 2006, 2009 Free Software Foundation, Inc. ++ 2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -199,6 +199,8 @@ maybe_reverse (char const *name, bool no { bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty]; @@ -55,7 +79,7 @@ diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c if (looks_reversed) reverse ^= ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!", -@@ -725,6 +745,7 @@ intuit_diff_type (bool need_header) +@@ -725,6 +727,7 @@ intuit_diff_type (bool need_header) inerrno = stat_errno[i]; invc = version_controlled[i]; instat = st[i]; @@ -64,9 +88,9 @@ diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c return retval; diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames ---- patch-2.6.1/tests/bad-filenames.CVE-2010-4651 2011-02-08 11:24:57.517092060 +0000 -+++ patch-2.6.1/tests/bad-filenames 2011-02-08 11:24:57.518092076 +0000 -@@ -0,0 +1,63 @@ +--- patch-2.6.1/tests/bad-filenames.CVE-2010-4651 2011-02-10 12:29:32.931361921 +0000 ++++ patch-2.6.1/tests/bad-filenames 2011-02-10 12:30:33.576990163 +0000 +@@ -0,0 +1,71 @@ +# Copyright (C) 2011 Free Software Foundation, Inc. +# +# Copying and distribution of this file, with or without modification, @@ -130,3 +154,11 @@ diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-fil +patching file target +status: 0 +EOF ++ ++# Do not validate any file name from the input when the target ++# is specified on the command line: ++touch abs ++check 'emit_patch /absolute/path | patch `pwd`/abs; echo status: $?' < 2.6.1-8 +- Incorporate upstream fix for CVE-2010-4651 patch so that a target + name given on the command line is not validated (bug #667529). + * Tue Feb 8 2011 Tim Waugh 2.6.1-7 - Applied upstream patch to fix CVE-2010-4651 so that malicious patches cannot create files above the current directory