patch/patches/patch-2.6.1-CVE-2010-4651.patch

   1 diff -up patch-2.6.1/Makefile.in.CVE-2010-4651 patch-2.6.1/Makefile.in
   2 --- patch-2.6.1/Makefile.in.CVE-2010-4651       2009-12-30 12:56:30.000000000 +0000
   3 +++ patch-2.6.1/Makefile.in     2011-02-10 12:29:32.926361705 +0000
   4 @@ -192,6 +192,7 @@ installcheck::
   5  TESTS = \
   6         tests/asymmetric-hunks \
   7         tests/backup-prefix-suffix \
   8 +       tests/bad-filenames \
   9         tests/corrupt-reject-files \
  10         tests/create-delete \
  11         tests/crlf-handling \
  12 diff -up patch-2.6.1/src/common.h.CVE-2010-4651 patch-2.6.1/src/common.h
  13 --- patch-2.6.1/src/common.h.CVE-2010-4651      2011-02-10 12:30:29.142797627 +0000
  14 +++ patch-2.6.1/src/common.h    2011-02-10 12:30:33.566989729 +0000
  15 @@ -169,6 +169,7 @@ XTERN char *revision;                       /* prerequisite
  16  #endif
  17
  18  void fatal_exit (int) __attribute__ ((noreturn));
  19 +void validate_target_name (char const *n);
  20
  21  #include <errno.h>
  22  #if !STDC_HEADERS && !defined errno
  23 diff -up patch-2.6.1/src/patch.c.CVE-2010-4651 patch-2.6.1/src/patch.c
  24 --- patch-2.6.1/src/patch.c.CVE-2010-4651       2011-02-10 12:30:20.721432124 +0000
  25 +++ patch-2.6.1/src/patch.c     2011-02-10 12:30:33.567989772 +0000
  26 @@ -34,6 +34,7 @@
  27  #include <util.h>
  28  #include <version.h>
  29  #include <xalloc.h>
  30 +#include <dirname.h>
  31
  32  /* procedures */
  33
  34 @@ -916,6 +917,26 @@ numeric_string (char const *string,
  35    return value;
  36  }
  37
  38 +void
  39 +validate_target_name (char const *n)
  40 +{
  41 +  char const *p = n;
  42 +  if (explicit_inname)
  43 +    return;
  44 +  if (IS_ABSOLUTE_FILE_NAME (p))
  45 +    fatal ("rejecting absolute target file name: %s", quotearg (p));
  46 +  while (*p)
  47 +    {
  48 +      if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
  49 +       fatal ("rejecting target file name with \"..\" component: %s",
  50 +              quotearg (n));
  51 +      while (*p && ! ISSLASH (*p))
  52 +       p++;
  53 +      while (ISSLASH (*p))
  54 +       p++;
  55 +    }
  56 +}
  57 +
  58  /* Attempt to find the right place to apply this hunk of patch. */
  59
  60  static LINENUM
  61 diff -up patch-2.6.1/src/pch.c.CVE-2010-4651 patch-2.6.1/src/pch.c
  62 --- patch-2.6.1/src/pch.c.CVE-2010-4651 2009-12-30 12:56:30.000000000 +0000
  63 +++ patch-2.6.1/src/pch.c       2011-02-10 12:30:33.573990033 +0000
  64 @@ -3,7 +3,7 @@
  65  /* Copyright (C) 1986, 1987, 1988 Larry Wall
  66
  67     Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
  68 -   2002, 2003, 2006, 2009 Free Software Foundation, Inc.
  69 +   2002, 2003, 2006, 2009, 2011 Free Software Foundation, Inc.
  70
  71     This program is free software; you can redistribute it and/or modify
  72     it under the terms of the GNU General Public License as published by
  73 @@ -199,6 +199,8 @@ maybe_reverse (char const *name, bool no
  74  {
  75    bool looks_reversed = (! is_empty) < p_says_nonexistent[reverse ^ is_empty];
  76
  77 +  validate_target_name (name);
  78 +
  79    if (looks_reversed)
  80      reverse ^=
  81        ok_to_reverse ("The next patch%s would %s the file %s,\nwhich %s!",
  82 @@ -725,6 +727,7 @@ intuit_diff_type (bool need_header)
  83         inerrno = stat_errno[i];
  84         invc = version_controlled[i];
  85         instat = st[i];
  86 +       validate_target_name (inname);
  87        }
  88
  89      return retval;
  90 diff -up patch-2.6.1/tests/bad-filenames.CVE-2010-4651 patch-2.6.1/tests/bad-filenames
  91 --- patch-2.6.1/tests/bad-filenames.CVE-2010-4651       2011-02-10 12:29:32.931361921 +0000
  92 +++ patch-2.6.1/tests/bad-filenames     2011-02-10 12:30:33.576990163 +0000
  93 @@ -0,0 +1,71 @@
  94 +# Copyright (C) 2011 Free Software Foundation, Inc.
  95 +#
  96 +# Copying and distribution of this file, with or without modification,
  97 +# in any medium, are permitted without royalty provided the copyright
  98 +# notice and this notice are preserved.
  99 +
 100 +. $srcdir/test-lib.sh
 101 +
 102 +use_local_patch
 103 +use_tmpdir
 104 +
 105 +# ================================================================
 106 +
 107 +emit_2()
 108 +{
 109 +cat <<EOF
 110 +--- $1
 111 ++++ $2
 112 +@@ -0,0 +1 @@
 113 ++x
 114 +EOF
 115 +}
 116 +
 117 +emit_patch() { emit_2 /dev/null "$1"; }
 118 +
 119 +# Ensure that patch rejects an output file name that is absolute
 120 +# or that contains a ".." component.
 121 +
 122 +check 'emit_patch /absolute/path | patch -p0; echo status: $?' <<EOF
 123 +$PATCH: **** rejecting absolute target file name: /absolute/path
 124 +status: 2
 125 +EOF
 126 +
 127 +check 'emit_patch a/../z | patch -p0; echo status: $?' <<EOF
 128 +$PATCH: **** rejecting target file name with ".." component: a/../z
 129 +status: 2
 130 +EOF
 131 +
 132 +check 'emit_patch a/../z | patch -p1; echo status: $?' <<EOF
 133 +$PATCH: **** rejecting target file name with ".." component: ../z
 134 +status: 2
 135 +EOF
 136 +
 137 +check 'emit_patch a/.. | patch -p0; echo status: $?' <<EOF
 138 +$PATCH: **** rejecting target file name with ".." component: a/..
 139 +status: 2
 140 +EOF
 141 +
 142 +check 'emit_patch ../z | patch -p0; echo status: $?' <<EOF
 143 +$PATCH: **** rejecting target file name with ".." component: ../z
 144 +status: 2
 145 +EOF
 146 +
 147 +check 'emit_2 /abs/path target | patch -p0; echo status: $?' <<EOF
 148 +patching file target
 149 +status: 0
 150 +EOF
 151 +
 152 +echo x > target
 153 +check 'emit_2 /abs/path target | patch -R -p0; echo status: $?' <<EOF
 154 +patching file target
 155 +status: 0
 156 +EOF
 157 +
 158 +# Do not validate any file name from the input when the target
 159 +# is specified on the command line:
 160 +touch abs
 161 +check 'emit_patch /absolute/path | patch `pwd`/abs; echo status: $?' <<EOF
 162 +patching file `pwd`/abs
 163 +status: 0
 164 +EOF