--- /dev/null
+Submitted By: Ken Moffat <ken@kenmoffat.uklinux.net>
+Date: 2005-07-29
+Initial Package Version: 2.6
+Upstream Status: Unknown
+Origin: from Mandrake
+Description: Vulnerability fixes, rediffed so that they all apply with
+ -p1 and consolidated to single patch. Also applicable to earlier versions.
+(1.) CAN-1999-1572 (still seems to apply to 2.6) cpio uses a 0 umask when
+creating files with -O or -F options, which creates the files with mode 0666
+and allows local users to overwrite them. Fix originally fom debian.
+(2.) CAN-2005-1111 Race condition in 2.6 and earlier allows local users to
+modify permissions of arbitrary files via a hard-link attack. Fix
+originally from fedora.
+(3.) CAN-2005-1229 Directory traversal vulnerability allows remote
+attackers to write to arbitrary directories via a dot dot in a cpio file.
+Fix by Peter Vrabec at RedHat.
+
+diff -Naur cpio-2.6.vanilla/doc/cpio.1 cpio-2.6/doc/cpio.1
+--- cpio-2.6.vanilla/doc/cpio.1 2004-08-30 17:21:48.000000000 +0100
++++ cpio-2.6/doc/cpio.1 2005-07-29 13:46:42.000000000 +0100
+@@ -20,7 +20,7 @@
+ [\-\-unconditional] [\-\-verbose] [\-\-block-size=blocks] [\-\-swap-halfwords]
+ [\-\-io-size=bytes] [\-\-pattern-file=file] [\-\-format=format]
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+-[\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
++[\-\-force\-local] [\-\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-quiet] [\-\-rsh-command=command] [\-\-help]
+ [\-\-version] [pattern...] [< archive]
+
+diff -Naur cpio-2.6.vanilla/doc/cpio.info cpio-2.6/doc/cpio.info
+--- cpio-2.6.vanilla/doc/cpio.info 2004-02-27 12:42:01.000000000 +0000
++++ cpio-2.6/doc/cpio.info 2005-07-29 13:46:42.000000000 +0100
+@@ -203,7 +203,7 @@
+ [--swap-halfwords] [--io-size=bytes] [--pattern-file=file]
+ [--format=format] [--owner=[user][:.][group]]
+ [--no-preserve-owner] [--message=message] [--help] [--version]
+- [-no-absolute-filenames] [--sparse] [-only-verify-crc] [-quiet]
++ [--absolute-filenames] [--sparse] [-only-verify-crc] [-quiet]
+ [--rsh-command=command] [pattern...] [< archive]
+
+ \1f
+@@ -358,9 +358,9 @@
+ Show numeric UID and GID instead of translating them into names
+ when using the `--verbose option'.
+
+-`--no-absolute-filenames'
+- Create all files relative to the current directory in copy-in
+- mode, even if they have an absolute file name in the archive.
++`--absolute-filenames'
++ Do not strip leading file name components that contain ".."
++ and leading slashes from file names in copy-in mode
+
+ `--no-preserve-owner'
+ Do not change the ownership of the files; leave them owned by the
+diff -Naur cpio-2.6.vanilla/src/copyin.c cpio-2.6/src/copyin.c
+--- cpio-2.6.vanilla/src/copyin.c 2004-09-08 12:10:02.000000000 +0100
++++ cpio-2.6/src/copyin.c 2005-07-29 13:46:42.000000000 +0100
+@@ -25,6 +25,7 @@
+ #include "dstring.h"
+ #include "extern.h"
+ #include "defer.h"
++#include "dirname.h"
+ #include <rmt.h>
+ #ifndef FNM_PATHNAME
+ #include <fnmatch.h>
+@@ -389,19 +390,26 @@
+ continue;
+ }
+
+- if (close (out_file_des) < 0)
+- error (0, errno, "%s", d->header.c_name);
+-
++ /*
++ * Avoid race condition.
++ * Set chown and chmod before closing the file desc.
++ * pvrabec@redhat.com
++ */
++
+ /* File is now copied; set attributes. */
+ if (!no_chown_flag)
+- if ((chown (d->header.c_name,
++ if ((fchown (out_file_des,
+ set_owner_flag ? set_owner : d->header.c_uid,
+ set_group_flag ? set_group : d->header.c_gid) < 0)
+ && errno != EPERM)
+ error (0, errno, "%s", d->header.c_name);
+ /* chown may have turned off some permissions we wanted. */
+- if (chmod (d->header.c_name, (int) d->header.c_mode) < 0)
++ if (fchmod (out_file_des, (int) d->header.c_mode) < 0)
+ error (0, errno, "%s", d->header.c_name);
++
++ if (close (out_file_des) < 0)
++ error (0, errno, "%s", d->header.c_name);
++
+ if (retain_time_flag)
+ {
+ times.actime = times.modtime = d->header.c_mtime;
+@@ -557,6 +565,25 @@
+ write (out_file_des, "", 1);
+ delayed_seek_count = 0;
+ }
++
++ /*
++ * Avoid race condition.
++ * Set chown and chmod before closing the file desc.
++ * pvrabec@redhat.com
++ */
++
++ /* File is now copied; set attributes. */
++ if (!no_chown_flag)
++ if ((fchown (out_file_des,
++ set_owner_flag ? set_owner : file_hdr->c_uid,
++ set_group_flag ? set_group : file_hdr->c_gid) < 0)
++ && errno != EPERM)
++ error (0, errno, "%s", file_hdr->c_name);
++
++ /* chown may have turned off some permissions we wanted. */
++ if (fchmod (out_file_des, (int) file_hdr->c_mode) < 0)
++ error (0, errno, "%s", file_hdr->c_name);
++
+ if (close (out_file_des) < 0)
+ error (0, errno, "%s", file_hdr->c_name);
+
+@@ -567,18 +594,6 @@
+ file_hdr->c_name, crc, file_hdr->c_chksum);
+ }
+
+- /* File is now copied; set attributes. */
+- if (!no_chown_flag)
+- if ((chown (file_hdr->c_name,
+- set_owner_flag ? set_owner : file_hdr->c_uid,
+- set_group_flag ? set_group : file_hdr->c_gid) < 0)
+- && errno != EPERM)
+- error (0, errno, "%s", file_hdr->c_name);
+-
+- /* chown may have turned off some permissions we wanted. */
+- if (chmod (file_hdr->c_name, (int) file_hdr->c_mode) < 0)
+- error (0, errno, "%s", file_hdr->c_name);
+-
+ if (retain_time_flag)
+ {
+ struct utimbuf times; /* For setting file times. */
+@@ -589,7 +604,7 @@
+ if (utime (file_hdr->c_name, ×) < 0)
+ error (0, errno, "%s", file_hdr->c_name);
+ }
+-
++
+ tape_skip_padding (in_file_des, file_hdr->c_filesize);
+ if (file_hdr->c_nlink > 1
+ && (archive_format == arf_newascii || archive_format == arf_crcascii) )
+@@ -1335,6 +1350,53 @@
+ }
+ }
+
++/* Return a safer suffix of FILE_NAME, or "." if it has no safer
++ suffix. Check for fully specified file names and other atrocities. */
++
++static const char *
++safer_name_suffix (char const *file_name)
++{
++ char const *p;
++
++ /* Skip file system prefixes, leading file name components that contain
++ "..", and leading slashes. */
++
++ size_t prefix_len = FILE_SYSTEM_PREFIX_LEN (file_name);
++
++ for (p = file_name + prefix_len; *p;)
++ {
++ if (p[0] == '.' && p[1] == '.' && (ISSLASH (p[2]) || !p[2]))
++ prefix_len = p + 2 - file_name;
++
++ do
++ {
++ char c = *p++;
++ if (ISSLASH (c))
++ break;
++ }
++ while (*p);
++ }
++
++ for (p = file_name + prefix_len; ISSLASH (*p); p++)
++ continue;
++ prefix_len = p - file_name;
++
++ if (prefix_len)
++ {
++ char *prefix = alloca (prefix_len + 1);
++ memcpy (prefix, file_name, prefix_len);
++ prefix[prefix_len] = '\0';
++
++
++ error (0, 0, _("Removing leading `%s' from member names"), prefix);
++ }
++
++ if (!*p)
++ p = ".";
++
++ return p;
++}
++
+ /* Read the collection from standard input and create files
+ in the file system. */
+
+@@ -1445,18 +1507,11 @@
+
+ /* Do we have to ignore absolute paths, and if so, does the filename
+ have an absolute path? */
+- if (no_abs_paths_flag && file_hdr.c_name && file_hdr.c_name [0] == '/')
++ if (!abs_paths_flag && file_hdr.c_name && file_hdr.c_name [0])
+ {
+- char *p;
++ const char *p = safer_name_suffix (file_hdr.c_name);
+
+- p = file_hdr.c_name;
+- while (*p == '/')
+- ++p;
+- if (*p == '\0')
+- {
+- strcpy (file_hdr.c_name, ".");
+- }
+- else
++ if (p != file_hdr.c_name)
+ {
+ /* Debian hack: file_hrd.c_name is sometimes set to
+ point to static memory by code in tar.c. This
+diff -Naur cpio-2.6.vanilla/src/copypass.c cpio-2.6/src/copypass.c
+--- cpio-2.6.vanilla/src/copypass.c 2004-09-06 13:09:04.000000000 +0100
++++ cpio-2.6/src/copypass.c 2005-07-29 13:46:07.000000000 +0100
+@@ -181,19 +181,25 @@
+ }
+ if (close (in_file_des) < 0)
+ error (0, errno, "%s", input_name.ds_string);
+- if (close (out_file_des) < 0)
+- error (0, errno, "%s", output_name.ds_string);
+-
++ /*
++ * Avoid race condition.
++ * Set chown and chmod before closing the file desc.
++ * pvrabec@redhat.com
++ */
+ /* Set the attributes of the new file. */
+ if (!no_chown_flag)
+- if ((chown (output_name.ds_string,
++ if ((fchown (out_file_des,
+ set_owner_flag ? set_owner : in_file_stat.st_uid,
+ set_group_flag ? set_group : in_file_stat.st_gid) < 0)
+ && errno != EPERM)
+ error (0, errno, "%s", output_name.ds_string);
+ /* chown may have turned off some permissions we wanted. */
+- if (chmod (output_name.ds_string, in_file_stat.st_mode) < 0)
++ if (fchmod (out_file_des, in_file_stat.st_mode) < 0)
++ error (0, errno, "%s", output_name.ds_string);
++
++ if (close (out_file_des) < 0)
+ error (0, errno, "%s", output_name.ds_string);
++
+ if (reset_time_flag)
+ {
+ times.actime = in_file_stat.st_atime;
+diff -Naur cpio-2.6.vanilla/src/extern.h cpio-2.6/src/extern.h
+--- cpio-2.6.vanilla/src/extern.h 2004-09-08 11:49:57.000000000 +0100
++++ cpio-2.6/src/extern.h 2005-07-29 13:47:34.000000000 +0100
+@@ -46,7 +46,7 @@
+ extern int sparse_flag;
+ extern int quiet_flag;
+ extern int only_verify_crc_flag;
+-extern int no_abs_paths_flag;
++extern int abs_paths_flag;
+ extern unsigned int warn_option;
+
+ /* Values for warn_option */
+@@ -91,6 +91,7 @@
+ extern char input_is_seekable;
+ extern char output_is_seekable;
+ extern char *program_name;
++extern mode_t sys_umask;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+ \f
+diff -Naur cpio-2.6.vanilla/src/global.c cpio-2.6/src/global.c
+--- cpio-2.6.vanilla/src/global.c 2004-09-08 11:23:44.000000000 +0100
++++ cpio-2.6/src/global.c 2005-07-29 13:47:34.000000000 +0100
+@@ -100,7 +100,7 @@
+ int only_verify_crc_flag = false;
+
+ /* If true, don't use any absolute paths, prefix them by `./'. */
+-int no_abs_paths_flag = false;
++int abs_paths_flag = false;
+
+ #ifdef DEBUG_CPIO
+ /* If true, print debugging information. */
+@@ -195,6 +195,9 @@
+ /* The name this program was run with. */
+ char *program_name;
+
++/* Debian hack to make the -d option honor the umask. */
++mode_t sys_umask;
++
+ /* A pointer to either lstat or stat, depending on whether
+ dereferencing of symlinks is done for input files. */
+ int (*xstat) ();
+diff -Naur cpio-2.6.vanilla/src/main.c cpio-2.6/src/main.c
+--- cpio-2.6.vanilla/src/main.c 2004-11-23 00:42:18.000000000 +0000
++++ cpio-2.6/src/main.c 2005-07-29 13:47:34.000000000 +0100
+@@ -41,6 +41,7 @@
+
+ enum cpio_options {
+ NO_ABSOLUTE_FILENAMES_OPTION=256,
++ ABSOLUTE_FILENAMES_OPTION,
+ NO_PRESERVE_OWNER_OPTION,
+ ONLY_VERIFY_CRC_OPTION,
+ RENAME_BATCH_FILE_OPTION,
+@@ -134,6 +135,8 @@
+ N_("In copy-in mode, read additional patterns specifying filenames to extract or list from FILE"), 210},
+ {"no-absolute-filenames", NO_ABSOLUTE_FILENAMES_OPTION, 0, 0,
+ N_("Create all files relative to the current directory"), 210},
++ {"absolute-filenames", ABSOLUTE_FILENAMES_OPTION, 0, 0,
++ N_("do not strip leading file name components that contain \"..\" and leading slashes from file names"), 210},
+ {"only-verify-crc", ONLY_VERIFY_CRC_OPTION, 0, 0,
+ N_("When reading a CRC format archive in copy-in mode, only verify the CRC's of each file in the archive, don't actually extract the files"), 210},
+ {"rename", 'r', 0, 0,
+@@ -392,7 +395,11 @@
+ break;
+
+ case NO_ABSOLUTE_FILENAMES_OPTION: /* --no-absolute-filenames */
+- no_abs_paths_flag = true;
++ abs_paths_flag = false;
++ break;
++
++ case ABSOLUTE_FILENAMES_OPTION: /* --absolute-filenames */
++ abs_paths_flag = true;
+ break;
+
+ case NO_PRESERVE_OWNER_OPTION: /* --no-preserve-owner */
+@@ -631,7 +638,7 @@
+ _("--append is used but no archive file name is given (use -F or -O options")));
+
+ CHECK_USAGE(rename_batch_file, "--rename-batch-file", "--create");
+- CHECK_USAGE(no_abs_paths_flag, "--no-absolute-pathnames", "--create");
++ CHECK_USAGE(abs_paths_flag, "--absolute-pathnames", "--create");
+ CHECK_USAGE(input_archive_name, "-I", "--create");
+ if (archive_name && output_archive_name)
+ USAGE_ERROR ((0, 0, _("Both -O and -F are used in copy-out mode")));
+@@ -658,7 +665,7 @@
+ CHECK_USAGE(rename_flag, "--rename", "--pass-through");
+ CHECK_USAGE(append_flag, "--append", "--pass-through");
+ CHECK_USAGE(rename_batch_file, "--rename-batch-file", "--pass-through");
+- CHECK_USAGE(no_abs_paths_flag, "--no-absolute-pathnames",
++ CHECK_USAGE(abs_paths_flag, "--absolute-pathnames",
+ "--pass-through");
+ CHECK_USAGE(to_stdout_option, "--to-stdout", "--pass-through");
+
+@@ -740,7 +747,6 @@
+ textdomain (PACKAGE);
+
+ program_name = argv[0];
+- umask (0);
+
+ #ifdef __TURBOC__
+ _fmode = O_BINARY; /* Put stdin and stdout in binary mode. */
+@@ -751,6 +757,7 @@
+ #endif
+
+ process_args (argc, argv);
++ sys_umask = umask (0);
+
+ initialize_buffers ();
+
projects / people / pmueller / ipfire-2.x.git / blobdiff