
Contents of /updates/2/squashfs-tools/current/SOURCES/path-issue.patch



Revision 338264 - (show annotations) (download)
Thu Jan 3 16:45:09 2013 UTC (11 years, 9 months ago) by tmb
File size: 2431 byte(s)
- unsquashfs: Fix potential stack overflow in get_component 
  (CVE-2012-4024) (P2, from Fedora, mga #8448)
- unsquashfs: Fix integer overflow exploit in queue_init() leading to
  heap overflow. (CVE-2012-4025) (P3, from Fedora, mga #8448)

1 From: Phillip Lougher <phillip@squashfs.org.uk>
2 Date: Thu, 22 Nov 2012 04:58:39 +0000 (+0000)
3 Subject: unsquashfs: fix CVE-2012-4024
4 X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=19c38fba0be1ce949ab44310d7f49887576cc123;hp=f7bbe5a202648b505879e2570672c012498f31fb
5
6 unsquashfs: fix CVE-2012-4024
7
8 Fix potential stack overflow in get_component() where an individual
9 pathname component in an extract file (specified on the command line
10 or in an extract file) could exceed the 1024 byte sized targname
11 allocated on the stack.
12
13 Fix by dynamically allocating targname rather than storing it as
14 a fixed size on the stack.
15
16 Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
17 ---
18
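--- a/squashfs-tools/unsquashfs.c
+++ b/squashfs-tools/unsquashfs.c
@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
 }
 
 
-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
 {
+ char *start;
+
 while(*target == '/')
 target ++;
 
+ start = target;
 while(*target != '/' && *target!= '\0')
- *targname ++ = *target ++;
+ target ++;
 
- *targname = '\0';
+ *targname = strndup(start, target - start);
 
 return target;
 }
@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
 
 struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
 {
- char targname[1024];
+ char *targname;
 int i, error;
 
 TRACE("add_path: adding \"%s\" extract file\n", target);
 
- target = get_component(target, targname);
+ target = get_component(target, &targname);
 
 if(paths == NULL) {
 paths = malloc(sizeof(struct pathname));
@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
 sizeof(struct path_entry));
 if(paths->name == NULL)
 EXIT_UNSQUASH("Out of memory in add_path\n");
- paths->name[i].name = strdup(targname);
+ paths->name[i].name = targname;
 paths->name[i].paths = NULL;
 if(use_regex) {
 paths->name[i].preg = malloc(sizeof(regex_t));
@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
 /*
 * existing matching entry
 */
+ free(targname);
+
 if(paths->name[i].paths == NULL) {
 /*
 * No sub-directory which means this is the leaf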
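Review bot: The `strndup()` result in get_component() is assigned to `*targname` with no NULL check, so an allocation failure reaches add_path() as a NULL name, which the third hunk then stores in `paths->name[i].name`. add_path() already handles a failed allocation with `EXIT_UNSQUASH("Out of memory in add_path\n")`, so the same convention fits directly after the strndup() line: `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");`. get_component() now hands a heap buffer to its caller, which deserves a comment above it such as `/* *targname is malloc'd; the caller must free() it or keep it */`. add_path() continues outside the visible hunks, so any exit path between the get_component() call and the store or `free(targname)` should be checked for a leak; that cannot be confirmed from this page.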
