author | Mamoru Komachi <usata@gentoo.org> | 2004-09-07 13:18:13 +0000 |
---|---|---|
committer | Mamoru Komachi <usata@gentoo.org> | 2004-09-07 13:18:13 +0000 |
commit | d2dc51c99bfc3491f71b135101d3c6e12eeb079b (patch) | |
tree | a2fa7687b5534a720c2f945f44f671b66943cea2 /app-arch/lha | |
parent | Version bump without support for sqlite (Manifest recommit) (diff) | |
Fixed multiple vulnerabilities; bug #62618. Thanks to vorlon <vorlon@vorlons.info>.
Diffstat (limited to 'app-arch/lha')
-rw-r--r-- | app-arch/lha/ChangeLog | 10 | ||||
-rw-r--r-- | app-arch/lha/Manifest | 10 | ||||
-rw-r--r-- | app-arch/lha/files/digest-lha-114i-r4 | 1 | ||||
-rw-r--r-- | app-arch/lha/files/lha-114i-malloc.patch | 10 | ||||
-rw-r--r-- | app-arch/lha/files/lha-114i-symlink.patch | 10 | ||||
-rw-r--r-- | app-arch/lha/files/lha-command_buffer.patch | 196 | ||||
-rw-r--r-- | app-arch/lha/files/lha-dir_length_bounds_check.patch | 20 | ||||
-rw-r--r-- | app-arch/lha/lha-114i-r4.ebuild | 42 |
8 files changed, 296 insertions, 3 deletions
diff --git a/app-arch/lha/ChangeLog b/app-arch/lha/ChangeLog index aadb17da6eed..f0ef42938961 100644 --- a/app-arch/lha/ChangeLog +++ b/app-arch/lha/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for app-arch/lha # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-arch/lha/ChangeLog,v 1.18 2004/06/28 01:25:24 tgall Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-arch/lha/ChangeLog,v 1.19 2004/09/07 13:18:13 usata Exp $ + +*lha-114i-r4 (07 Sep 2004) + + 07 Sep 2004; Mamoru KOMACHI <usata@gentoo.org> +files/lha-114i-malloc.patch, + +files/lha-114i-symlink.patch, +files/lha-command_buffer.patch, + +files/lha-dir_length_bounds_check.patch, +lha-114i-r4.ebuild: + Fixed multiple vulnerabilities; bug #62618. Thanks to vorlon + <vorlon@vorlons.info>. 26 Jun 2004; Tom Gall <tgall@gentoo.org> lha-114i-r3.ebuild: stable ppc64, bug #55236 diff --git a/app-arch/lha/Manifest b/app-arch/lha/Manifest index 482c480a601a..c5a8c7a12463 100644 --- a/app-arch/lha/Manifest +++ b/app-arch/lha/Manifest 
@@ -1,7 +1,13 @@ MD5 3d857e3d86f3b286cd122594cc778d5a ChangeLog 2086 +MD5 a9a6b4253d2d5184ef402197965ad7f7 lha-114i-r4.ebuild 1072 MD5 dc873af8aed538add6d4037ce1e8ea6f lha-114i-r2.ebuild 860 MD5 e8d28951f8550ffff10118876051714e lha-114i-r3.ebuild 901 -MD5 0ca54fececc10dcda9d3e9f649102c78 files/digest-lha-114i-r2 59 +MD5 aecad116178774c3d84d2776e099639a files/rhel3-lha.patch 6437 MD5 0ca54fececc10dcda9d3e9f649102c78 files/digest-lha-114i-r3 59 -MD5 9c4e9404173fd5897d3736e33c909b81 files/lha-114i-lhext.diff 513 +MD5 0ca54fececc10dcda9d3e9f649102c78 files/digest-lha-114i-r2 59 MD5 7e87f643ac65634d0b934b7bfcd6a8cb files/lha-114i.diff 1721 +MD5 9c4e9404173fd5897d3736e33c909b81 files/lha-114i-lhext.diff 513 +MD5 ff83fd8d0be0194387cb243d91100e61 files/lha-dir_length_bounds_check.patch 556 +MD5 928b60b965833353acc7d99b063b9f29 files/lha-114i-malloc.patch 257 +MD5 414d7156c3bc01a95a10ee240e3e8535 files/lha-114i-symlink.patch 308 +MD5 0ca54fececc10dcda9d3e9f649102c78 files/digest-lha-114i-r4 59 diff --git a/app-arch/lha/files/digest-lha-114i-r4 b/app-arch/lha/files/digest-lha-114i-r4 new file mode 100644 index 000000000000..44da31fd5180 --- /dev/null +++ b/app-arch/lha/files/digest-lha-114i-r4 @@ -0,0 +1 @@ +MD5 5225884d557b91f04124693e2c5c9e94 lha-114i.tar.gz 64608 diff --git a/app-arch/lha/files/lha-114i-malloc.patch b/app-arch/lha/files/lha-114i-malloc.patch new file mode 100644 index 000000000000..cc3b034dc5e3 --- /dev/null +++ b/app-arch/lha/files/lha-114i-malloc.patch @@ -0,0 +1,10 @@ +--- lha-114i/src/lha.h.orig 2004-05-19 19:24:19.000000000 -0400 ++++ lha-114i/src/lha.h 2004-05-19 19:23:19.000000000 -0400 +@@ -16,6 +16,7 @@ + #include <sys/types.h> + #include <sys/file.h> + #include <sys/stat.h> ++#include <malloc.h> + + #include <signal.h> + diff --git a/app-arch/lha/files/lha-114i-symlink.patch b/app-arch/lha/files/lha-114i-symlink.patch new file mode 100644 index 000000000000..1189eef82e16 --- /dev/null +++ b/app-arch/lha/files/lha-114i-symlink.patch 
@@ -0,0 +1,10 @@
+--- lha-114i/src/lhext.c.symlink 2000-10-04 10:57:38.000000000 -0400
++++ lha-114i/src/lhext.c 2003-05-19 22:55:57.000000000 -0400
+@@ -351,6 +351,7 @@ extract_one(afp, hdr)
+ }
+
+ unlink(bb1);
++ make_parent_path(bb1);
+ l_code = symlink(bb2, bb1);
+ if (l_code < 0) {
+ if (quiet != TRUE)
diff --git a/app-arch/lha/files/lha-command_buffer.patch b/app-arch/lha/files/lha-command_buffer.patch
new file mode 100644
index 000000000000..e2a477784470
--- /dev/null
+++ b/app-arch/lha/files/lha-command_buffer.patch
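Review bot: The added `make_parent_path(bb1);` creates directories for a path that comes from the archive entry, and nothing visible here checks that `bb1` stays inside the extraction directory or that the link target `bb2` is non-null and acceptable before `symlink(bb2, bb1)` runs. A link whose target lies outside the extraction directory can redirect later writes, so the extractor should reject absolute names and `..` components before this point, or at least record the gap with `/* bb1 and bb2 are taken from the archive and are not validated here */`. How `bb1` and `bb2` are derived is outside this hunk, as is the rest of `extract_one`, so this needs confirming against the full function.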
@@ -0,0 +1,196 @@ +diff -urNp lha-114i.orig/src/lha_macro.h lha-114i/src/lha_macro.h +--- lha-114i.orig/src/lha_macro.h 2004-08-03 15:53:56.000000000 -0500 ++++ lha-114i/src/lha_macro.h 2004-08-03 15:54:05.000000000 -0500 +@@ -53,7 +53,7 @@ + #define SEEK_SET 0 + #define SEEK_CUR 1 + #define SEEK_END 2 +-#endif /* SEEK_SET ++#endif /* SEEK_SET */ + + + /* non-integral functions */ +diff -urNp lha-114i.orig/src/lharc.c lha-114i/src/lharc.c +--- lha-114i.orig/src/lharc.c 2004-08-03 15:53:56.000000000 -0500 ++++ lha-114i/src/lharc.c 2004-08-03 15:54:05.000000000 -0500 +@@ -830,9 +830,10 @@ find_files(name, v_filec, v_filev) + DIRENTRY *dp; + struct stat tmp_stbuf, arc_stbuf, fil_stbuf; + +- strcpy(newname, name); ++ strncpy(newname, name, sizeof(newname)); ++ newname[sizeof(newname)-1] = 0; + len = strlen(name); +- if (len > 0 && newname[len - 1] != '/') ++ if (len > 0 && newname[len - 1] != '/' && len < (sizeof(newname)-1)) + newname[len++] = '/'; + + dirp = opendir(name); +@@ -846,6 +847,11 @@ find_files(name, v_filec, v_filev) + + for (dp = readdir(dirp); dp != NULL; dp = readdir(dirp)) { + n = NAMLEN(dp); ++ if (len >= (sizeof(newname)-1) || ++ (len+n) >= (sizeof(newname)-1) || ++ n <= 0 || ++ (len+n) <= 0) ++ break; + strncpy(newname + len, dp->d_name, n); + newname[len + n] = '\0'; + if (GETSTAT(newname, &fil_stbuf) < 0) +@@ -903,7 +909,8 @@ build_temporary_name() + strcpy(temporary_name, TMP_FILENAME_TEMPLATE); + } + else { +- sprintf(temporary_name, "%s/lhXXXXXX", extract_directory); ++ snprintf(temporary_name, sizeof(temporary_name), ++ "%s/lhXXXXXX", extract_directory); + } + #ifdef MKSTEMP + mkstemp(temporary_name); +@@ -913,10 +920,16 @@ build_temporary_name() + #else + char *p, *s; + +- strcpy(temporary_name, archive_name); ++ strncpy(temporary_name, archive_name, sizeof(temporary_name)); ++ temporary_name[sizeof(temporary_name)-1] = 0; + for (p = temporary_name, s = (char *) 0; *p; p++) + if (*p == '/') + s = p; ++ ++ if( sizeof(temporary_name) - 
((size_t) (s-temporary_name)) - 1 ++ <= strlen("lhXXXXXX")) ++ exit(-1); ++ + strcpy((s ? s + 1 : temporary_name), "lhXXXXXX"); + #ifdef MKSTEMP + mkstemp(temporary_name); +@@ -1052,7 +1065,8 @@ open_old_archive() + + if (open_old_archive_1(archive_name, &fp)) + return fp; +- sprintf(expanded_archive_name, "%s.lzh", archive_name); ++ snprintf(expanded_archive_name, sizeof(expanded_archive_name), ++ "%s.lzh", archive_name); + if (open_old_archive_1(expanded_archive_name, &fp)) { + archive_name = expanded_archive_name; + return fp; +@@ -1061,7 +1075,8 @@ open_old_archive() + * if ( (errno&0xffff)!=E_PNNF ) { archive_name = + * expanded_archive_name; return NULL; } + */ +- sprintf(expanded_archive_name, "%s.lzs", archive_name); ++ snprintf(expanded_archive_name, sizeof(expanded_archive_name), ++ "%s.lzs", archive_name); + if (open_old_archive_1(expanded_archive_name, &fp)) { + archive_name = expanded_archive_name; + return fp; +diff -urNp lha-114i.orig/src/lhext.c lha-114i/src/lhext.c +--- lha-114i.orig/src/lhext.c 2004-08-03 15:53:56.000000000 -0500 ++++ lha-114i/src/lhext.c 2004-08-03 15:55:40.000000000 -0500 +@@ -82,7 +82,8 @@ make_parent_path(name) + register char *p; + + /* make parent directory name into PATH for recursive call */ +- strcpy(path, name); ++ memset(path, 0, sizeof(path)); ++ strncpy(path, name, sizeof(path)-1); + for (p = path + strlen(path); p > path; p--) + if (p[-1] == '/') { + *--p = '\0'; +@@ -212,9 +213,11 @@ extract_one(afp, hdr) + } + + if (extract_directory) +- sprintf(name, "%s/%s", extract_directory, q); +- else +- strcpy(name, q); ++ snprintf(name, sizeof(name), "%s/%s", extract_directory, q); ++ else { ++ strncpy(name, q, sizeof(name)); ++ name[sizeof(name) - 1] = '\0'; ++ } + + + /* LZHDIRS_METHOD�����ĥإå��������å����� */ +@@ -335,7 +338,8 @@ extract_one(afp, hdr) + if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_SYMLINK) { + char buf[256], *bb1, *bb2; + int l_code; +- strcpy(buf, name); ++ strncpy(buf, name, sizeof(buf)); ++ 
buf[sizeof(buf)-1] = 0; + bb1 = strtok(buf, "|"); + bb2 = strtok(NULL, "|"); + +@@ -365,9 +369,10 @@ extract_one(afp, hdr) + if (quiet != TRUE) { + printf("Symbolic Link %s -> %s\n", bb1, bb2); + } +- strcpy(name, bb1); /* Symbolic's name set */ ++ strncpy(name, bb1, 255); /* Symbolic's name set */ ++ name[255] = 0; + #else +- sprintf(buf, "%s -> %s", bb1, bb2); ++ sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2); + warning("Can't make Symbolic Link", buf); + return; + #endif +diff -urNp lha-114i.orig/src/lhlist.c lha-114i/src/lhlist.c +--- lha-114i.orig/src/lhlist.c 2004-08-03 15:53:56.000000000 -0500 ++++ lha-114i/src/lhlist.c 2004-08-03 15:54:05.000000000 -0500 +@@ -250,7 +250,8 @@ list_one(hdr) + printf(" %s", hdr->name); + else { + char buf[256], *b1, *b2; +- strcpy(buf, hdr->name); ++ strncpy(buf, hdr->name, sizeof(buf)); ++ buf[sizeof(buf)-1] = 0; + b1 = strtok(buf, "|"); + b2 = strtok(NULL, "|"); + printf(" %s -> %s", b1, b2); +diff -urNp lha-114i.orig/src/util.c lha-114i/src/util.c +--- lha-114i.orig/src/util.c 2004-08-03 15:53:56.000000000 -0500 ++++ lha-114i/src/util.c 2004-08-03 15:54:05.000000000 -0500 +@@ -276,21 +276,27 @@ rmdir(path) + char *path; + { + int stat, rtn = 0; +- char *cmdname; +- if ((cmdname = (char *) malloc(strlen(RMDIRPATH) + 1 + strlen(path) + 1)) +- == 0) ++ pid_t child; ++ ++ ++ /* XXX thomas: shell meta chars in path could exec commands */ ++ /* therefore we should avoid using system() */ ++ if ((child = fork()) < 0) ++ return (-1); /* fork error */ ++ else if (child) { /* parent process */ ++ while (child != wait(&stat)) /* ignore signals */ ++ continue; ++ } ++ else { /* child process */ ++ execl(RMDIRPATH, "rmdir", path, (char *) 0); ++ /* never come here except execl is error */ + return (-1); +- strcpy(cmdname, RMDIRPATH); +- *(cmdname + strlen(RMDIRPATH)) = ' '; +- strcpy(cmdname + strlen(RMDIRPATH) + 1, path); +- if ((stat = system(cmdname)) < 0) +- rtn = -1; /* fork or exec error */ +- else if (stat) { /* RMDIR command 
error */ +- errno = EIO; +- rtn = -1; + } +- free(cmdname); +- return (rtn); ++ if (stat != 0) { ++ errno = EIO; /* cannot get error num. */ ++ return (-1); ++ } ++ return (0); + } + + /* ------------------------------------------------------------------------ */ diff --git a/app-arch/lha/files/lha-dir_length_bounds_check.patch b/app-arch/lha/files/lha-dir_length_bounds_check.patch new file mode 100644 index 000000000000..7a0ae1e086e2 --- /dev/null +++ b/app-arch/lha/files/lha-dir_length_bounds_check.patch @@ -0,0 +1,20 @@ +--- src/header.c 2002-07-19 17:23:58.000000000 +0900 ++++ src/header.c 2004-06-16 09:49:23.000000000 +0900 +@@ -648,8 +648,17 @@ + } + + if (dir_length) { ++ if ((dir_length + name_length) > sizeof(dirname)) { ++ fprintf(stderr, "Insufficient buffer size\n"); ++ exit(112); ++ } + strcat(dirname, hdr->name); +- strcpy(hdr->name, dirname); ++ ++ if ((dir_length + name_length) > sizeof(hdr->name)) { ++ fprintf(stderr, "Insufficient buffer size\n"); ++ exit(112); ++ } ++ strncpy(hdr->name, dirname, sizeof(hdr->name)); + name_length += dir_length; + } diff --git a/app-arch/lha/lha-114i-r4.ebuild b/app-arch/lha/lha-114i-r4.ebuild new file mode 100644 index 000000000000..fc55fb930bd9 --- /dev/null +++ b/app-arch/lha/lha-114i-r4.ebuild 
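Review bot: In the `#else` branch of the symlink block in `extract_one`, the new line `sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);` passes a size where `sprintf` expects its format string, and should read `snprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);`. In the `rmdir` replacement the child does `return (-1)` when `execl` fails, so a second copy of the program carries on in the caller, and the parent's `while (child != wait(&stat))` loop never ends if `wait` itself fails; the fence shows the child leaving with `_exit` and the parent reaping with `waitpid`, which needs `<sys/wait.h>` (no include for it is visible in the hunk). In `build_temporary_name`, `s - temporary_name` is evaluated even when `archive_name` contains no `/` and `s` is still null, so the length check should begin `if (s != NULL && ...`. In `find_files`, `newname[len - 1]` is read before `len` is compared with `sizeof(newname)-1`, and the added `break` silently drops the rest of the directory, so the bound should be tested first and an over-long entry skipped with `continue`. Each of these functions extends beyond the lines shown in its inner hunk.

```c
/* … unchanged: declarations, comment and fork() error check … */
	else if (child) {	/* parent process */
		while (waitpid(child, &stat, 0) < 0)
			if (errno != EINTR)
				return (-1);	/* child could not be reaped */
	}
	else {			/* child process */
		execl(RMDIRPATH, "rmdir", path, (char *) 0);
		_exit(127);	/* exec failed: leave without returning into the caller */
	}
	if (!WIFEXITED(stat) || WEXITSTATUS(stat) != 0) {
		/* … unchanged: errno = EIO; return (-1); … */
	}
	/* … unchanged: return (0); … */
```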
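Review bot: Both added checks in the `if (dir_length)` block compare with `>` where `>=` is needed. When `dir_length + name_length` equals `sizeof(dirname)`, `strcat(dirname, hdr->name)` still writes its terminating NUL one byte past the buffer, and when the sum equals `sizeof(hdr->name)` the `strncpy` fills the array and leaves `hdr->name` unterminated. The conditions should be `if ((dir_length + name_length) >= sizeof(dirname))` and `if ((dir_length + name_length) >= sizeof(hdr->name))`. The checks also rely on `dir_length` matching the string already in `dirname`, which is set outside this hunk.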
@@ -0,0 +1,42 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/lha/lha-114i-r4.ebuild,v 1.1 2004/09/07 13:18:13 usata Exp $
+
+inherit eutils
+
+DESCRIPTION="Utility for creating and opening lzh archives"
+HOMEPAGE="http://www2m.biglobe.ne.jp/~dolphin/lha/lha-unix.htm"
+SRC_URI="http://www2m.biglobe.ne.jp/~dolphin/lha/prog/${P}.tar.gz"
+
+LICENSE="lha"
+SLOT="0"
+KEYWORDS="x86 ppc sparc alpha amd64 ppc64"
+IUSE=""
+
+DEPEND="virtual/libc"
+
+src_unpack () {
+ unpack ${A} ; cd ${S}
+ sed -i -e "/^OPTIMIZE/ s:-O2:${CFLAGS}:" Makefile
+ cd src
+ epatch ${FILESDIR}/${P}.diff
+ epatch ${FILESDIR}/${PN}-command_buffer.patch
+ epatch ${FILESDIR}/${P}-symlink.patch
+ epatch ${FILESDIR}/${P}-malloc.patch
+ epatch ${FILESDIR}/${PN}-dir_length_bounds_check.patch
+}
+
+src_compile() {
+ emake || die
+}
+
+src_install() {
+ dodir /usr/bin
+ dodir /usr/share/man/ja/man1
+ make \
+ BINDIR=${D}/usr/bin \
+ MANDIR=${D}/usr/share/man/ja \
+ install MANSECT=1 || die
+
+ dodoc *.txt *.euc *.eng
+} |
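Review bot: `epatch ${FILESDIR}/${PN}-command_buffer.patch` in `src_unpack` applies a file that has no MD5 line in this commit's Manifest hunk, while the Manifest gains `files/rhel3-lha.patch`, which the diffstat does not list as added. The largest of the security patches is therefore applied without an integrity record; regenerating the Manifest so that it carries an entry for `files/lha-command_buffer.patch` would close that. Separately, `unpack ${A} ; cd ${S}` and `cd src` continue on failure, so `cd "${S}" || die` and `cd src || die` would keep `sed` and `epatch` from running in the wrong directory.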