cvs commit: patches/unzip unzip-5.50-dotdot.patch unzip-5.50-fix-Makefile.patch unzip-5.50-fix-libz.patch unzip-5.50-dont-make-noise.patch

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Fri Oct 3 07:17:47 PDT 2003


tushar      03/10/03 08:17:47

  Modified:    unzip    unzip-5.50-dont-make-noise.patch
  Added:       unzip    unzip-5.50-dotdot.patch
                        unzip-5.50-fix-Makefile.patch
                        unzip-5.50-fix-libz.patch
  Log:
  Added unzip patches
  
  Revision  Changes    Path
  1.2       +3 -2      patches/unzip/unzip-5.50-dont-make-noise.patch
  
  Index: unzip-5.50-dont-make-noise.patch
  ===================================================================
  RCS file: /home/cvsroot/patches/unzip/unzip-5.50-dont-make-noise.patch,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -u -r1.1 -r1.2
  --- unzip-5.50-dont-make-noise.patch	24 Sep 2003 01:32:58 -0000	1.1
  +++ unzip-5.50-dont-make-noise.patch	3 Oct 2003 14:17:47 -0000	1.2
  @@ -3,8 +3,9 @@
   Initial Package Version: 5.50
   Origin: http://archive.linuxfromscratch.org/mail-archives/blfs-dev/2003-August/003213.html
   Description: When unzipping files, the unzip stub prints out lot of "useful" info messages.
  -These messages can cause applications such as Midnight Commander. This patch is useful for
  -users linking unzip to the system zlib (i.e. installed as per the BLFS guidelines).
  +These messages can cause applications such as Midnight Commander to display strange behavior.
  +This patch is useful for users linking unzip to the system zlib
  +(i.e. installed as per the BLFS guidelines).
   --- unzip-5.50/unzipstb.c.orig	2003-09-22 01:05:45.000000000 -0500
   +++ unzip-5.50/unzipstb.c	2003-09-22 01:06:57.000000000 -0500
   @@ -30,27 +30,6 @@
  
  
  
  1.1                  patches/unzip/unzip-5.50-dotdot.patch
  
  Index: unzip-5.50-dotdot.patch
  ===================================================================
  Submitted By: Tushar Teredesai <tushar at linuxfromscratch.org>
  Date: 2003-10-03
  Initial Package Version: 5.50
  Origin: Redhat RPM, Gentoo Source
  Description: Fixes a directory traversal security (priority Medium) bug.
  Check out <http://archives.neohapsis.com/archives/bugtraq/2003-05/0113.html>.
  diff -ur unzip-5.50/unix/unix.c unzip-5.50-lhh/unix/unix.c
  --- unzip-5.50/unix/unix.c	2002-01-21 17:54:42.000000000 -0500
  +++ unzip-5.50-lhh/unix/unix.c	2003-06-11 18:35:38.000000000 -0400
  @@ -421,7 +421,8 @@
    */
   {
       char pathcomp[FILNAMSIZ];      /* path-component buffer */
  -    char *pp, *cp=(char *)NULL;    /* character pointers */
  +    char *pp, *cp=(char *)NULL,    /* character pointers */
  +         *dp=(char *)NULL;
       char *lastsemi=(char *)NULL;   /* pointer to last semi-colon in pathcomp */
   #ifdef ACORN_FTYPE_NFS
       char *lastcomma=(char *)NULL;  /* pointer to last comma in pathcomp */
  @@ -429,6 +430,7 @@
   #endif
       int quote = FALSE;             /* flags */
       int killed_ddot = FALSE;       /* is set when skipping "../" pathcomp */
  +    int snarf_ddot = FALSE;	   /* Is set while scanning for "../" */
       int error = MPN_OK;
       register unsigned workch;      /* hold the character being tested */
   
  @@ -467,6 +469,9 @@
       while ((workch = (uch)*cp++) != 0) {
   
           if (quote) {                 /* if character quoted, */
  +	    if ((pp == pathcomp) && (workch == '.'))
  +		/* Oh no you don't... */
  +		goto ddot_hack;
               *pp++ = (char)workch;    /*  include it literally */
               quote = FALSE;
           } else
  @@ -481,15 +486,44 @@
                   break;
   
               case '.':
  -                if (pp == pathcomp) {   /* nothing appended yet... */
  +                if (pp == pathcomp) {
  +ddot_hack:
  +		    /* nothing appended yet... */
                       if (*cp == '/') {   /* don't bother appending "./" to */
                           ++cp;           /*  the path: skip behind the '/' */
                           break;
  -                    } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
  -                        /* "../" dir traversal detected */
  -                        cp += 2;        /*  skip over behind the '/' */
  -                        killed_ddot = TRUE; /*  set "show message" flag */
  -                        break;
  +                    } else if (!uO.ddotflag) {
  +
  +			/*
  +			 * SECURITY: Skip past control characters if the user
  +			 * didn't OK use of absolute pathnames. lhh - this is
  +			 * a very quick, ugly, inefficient fix.
  +			 */
  +			dp = cp;
  +			do {
  +			    workch = (uch)(*dp);
  +			    if (workch == '/' && snarf_ddot) {
  +                                /* "../" dir traversal detected */
  +                                cp = dp + 1;      /* skip past the '/' */
  +                                killed_ddot = TRUE; /* set "show msg" flag */
  +                                break;
  +                            } else if (workch == '.' && !snarf_ddot) {
  +				snarf_ddot = TRUE;
  +                	    } else if (isprint(workch) ||
  +				       ((workch > 127) && (workch <= 254))) {
  +				/*
  +				 * Since we found a printable, non-ctrl char,
  +				 * we can stop looking for '../', the amount
  +				 * in ../!
  +				 */
  +			        break;
  +			    }
  +
  +			    dp++;
  +                        } while (*dp != 0);
  +
  +			if (killed_ddot)
  +			    break;
                       }
                   }
                   *pp++ = '.';
  
  
  
  1.1                  patches/unzip/unzip-5.50-fix-Makefile.patch
  
  Index: unzip-5.50-fix-Makefile.patch
  ===================================================================
  Submitted By: BLFS Book <blfs-book at linuxfromscratch.org>
  Date: 2003-10-03
  Initial Package Version: 5.50
  Origin: NA
  Description: Creates a missing symlink.
  diff -urN unzip-5.50/unix/Makefile unzip-5.50-rcl/unix/Makefile
  --- unzip-5.50/unix/Makefile	Sat Feb 16 17:00:38 2002
  +++ unzip-5.50-rcl/unix/Makefile	Sat Sep 28 14:32:44 2002
  @@ -818,6 +818,7 @@
   	ln -sf crc_gcc.pic.o crc32.pic.o
   	gcc -shared -Wl,-soname,libunzip.so.0 -o libunzip.so.0.4 $(OBJSDLL)
   	ln -sf libunzip.so.0.4 libunzip.so.0
  +	ln -sf libunzip.so.0.4 libunzip.so
   	gcc -c -O unzipstb.c
   	gcc -o unzip unzipstb.o -L. -lunzip -lz
  
  
  
  1.1                  patches/unzip/unzip-5.50-fix-libz.patch
  
  Index: unzip-5.50-fix-libz.patch
  ===================================================================
  Submitted By: BLFS Book <blfs-book at linuxfromscratch.org>
  Date: 2003-10-03
  Initial Package Version: 5.50
  Origin: NA
  Description: Fixes compilation against system zlib.
  diff -urN unzip-5.50/api.c unzip-5.50-rcl/api.c
  --- unzip-5.50/api.c	Thu Nov 22 23:43:26 2001
  +++ unzip-5.50-rcl/api.c	Sat Sep 28 14:31:51 2002
  @@ -48,6 +48,11 @@
   #endif
   #include "unzvers.h"
   
  +/* This is defined as zlibVersion() in zlib.h version 1.1.4 */
  +#ifdef   zlib_version
  +#  undef zlib_version
  +#endif
  +
   #ifdef DLL      /* This source file supplies DLL-only interface code. */
   
   jmp_buf dll_error_return;
  
  
  



More information about the patches mailing list