|
|
|
|
@ -9,3 +9,90 @@
|
|
|
|
|
[ $? -eq 0 ] && CPP="${CPP} -DNO_UNDERLINE"
|
|
|
|
|
if eval "$CPP crc_i386.S > _crc_i386.s 2>/dev/null"; then
|
|
|
|
|
if eval "$CC -c _crc_i386.s >/dev/null 2>/dev/null" && [ -f _crc_i386.o ]
|
|
|
|
|
|
|
|
|
|
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0282
|
|
|
|
|
Directory traversal vulnerability in UnZip 5.50 allows attackers to
|
|
|
|
|
overwrite arbitrary files via invalid characters between two . (dot)
|
|
|
|
|
characters, which are filtered and result in a ".." sequence.
|
|
|
|
|
|
|
|
|
|
--- unzip-5.50/unix/unix.c.orig 2002-01-21 17:54:42.000000000 -0500
|
|
|
|
|
+++ unzip-5.50/unix/unix.c 2003-06-11 18:35:38.000000000 -0400
|
|
|
|
|
@@ -421,7 +421,8 @@
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
char pathcomp[FILNAMSIZ]; /* path-component buffer */
|
|
|
|
|
- char *pp, *cp=(char *)NULL; /* character pointers */
|
|
|
|
|
+ char *pp, *cp=(char *)NULL, /* character pointers */
|
|
|
|
|
+ *dp=(char *)NULL;
|
|
|
|
|
char *lastsemi=(char *)NULL; /* pointer to last semi-colon in pathcomp */
|
|
|
|
|
#ifdef ACORN_FTYPE_NFS
|
|
|
|
|
char *lastcomma=(char *)NULL; /* pointer to last comma in pathcomp */
|
|
|
|
|
@@ -429,6 +430,7 @@
|
|
|
|
|
#endif
|
|
|
|
|
int quote = FALSE; /* flags */
|
|
|
|
|
int killed_ddot = FALSE; /* is set when skipping "../" pathcomp */
|
|
|
|
|
+ int snarf_ddot = FALSE; /* Is set while scanning for "../" */
|
|
|
|
|
int error = MPN_OK;
|
|
|
|
|
register unsigned workch; /* hold the character being tested */
|
|
|
|
|
|
|
|
|
|
@@ -467,6 +469,9 @@
|
|
|
|
|
while ((workch = (uch)*cp++) != 0) {
|
|
|
|
|
|
|
|
|
|
if (quote) { /* if character quoted, */
|
|
|
|
|
+ if ((pp == pathcomp) && (workch == '.'))
|
|
|
|
|
+ /* Oh no you don't... */
|
|
|
|
|
+ goto ddot_hack;
|
|
|
|
|
*pp++ = (char)workch; /* include it literally */
|
|
|
|
|
quote = FALSE;
|
|
|
|
|
} else
|
|
|
|
|
@@ -481,15 +486,44 @@
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '.':
|
|
|
|
|
- if (pp == pathcomp) { /* nothing appended yet... */
|
|
|
|
|
+ if (pp == pathcomp) {
|
|
|
|
|
+ddot_hack:
|
|
|
|
|
+ /* nothing appended yet... */
|
|
|
|
|
if (*cp == '/') { /* don't bother appending "./" to */
|
|
|
|
|
++cp; /* the path: skip behind the '/' */
|
|
|
|
|
break;
|
|
|
|
|
- } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
|
|
|
|
|
- /* "../" dir traversal detected */
|
|
|
|
|
- cp += 2; /* skip over behind the '/' */
|
|
|
|
|
- killed_ddot = TRUE; /* set "show message" flag */
|
|
|
|
|
- break;
|
|
|
|
|
+ } else if (!uO.ddotflag) {
|
|
|
|
|
+
|
|
|
|
|
+ /*
|
|
|
|
|
+ * SECURITY: Skip past control characters if the user
|
|
|
|
|
+ * didn't OK use of absolute pathnames. lhh - this is
|
|
|
|
|
+ * a very quick, ugly, inefficient fix.
|
|
|
|
|
+ */
|
|
|
|
|
+ dp = cp;
|
|
|
|
|
+ do {
|
|
|
|
|
+ workch = (uch)(*dp);
|
|
|
|
|
+ if (workch == '/' && snarf_ddot) {
|
|
|
|
|
+ /* "../" dir traversal detected */
|
|
|
|
|
+ cp = dp + 1; /* skip past the '/' */
|
|
|
|
|
+ killed_ddot = TRUE; /* set "show msg" flag */
|
|
|
|
|
+ break;
|
|
|
|
|
+ } else if (workch == '.' && !snarf_ddot) {
|
|
|
|
|
+ snarf_ddot = TRUE;
|
|
|
|
|
+ } else if (isprint(workch) ||
|
|
|
|
|
+ ((workch > 127) && (workch <= 254))) {
|
|
|
|
|
+ /*
|
|
|
|
|
+ * Since we found a printable, non-ctrl char,
|
|
|
|
|
+ * we can stop looking for '../', the amount
|
|
|
|
|
+ * in ../!
|
|
|
|
|
+ */
|
|
|
|
|
+ break;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ dp++;
|
|
|
|
|
+ } while (*dp != 0);
|
|
|
|
|
+
|
|
|
|
|
+ if (killed_ddot)
|
|
|
|
|
+ break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
*pp++ = '.';
|
|
|
|
|
|
