From 51604f30957277f0f1cdecd4fcc2d8e1040a5859 Mon Sep 17 00:00:00 2001 From: "B. Watson" Date: Tue, 7 Apr 2015 19:58:35 +0700 Subject: system/arj: Security fixes. Signed-off-by: Willy Sudiarto Raharjo --- system/arj/arj.SlackBuild | 10 ++- system/arj/patches/001_arches_align.patch | 6 ++ .../arj/patches/002_no_remove_static_const.patch | 8 ++ system/arj/patches/003_64_bit_clean.patch | 7 ++ system/arj/patches/004_parallel_build.patch | 6 ++ system/arj/patches/005_use_system_strnlen.patch | 8 ++ system/arj/patches/006_use_safe_strcpy.patch | 9 +++ system/arj/patches/doc_refer_robert_k_jung.patch | 7 ++ system/arj/patches/gnu_build_fix.patch | 7 ++ system/arj/patches/gnu_build_flags.patch | 6 ++ system/arj/patches/gnu_build_strip.patch | 9 +++ system/arj/patches/hurd_no_fcntl_getlk.patch | 8 ++ system/arj/patches/security-afl.patch | 35 +++++++++ system/arj/patches/security-traversal-dir.patch | 33 +++++++++ .../arj/patches/security-traversal-symlink.patch | 85 ++++++++++++++++++++++ system/arj/patches/security_format.patch | 6 ++ system/arj/patches/self_integrity_64bit.patch | 52 +++++++++++++ system/arj/patches/series | 5 +- 18 files changed, 302 insertions(+), 5 deletions(-) create mode 100644 system/arj/patches/security-afl.patch create mode 100644 system/arj/patches/security-traversal-dir.patch create mode 100644 system/arj/patches/security-traversal-symlink.patch create mode 100644 system/arj/patches/self_integrity_64bit.patch (limited to 'system') diff --git a/system/arj/arj.SlackBuild b/system/arj/arj.SlackBuild index 49e052d924..19b37ae319 100644 --- a/system/arj/arj.SlackBuild +++ b/system/arj/arj.SlackBuild 
@@ -6,9 +6,13 @@ # Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details. +# 20150406 bkw: security vulns in arj! +# http://www.securityfocus.com/archive/1/535190 +# Already patched in debian, add their patches here. + PRGNAM=arj VERSION=${VERSION:-3.10.22} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} if [ -z "$ARCH" ]; then @@ -55,9 +59,7 @@ find -L . \ # Use Debian's patches. See https://packages.debian.org/sid/arj. These are # needed to get the source to build on modern systems, and work correctly -# on 64-bit systems. The SBo_integrity_64bit.patch is my own, it fixes -# "arj i" on 64-bit (and I've sent it to the debian maintainer as well). - +# on 64-bit systems. for i in $( cat $CWD/patches/series ); do patch -p1 < $CWD/patches/$i done diff --git a/system/arj/patches/001_arches_align.patch b/system/arj/patches/001_arches_align.patch index 96180dab70..48b3fe2b12 100644 --- a/system/arj/patches/001_arches_align.patch +++ b/system/arj/patches/001_arches_align.patch @@ -1,3 +1,9 @@ +Description: Correct build failure on ia64 due to unaligned memory access. +Author: Guillem Jover +Origin: vendor +Forwarded: no +Last-Update: 2008-06-16 + Index: b/arj_proc.c =================================================================== --- a/arj_proc.c 2005-06-21 22:53:12.000000000 +0300 diff --git a/system/arj/patches/002_no_remove_static_const.patch b/system/arj/patches/002_no_remove_static_const.patch index 9f435316e2..c1abbe26e3 100644 --- a/system/arj/patches/002_no_remove_static_const.patch +++ b/system/arj/patches/002_no_remove_static_const.patch @@ -1,3 +1,11 @@ +Description: Set the static const intergrity_identifier variable as volatile + instead of building the file with -O0 to avoid the compiler optimizing it + away, so that we can use standard flags everywhere. +Author: Guillem Jover +Origin: vendor +Forwarded: no +Last-Update: 2013-05-10 + --- integr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
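Review bot: The patch loop `patch -p1 < $CWD/patches/$i` in the second hunk still ignores patch's exit status, so a security patch that fails to apply would let the build continue and package an unpatched binary; unless the script runs under `set -e` (not visible in either hunk), change that line to `patch -p1 < $CWD/patches/$i || exit 1` so the build fails closed. The new comment block cites only the securityfocus post; I'd also name the identifiers the patches themselves carry so a maintainer can match advisories to this BUILD bump, e.g. `# Fixes CVE-2015-0556 (symlink traversal) plus Debian bugs 774015 and 774435; see patches/series.` The trailing blank line after the old "arj i" comment was dropped along with it, which is fine, but the remaining sentence now ends mid-thought ("work correctly on 64-bit systems.") without saying which patch does that — a pointer to self_integrity_64bit.patch would keep the history the removed text carried.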
diff --git a/system/arj/patches/003_64_bit_clean.patch b/system/arj/patches/003_64_bit_clean.patch
index 4e32a86a6a..90a1311614 100644
--- a/system/arj/patches/003_64_bit_clean.patch
+++ b/system/arj/patches/003_64_bit_clean.patch
@@ -1,3 +1,10 @@
+Description: Make code 64-bit clean.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/339815
+Forwarded: no
+Last-Update: 2005-11-24
+
 Index: b/arj_arcv.c
 ===================================================================
 --- a/arj_arcv.c 2005-06-21 22:53:12.000000000 +0300
diff --git a/system/arj/patches/004_parallel_build.patch b/system/arj/patches/004_parallel_build.patch
index 3351376233..bed4a406ae 100644
--- a/system/arj/patches/004_parallel_build.patch
+++ b/system/arj/patches/004_parallel_build.patch
@@ -1,3 +1,9 @@
+Description: Fix upstream build sysstem to support parallel builds.
+Author: Guillem Jover
+Origin: vendor
+Forwarded: no
+Last-Update: 2007-12-05
+
 ---
 gnu/makefile.in | 74 +++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 44 insertions(+), 30 deletions(-)
diff --git a/system/arj/patches/005_use_system_strnlen.patch b/system/arj/patches/005_use_system_strnlen.patch
index 00a459809b..4a5dd13d1e 100644
--- a/system/arj/patches/005_use_system_strnlen.patch
+++ b/system/arj/patches/005_use_system_strnlen.patch
@@ -1,3 +1,11 @@
+Description: Detect and conditionally use system strnlen function.
+ This fixes build failures when the system has eglibc 2.10.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/546475
+Forwarded: no
+Last-Update: 2009-09-13
+
 ---
 fardata.c | 2 ++
 gnu/config.h.in | 1 +
diff --git a/system/arj/patches/006_use_safe_strcpy.patch b/system/arj/patches/006_use_safe_strcpy.patch
index ffcab3031e..006385a0af 100644
--- a/system/arj/patches/006_use_safe_strcpy.patch
+++ b/system/arj/patches/006_use_safe_strcpy.patch
@@ -1,3 +1,12 @@
+Description: Use a safe strcpy for overlapping strings, among others
+ fixes a build problem with a mangled generated .c file by msgbind
+ (thus FTBFS), and CRC errors at run-time.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/590354
+Forwarded: no
+Last-Update: 2010-07-26
+
 ---
 arj.c | 2 +-
 arjdata.c | 9 +--------
diff --git a/system/arj/patches/doc_refer_robert_k_jung.patch b/system/arj/patches/doc_refer_robert_k_jung.patch
index f61b558775..43870e9d06 100644
--- a/system/arj/patches/doc_refer_robert_k_jung.patch
+++ b/system/arj/patches/doc_refer_robert_k_jung.patch
@@ -1,3 +1,10 @@
+Description: Refer to original author Robert K. Jung in the manual page.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/456275
+Forwarded: no
+Last-Update: 2008-06-16
+
 Index: b/resource/en/arj.1
 ===================================================================
 --- a/resource/en/arj.1 2005-06-21 21:27:20.000000000 +0300
diff --git a/system/arj/patches/gnu_build_fix.patch b/system/arj/patches/gnu_build_fix.patch
index e9ab1b6929..5737ea9a60 100644
--- a/system/arj/patches/gnu_build_fix.patch
+++ b/system/arj/patches/gnu_build_fix.patch
@@ -1,3 +1,10 @@
+Description: Fix build failure on GNU/Hurd due to missing -ldl, by
+ adding “gnu*” to the configure case handling libdl linking.
+Author: Guillem Jover
+Origin: vendor
+Forwarded: no
+Last-Update: 2011-02-28
+
 ---
 gnu/configure.in | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/system/arj/patches/gnu_build_flags.patch b/system/arj/patches/gnu_build_flags.patch
index 89a8ffe653..b5e0e30059 100644
--- a/system/arj/patches/gnu_build_flags.patch
+++ b/system/arj/patches/gnu_build_flags.patch
@@ -1,3 +1,9 @@
+Description: Fix upstream build system to honour CPPFLAGS and LDFLAGS.
+Author: Guillem Jover
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-09
+
 ---
 gnu/makefile.in | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/system/arj/patches/gnu_build_strip.patch b/system/arj/patches/gnu_build_strip.patch
index 8b543dcd28..e34b07d269 100644
--- a/system/arj/patches/gnu_build_strip.patch
+++ b/system/arj/patches/gnu_build_strip.patch
@@ -1,3 +1,12 @@
+Description: Support nostrip build option.
+ By changing the upstrem build system to optionally strip the binaries
+ after the linking stage and before their preprocessing.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/436473
+Forwarded: no
+Last-Update: 2013-05-10
+
 ---
 gnu/makefile.in | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/system/arj/patches/hurd_no_fcntl_getlk.patch b/system/arj/patches/hurd_no_fcntl_getlk.patch
index ff1113f831..85fdbbf3bf 100644
--- a/system/arj/patches/hurd_no_fcntl_getlk.patch
+++ b/system/arj/patches/hurd_no_fcntl_getlk.patch
@@ -1,3 +1,11 @@
+Description: Fix build failure on GNU/Hurd, by handling unimplemented
+ fcntl(F_GETLK). The Hurd does not implement yet fcntl(F_GETLK) and
+ returns ENOSYS, handle this as a non-fatal error.
+Author: Guillem Jover
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-10
+
 ---
 environ.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/system/arj/patches/security-afl.patch b/system/arj/patches/security-afl.patch
new file mode 100644
index 0000000000..ed2bf57717
--- /dev/null
+++ b/system/arj/patches/security-afl.patch
@@ -0,0 +1,35 @@ +Description: Fix buffer overflow causing an invalid pointer free(). +Author: Guillem Jover +Origin: vendor +Bug-Debian: https://bugs.debian.org/774015 +Forwarded: no +Last-Update: 2015-02-26 + +--- + decode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/decode.c ++++ b/decode.c +@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i + if(i==i_special) + { + c=getbits(2); +- while(--c>=0) ++ while(--c>=0&&i=0) ++ while(--c>=0&&i +Origin: vendor +Bug-Debian: https://bugs.debian.org/774435 +Forwarded: no +Last-Update: 2015-02-26 + +--- + environ.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/environ.c ++++ b/environ.c +@@ -1087,6 +1087,8 @@ static char *validate_path(char *name) + if(action!=VALIDATE_DRIVESPEC) + { + #endif ++ while (name[0]!='\0'&& ++ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) { + if(name[0]=='.') + { + if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX)) +@@ -1096,6 +1098,7 @@ static char *validate_path(char *name) + } + if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX) + name++; /* "\\" - revert to root */ ++ } + #if SFX_LEVEL>=ARJSFXV + } + } diff --git a/system/arj/patches/security-traversal-symlink.patch b/system/arj/patches/security-traversal-symlink.patch new file mode 100644 index 0000000000..32481692b3 --- /dev/null +++ b/system/arj/patches/security-traversal-symlink.patch 
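Review bot: The two changed `while` lines in the security-afl hunk read `while(--c>=0&&i` with the right-hand side of the comparison missing, and the patch's tail (its second hunk, the closing lines of decode.c and the start of the security-traversal-dir description that follows) is absent from what is shown; as displayed the file would not apply. This is most likely the `<` and everything up to the next `>` being dropped by the rendering rather than by the committed file, but because a non-applying patch here means the overflow the patch is meant to fix stays in the shipped binary, verify the committed security-afl.patch against Debian bug 774015 and confirm that `patch` reports both decode.c hunks applied. From the truncated context the bound being added appears to be the table length the function receives (`nn` in `read_pt_len`'s signature); a one-line comment such as `/* never fill past the caller's table length */` on the changed loops would make the intent survive the next rebase.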
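Review bot: The new `while` loop in validate_path strips only a leading run of `.`, `..` and separator components, so a `..` component that follows an ordinary component is untouched by this hunk; unless the rest of validate_path (which continues outside both hunks) rejects or normalises such names, member paths can still resolve above the extraction directory. A comment stating the contract above the loop would make that explicit, e.g. `/* strips leading "./", "../" and path separators only; embedded ".." must be handled below */`, and if nothing below handles it, rejecting any `..` component outright is the usual extractor fix. The pre-existing `/* "\\" - revert to root */` comment on the `name++` line now sits inside a loop that discards leading separators rather than honouring them, so it reads as the opposite of what the code does and is worth rewording.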
@@ -0,0 +1,85 @@
+Description: Fix symlink directory traversal.
+ Do not allow symlinks that traverse the current directoru, nor absolute
+ symlinks.
+ .
+ Fixes CVE-2015-0556.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774434
+Forwarded: no
+Last-Update: 2015-03-28
+
+---
+ uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+--- a/uxspec.c
++++ b/uxspec.c
+@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
+ #endif
+
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++ enum {
++ STATE_NONE,
++ STATE_DOTS,
++ STATE_NAME,
++ } state = STATE_NONE;
++ int ndir = 0;
++ int dots = 0;
++
++ while(*name) {
++ int c = *name++;
++
++ if (c == '/')
++ {
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if (ndir < 0)
++ return 1;
++ if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++ return 1;
++ if (state == STATE_NONE && ndir == 0)
++ return 1;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++ state = STATE_NONE;
++ dots = 0;
++ }
++ else if (c == '.')
++ {
++ if (state == STATE_NONE)
++ state = STATE_DOTS;
++ dots++;
++ }
++ else
++ {
++ if (state == STATE_NONE)
++ ndir++;
++ state = STATE_NAME;
++ }
++ }
++
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++
++ return ndir < 0;
++}
++#endif
++
+ /* Restores the UNIX special file data */
+
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha
+ l=sizeof(tmp_name)-1;
+ far_memmove((char FAR *)tmp_name, dptr, l);
+ tmp_name[l]='\0';
++ if (is_link_traversal(tmp_name))
++ return(UXSPEC_RC_ERROR);
+ rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+ if(!rc)
+ return(0);
diff --git a/system/arj/patches/security_format.patch b/system/arj/patches/security_format.patch
index 229303dcb5..ec480b069d 100644
--- a/system/arj/patches/security_format.patch
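Review bot: `is_link_traversal` carries no comment and its policy is easy to misread, so I'd add a header comment above the `static int` line stating what it enforces: a purely lexical check, counted from the extraction directory rather than from the link's own parent, that rejects absolute targets (the `state == STATE_NONE && ndir == 0` branch at a `/`), targets whose `..` components net-escape the tree, and targets beginning with `./` (the `dots == 1 && ndir == 0` branch), while a bare `.` and `x/./y` are accepted. Because the link's depth is ignored, a link created at `a/b/l` with target `../..` is rejected even though it resolves inside the tree; that is the conservative direction for an extractor and should be stated so nobody "fixes" it later. The check covers only the link target; the link path `name` is presumably validated by validate_path before set_uxspecial runs, which I could not confirm because set_uxspecial's body starts and ends outside the hunk. Minor: the Description reads `directoru`.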
+++ b/system/arj/patches/security_format.patch
@@ -1,3 +1,9 @@
+Description: Fix format security errors.
+Author: Guillem Jover
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-09
+
 ---
 arj_arcv.c | 12 ++++++------
 arj_user.c | 8 ++++----
diff --git a/system/arj/patches/self_integrity_64bit.patch b/system/arj/patches/self_integrity_64bit.patch
new file mode 100644
index 0000000000..f9ceb2ffe9
--- /dev/null
+++ b/system/arj/patches/self_integrity_64bit.patch
@@ -0,0 +1,52 @@
+Description: Fix arj self-integrity check on 64-bit systems
+Author: B Watson
+Origin: other, http://slackbuilds.org/cgit/slackbuilds/tree/system/arj/patches/SBo_integrity_64bit.patch
+Forwarded: no
+Reviewed-By: Guillem Jover
+Last-Update: 2014-08-06
+
+diff -Naur arj-3.10.22/arj_proc.c arj-3.10.22.patched/arj_proc.c
+--- arj-3.10.22/arj_proc.c 2005-06-21 15:53:12.000000000 -0400
++++ arj-3.10.22.patched/arj_proc.c 2014-08-06 04:11:35.000000000 -0400
+@@ -7,6 +7,7 @@
+ *
+ */
+
++#include
+ #include "arj.h"
+
+ DEBUGHDR(__FILE__) /* Debug information block */
+@@ -929,9 +930,9 @@
+ #endif
+ fclose(stream);
+ #if SFX_LEVEL>=ARJSFXV
+- return(crc32term==st_crc&&fsize==st_fsize);
++ return((uint32_t)crc32term==(uint32_t)st_crc&&(uint32_t)fsize==(uint32_t)st_fsize);
+ #else
+- if(crc32term==st_crc&&fsize==st_fsize)
++ if((uint32_t)crc32term==(uint32_t)st_crc&&(uint32_t)fsize==(uint32_t)st_fsize)
+ msg_cprintf(0, M_INTEGRITY_OK);
+ else
+ pause_error(M_INTEGRITY_VIOLATED);
+diff -Naur arj-3.10.22/postproc.c arj-3.10.22.patched/postproc.c
+--- arj-3.10.22/postproc.c 2003-06-22 07:12:28.000000000 -0400
++++ arj-3.10.22.patched/postproc.c 2014-08-06 03:22:16.000000000 -0400
+@@ -6,6 +6,7 @@
+ *
+ */
+
++#include
+ #include "arj.h"
+
+ /* Operations */
+@@ -37,8 +38,9 @@
+
+ static char buf[PROC_BLOCK_SIZE];
+
+-static void _fput_dword(const unsigned long l, FILE *stream)
++static void _fput_dword(const unsigned long w, FILE *stream)
+ {
++ uint32_t l = (uint32_t)w;
+ #ifdef WORDS_BIGENDIAN
+ fputc(l ,stream);
+ fputc(l>>8 ,stream);
diff --git a/system/arj/patches/series b/system/arj/patches/series
index 23c1fc7e53..ea86f10da9 100644
--- a/system/arj/patches/series
+++ b/system/arj/patches/series
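Review bot: The two added `+#include` lines show no header name; given the `uint32_t` casts that follow, this is presumably `<stdint.h>` lost in rendering, but the committed file should be checked, since a bare `#include` is a compile error and this patch replaces the SBo_integrity_64bit.patch the series previously relied on. The casts on the `return` and `if` lines deserve a one-line comment explaining why both sides are truncated, e.g. `/* the stored CRC and size are 32-bit dwords (see _fput_dword); compare at that width so LP64 sign/zero extension does not trip the self-check */` — right now a reader has to infer it, and note that comparing `fsize` at 32 bits means sizes differing only above 2^32 compare equal, which is acceptable for a self-check of this binary but worth stating. In `_fput_dword` the rename of the parameter to `w` with a local `uint32_t l` keeps the existing `fputc(l ...)` lines untouched, which is a clean way to do it; the function continues outside the hunk.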
@@ -10,4 +10,7 @@ doc_refer_robert_k_jung.patch
 gnu_build_fix.patch
 gnu_build_flags.patch
 gnu_build_strip.patch
-SBo_integrity_64bit.patch
+self_integrity_64bit.patch
+security-afl.patch
+security-traversal-dir.patch
+security-traversal-symlink.patch
--
cgit v1.2.3