pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/archivers/gzip-base - Patches to address CAN-2005-1228...
details: https://anonhg.NetBSD.org/pkgsrc/rev/8dc26dd8f905
branches: trunk
changeset: 495443:8dc26dd8f905
user: adrianp <adrianp%pkgsrc.org@localhost>
date: Thu Jun 09 20:23:26 2005 +0000
description:
- Patches to address CAN-2005-1228 and CAN-2005-0988 based on FreeBSD SA
and Gentoo/Debian patches.
diffstat:
archivers/gzip-base/Makefile | 3 +-
archivers/gzip-base/distinfo | 4 +-
archivers/gzip-base/patches/patch-ab | 70 ++++++++++++++++++++++++++++++++---
3 files changed, 67 insertions(+), 10 deletions(-)
diffs (108 lines):
diff -r 186a4dea3a16 -r 8dc26dd8f905 archivers/gzip-base/Makefile
--- a/archivers/gzip-base/Makefile Thu Jun 09 19:49:48 2005 +0000
+++ b/archivers/gzip-base/Makefile Thu Jun 09 20:23:26 2005 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.18 2005/04/11 21:44:48 tv Exp $
+# $NetBSD: Makefile,v 1.19 2005/06/09 20:23:26 adrianp Exp $
#
DISTNAME= gzip-1.2.4a
+PKGREVISION= 1
PKGNAME= ${DISTNAME:S/gzip-/gzip-base-/:S/a$/b/}
SVR4_PKGNAME= gzipb
CATEGORIES= archivers
diff -r 186a4dea3a16 -r 8dc26dd8f905 archivers/gzip-base/distinfo
--- a/archivers/gzip-base/distinfo Thu Jun 09 19:49:48 2005 +0000
+++ b/archivers/gzip-base/distinfo Thu Jun 09 20:23:26 2005 +0000
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.5 2005/02/23 14:45:23 agc Exp $
+$NetBSD: distinfo,v 1.6 2005/06/09 20:23:26 adrianp Exp $
SHA1 (gzip-1.2.4a.shar) = 1e1e513f48be32ecfe24c06b609329963d5a5288
RMD160 (gzip-1.2.4a.shar) = 529397e68b2ed7f39b3a4d3201fd73d10a9c1ebc
Size (gzip-1.2.4a.shar) = 832431 bytes
SHA1 (patch-aa) = 449d3eb975b9ddc634ba0b3a245381f3f3e1f5e1
-SHA1 (patch-ab) = e198a1d9a90a8b626b178ef7b5beabc729c6367d
+SHA1 (patch-ab) = e8c7e210c1e7e443230ba20266c0232f29002a4b
diff -r 186a4dea3a16 -r 8dc26dd8f905 archivers/gzip-base/patches/patch-ab
--- a/archivers/gzip-base/patches/patch-ab Thu Jun 09 19:49:48 2005 +0000
+++ b/archivers/gzip-base/patches/patch-ab Thu Jun 09 20:23:26 2005 +0000
@@ -1,11 +1,35 @@
-$NetBSD: patch-ab,v 1.1 2004/10/12 18:28:29 tv Exp $
+$NetBSD: patch-ab,v 1.2 2005/06/09 20:23:26 adrianp Exp $
+
+# CAN-2005-1228 and CAN-2005-0988
-From http://www.gzip.org/gzip-1.2.4b.patch - security fix for filenames
-over 1020 caharacters long.
-
---- gzip.c Thu Aug 19 15:39:43 1993
-+++ gzip.c Tue Jan 8 21:44:18 2002
-@@ -1005,7 +1005,14 @@
+--- gzip.c.orig 1993-08-19 09:39:00.000000000 +0100
++++ gzip.c
+@@ -824,8 +824,11 @@ local void treat_file(iname)
+ }
+
+ close(ifd);
+- if (!to_stdout && close(ofd)) {
+- write_error();
++ if (!to_stdout) {
++ /* Copy modes, times, ownership, and remove the input file */
++ copy_stat(&istat);
++ if (close(ofd))
++ write_error();
+ }
+ if (method == -1) {
+ if (!to_stdout) unlink (ofname);
+@@ -845,10 +848,6 @@ local void treat_file(iname)
+ }
+ fprintf(stderr, "\n");
+ }
+- /* Copy modes, times, ownership, and remove the input file */
+- if (!to_stdout) {
+- copy_stat(&istat);
+- }
+ }
+
+ /* ========================================================================
+@@ -1005,7 +1004,14 @@ local int get_istat(iname, sbuf)
#ifdef NO_MULTIPLE_DOTS
char *dot; /* pointer to ifname extension, or NULL */
#endif
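Review bot: In the patched treat_file, `copy_stat(&istat)` now runs before both the `close(ofd)` check and the `if (method == -1)` cleanup, and by its own comment copy_stat also removes the input file. If that is still the case, a run that ends with `method == -1` would delete the input and then discard the output with `unlink (ofname)`, and a write error that only surfaces at `close(ofd)` would be reported after the original is already gone. I would keep the descriptor-based mode and ownership copy before the close, but defer removing the input until `close(ofd)` has succeeded and `method != -1`; at minimum guard the call as `if (method != -1) copy_stat(&istat);`. treat_file and copy_stat both extend outside this hunk, so this should be confirmed against the full gzip.c.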
@@ -20,3 +44,35 @@
strcpy(ifname, iname);
/* If input file exists, return OK. */
+@@ -1244,6 +1250,7 @@ local int get_method(in)
+ /* Copy the base name. Keep a directory prefix intact. */
+ char *p = basename(ofname);
+ char *base = p;
++ char *base2;
+ for (;;) {
+ *p = (char)get_char();
+ if (*p++ == '\0') break;
+@@ -1251,6 +1258,8 @@ local int get_method(in)
+ error("corrupted input -- file name too large");
+ }
+ }
++ base2 = basename (base);
++ strcpy(base, base2);
+ /* If necessary, adapt the name to local OS conventions: */
+ if (!list) {
+ MAKE_LEGAL_NAME(base);
+@@ -1624,12 +1633,12 @@ local void copy_stat(ifstat)
+ reset_times(ofname, ifstat);
+ #endif
+ /* Copy the protection modes */
+- if (chmod(ofname, ifstat->st_mode & 07777)) {
++ if (fchmod(ofd, ifstat->st_mode & 07777)) {
+ WARN((stderr, "%s: ", progname));
+ if (!quiet) perror(ofname);
+ }
+ #ifndef NO_CHOWN
+- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
++ (void) fchown(ofd, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
+ #endif
+ remove_ofname = 0;
+ /* It's now safe to remove the input file: */
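Review bot: `strcpy(base, base2)` in get_method copies between overlapping regions, because `base2 = basename (base)` presumably returns a pointer into the same buffer `base` points at (or `base` itself when the name has no directory part), and strcpy on overlapping objects is undefined behaviour. Use `memmove(base, base2, strlen(base2) + 1);` instead. Separately, the copy_stat change moves the mode and ownership copy onto `ofd`, but `reset_times(ofname, ifstat)` just above it is still path-based, so the timestamps are applied to whatever the name resolves to at that moment; a comment such as `/* still by name: no descriptor-based variant used here */` would record that remaining gap. Both functions continue outside the hunk.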