rpms/lha/F-8 lha-1.14i-dir_length_bounds_check.patch, NONE, 1.1 lha-1.14i-malloc.patch, NONE, 1.1 lha-1.14i-sec.patch, NONE, 1.1 lha-1.14i-sec2.patch, NONE, 1.1 lha-1.14i-symlink.patch, NONE, 1.1 lha.spec, NONE, 1.1

Hans de Goede jwrdegoede at rpmfusion.org
Thu Jul 24 13:24:22 CEST 2008


Author: jwrdegoede

Update of /cvs/nonfree/rpms/lha/F-8
In directory se02.es.rpmfusion.net:/tmp/cvs-serv5684

Added Files:
	lha-1.14i-dir_length_bounds_check.patch lha-1.14i-malloc.patch 
	lha-1.14i-sec.patch lha-1.14i-sec2.patch 
	lha-1.14i-symlink.patch lha.spec 
Log Message:
* Wed Jul 23 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1.14i-21
- Release bump for rpmfusion build


lha-1.14i-dir_length_bounds_check.patch:

--- NEW FILE lha-1.14i-dir_length_bounds_check.patch ---
--- lha-114i.orig/src/header.c	2002-07-19 17:23:58.000000000 +0900
+++ lha-114i/src/header.c	2004-06-16 09:49:23.000000000 +0900
@@ -648,8 +648,17 @@
 	}
 
 	if (dir_length) {
+		if ((dir_length + name_length) > sizeof(dirname)) {
+			fprintf(stderr, "Insufficient buffer size\n");
+			exit(112);
+		}
 		strcat(dirname, hdr->name);
-		strcpy(hdr->name, dirname);
+
+		if ((dir_length + name_length) > sizeof(hdr->name)) {
+			fprintf(stderr, "Insufficient buffer size\n");
+			exit(112);
+		}
+		strncpy(hdr->name, dirname, sizeof(hdr->name));
 		name_length += dir_length;
 	}
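Review bot: Both new bounds checks are off by one for the terminating NUL: when `dir_length + name_length` equals `sizeof(dirname)` the `strcat` still writes one byte past `dirname`, and in the same case for `hdr->name` the `strncpy` fills the array without terminating it. This assumes dir_length and name_length are the string lengths of dirname and hdr->name, which the hunk does not show. Using `>=` in both tests, `if ((dir_length + name_length) >= sizeof(dirname)) {` and `if ((dir_length + name_length) >= sizeof(hdr->name)) {`, leaves room for the terminator. The enclosing function starts and ends outside the hunk.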

lha-1.14i-malloc.patch:

--- NEW FILE lha-1.14i-malloc.patch ---
--- lha-114i/src/lha.h.orig	2004-05-19 19:24:19.000000000 -0400
+++ lha-114i/src/lha.h	2004-05-19 19:23:19.000000000 -0400
@@ -16,6 +16,7 @@
 #include <sys/types.h>
 #include <sys/file.h>
 #include <sys/stat.h>
+#include <malloc.h>
 
 #include <signal.h>
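Review bot: `<malloc.h>` is a non-standard header; ISO C declares malloc(), calloc(), realloc() and free() in `<stdlib.h>`, and some platforms ship no `<malloc.h>` or mark it obsolete. If the aim is to have a prototype in scope so the returned pointer is not treated as an int (which matters on 64-bit targets), `#include <stdlib.h>` does that portably, unless lha.h already pulls it in under a condition not shown here.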
 

lha-1.14i-sec.patch:

--- NEW FILE lha-1.14i-sec.patch ---
--- lha-114i/src/header.c.orig	2000-10-05 19:36:03.000000000 +0200
+++ lha-114i/src/header.c	2004-04-21 14:30:52.000000000 +0200
@@ -538,6 +538,10 @@
 				/*
 				 * filename
 				 */
+				if (header_size >= 256) {
+				  fprintf(stderr, "Possible buffer overflow hack attack, type #1\n");
+				  exit(109);
+				}
 				for (i = 0; i < header_size - 3; i++)
 					hdr->name[i] = (char) get_byte();
 				hdr->name[header_size - 3] = '\0';
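Review bot: The added guard bounds header_size only from above, so a header_size below 3 still reaches `hdr->name[header_size - 3] = '\0'` with a negative (or, if the variable is unsigned, wrapped) index; header_size's type and any earlier minimum check are outside the hunk. A test such as `if (header_size < 3 || header_size - 3 >= sizeof(hdr->name)) {` covers both ends and ties the limit to the buffer instead of the literal 256. The same applies to the directory branch in the next hunk, with `sizeof(dirname)` in place of FILENAME_LENGTH if dirname is an array in scope. The enclosing function is not visible in either hunk.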
@@ -547,6 +551,10 @@
 				/*
 				 * directory
 				 */
+				if (header_size >= FILENAME_LENGTH) {
+				  fprintf(stderr, "Possible buffer overflow hack attack, type #2\n");
+				  exit(110);
+				}
 				for (i = 0; i < header_size - 3; i++)
 					dirname[i] = (char) get_byte();
 				dirname[header_size - 3] = '\0';
--- lha-114i/src/lhext.c.orig	2000-10-04 16:57:38.000000000 +0200
+++ lha-114i/src/lhext.c	2004-04-21 14:30:52.000000000 +0200
@@ -190,8 +190,13 @@
 		q = (char *) rindex(hdr->name, '/') + 1;
 	}
 	else {
+		if (is_directory_traversal(q)) {
+		  fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q);
+		  exit(111);
+		}
+
 		if (*q == '/') {
-			q++;
+			while (*q == '/') { q++; }
 			/*
 			 * if OSK then strip device name
 			 */
@@ -419,6 +424,33 @@
 	return;
 }
 
+int
+is_directory_traversal(char *string)
+{
+  unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */
+  char *temp;
+
+  temp = string;
+
+  while (*temp != 0) {
+    if (temp[0] == '/') {
+      if (type == 1) { return 1; }
+      type = 0;
+      temp++;
+      continue;
+    }
+
+    if ((temp[0] == '.') && (type < 2))
+      type = 1;
+    if (temp[0] != '.')
+      type = 2;
+
+    temp++;
+  } /* while */
+
+  return (type == 1);
+}
+
 /* Local Variables: */
 /* mode:c */
 /* tab-width:4 */
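Review bot: is_directory_traversal() has no comment stating its contract, and the contract is wider than the name suggests: it returns 1 when any '/'-separated component consists only of dots, so `./file` and `.../file` are rejected along with `../file`. I would put `/* Return 1 if any '/'-separated component of string is made up solely of '.' characters (".", "..", "..." and so on), otherwise 0. */` above the definition so callers know that extraction stops on those names too. The parameter is never written through and could be `const char *string`. The function is defined after its call site near line 190 of lhext.c and no prototype is visible in this patch, so a declaration ahead of the caller would avoid relying on an implicit one.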

lha-1.14i-sec2.patch:

--- NEW FILE lha-1.14i-sec2.patch ---
diff -urNp lha-114i.orig/src/lha_macro.h lha-114i/src/lha_macro.h
--- lha-114i.orig/src/lha_macro.h	2004-08-03 15:53:56.000000000 -0500
+++ lha-114i/src/lha_macro.h	2004-08-03 15:54:05.000000000 -0500
@@ -53,7 +53,7 @@
 #define SEEK_SET		0
 #define SEEK_CUR		1
 #define SEEK_END		2
-#endif	/* SEEK_SET
+#endif	/* SEEK_SET */
 
 
 /* non-integral functions */
diff -urNp lha-114i.orig/src/lharc.c lha-114i/src/lharc.c
--- lha-114i.orig/src/lharc.c	2004-08-03 15:53:56.000000000 -0500
+++ lha-114i/src/lharc.c	2004-08-03 15:54:05.000000000 -0500
@@ -830,9 +830,10 @@ find_files(name, v_filec, v_filev)
 	DIRENTRY       *dp;
 	struct stat     tmp_stbuf, arc_stbuf, fil_stbuf;
 
-	strcpy(newname, name);
+	strncpy(newname, name, sizeof(newname));
+	newname[sizeof(newname)-1] = 0;
 	len = strlen(name);
-	if (len > 0 && newname[len - 1] != '/')
+	if (len > 0 && newname[len - 1] != '/' && len < (sizeof(newname)-1))
 		newname[len++] = '/';
 
 	dirp = opendir(name);
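Review bot: `len` is still taken from `strlen(name)` while `newname` may now hold a truncated copy, so for an over-long name the condition reads `newname[len - 1]` past the end of the array before the new `len < (sizeof(newname)-1)` test is evaluated. Measuring the copy instead, `len = strlen(newname);`, keeps every index inside the buffer and makes the extra test in the `if` sufficient. find_files continues outside the hunk.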
@@ -846,6 +847,11 @@ find_files(name, v_filec, v_filev)
 
 	for (dp = readdir(dirp); dp != NULL; dp = readdir(dirp)) {
 		n = NAMLEN(dp);
+		if (len >= (sizeof(newname)-1) ||
+				(len+n) >= (sizeof(newname)-1) ||
+					 n  <= 0                   ||
+				(len+n) <= 0)
+			break;
 		strncpy(newname + len, dp->d_name, n);
 		newname[len + n] = '\0';
 		if (GETSTAT(newname, &fil_stbuf) < 0)
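Review bot: The new guard leaves the readdir loop with `break` as soon as one entry does not fit, so the remaining entries of the directory are skipped without any message. If only the over-long entry should be dropped, a diagnostic followed by `continue` would keep the rest. The `len >= (sizeof(newname)-1)` case does not depend on the entry and could be tested once before the loop; the types of len and n are declared outside the hunk, so whether the `<= 0` tests can ever be true is not visible here.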
@@ -903,7 +909,8 @@ build_temporary_name()
 		strcpy(temporary_name, TMP_FILENAME_TEMPLATE);
 	}
 	else {
-		sprintf(temporary_name, "%s/lhXXXXXX", extract_directory);
+		snprintf(temporary_name, sizeof(temporary_name),
+			"%s/lhXXXXXX", extract_directory);
 	}
 #ifdef MKSTEMP
 	mkstemp(temporary_name);
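Review bot: The return value of the new `snprintf` is not checked, so an over-long extract_directory is cut off silently and the trailing `XXXXXX` that mkstemp() needs may be lost; the `mkstemp(temporary_name);` call below also ignores its result in the lines shown. Storing the result and testing `if (n < 0 || (size_t)n >= sizeof(temporary_name))` would turn truncation into a reported error. The same unchecked truncation applies to the `snprintf` calls added in open_old_archive (the `.lzh` and `.lzs` names) and in extract_one in lhext.c, where a shortened path would name a different file than the one intended.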
@@ -913,10 +920,16 @@ build_temporary_name()
 #else
 	char           *p, *s;
 
-	strcpy(temporary_name, archive_name);
+	strncpy(temporary_name, archive_name, sizeof(temporary_name));
+	temporary_name[sizeof(temporary_name)-1] = 0;
 	for (p = temporary_name, s = (char *) 0; *p; p++)
 		if (*p == '/')
 			s = p;
+
+	if( sizeof(temporary_name) - ((size_t) (s-temporary_name)) - 1
+		<= strlen("lhXXXXXX"))
+			exit(-1);
+
 	strcpy((s ? s + 1 : temporary_name), "lhXXXXXX");
 #ifdef MKSTEMP
 	mkstemp(temporary_name);
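Review bot: The added size check subtracts `temporary_name` from `s` even when `s` is still the null pointer it was initialised to, which is the case when archive_name contains no '/'; that subtraction is undefined and the unsigned arithmetic then wraps. The `strcpy` below already handles this with `s ? s + 1 : temporary_name`, and the check should use the same start, e.g. `p = s ? s + 1 : temporary_name;` followed by `if (sizeof(temporary_name) - (size_t)(p - temporary_name) <= strlen("lhXXXXXX"))`. `exit(-1)` also leaves without a message, unlike the checks added in lha-1.14i-sec.patch, which print to stderr first.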
@@ -1052,7 +1065,8 @@ open_old_archive()
 
 	if (open_old_archive_1(archive_name, &fp))
 		return fp;
-	sprintf(expanded_archive_name, "%s.lzh", archive_name);
+	snprintf(expanded_archive_name, sizeof(expanded_archive_name),
+		"%s.lzh", archive_name);
 	if (open_old_archive_1(expanded_archive_name, &fp)) {
 		archive_name = expanded_archive_name;
 		return fp;
@@ -1061,7 +1075,8 @@ open_old_archive()
 	 * if ( (errno&0xffff)!=E_PNNF ) { archive_name =
 	 * expanded_archive_name; return NULL; }
 	 */
-	sprintf(expanded_archive_name, "%s.lzs", archive_name);
+	snprintf(expanded_archive_name, sizeof(expanded_archive_name),
+		"%s.lzs", archive_name);
 	if (open_old_archive_1(expanded_archive_name, &fp)) {
 		archive_name = expanded_archive_name;
 		return fp;
diff -urNp lha-114i.orig/src/lhext.c lha-114i/src/lhext.c
--- lha-114i.orig/src/lhext.c	2004-08-03 15:53:56.000000000 -0500
+++ lha-114i/src/lhext.c	2004-08-03 15:55:40.000000000 -0500
@@ -82,7 +82,8 @@ make_parent_path(name)
 	register char  *p;
 
 	/* make parent directory name into PATH for recursive call */
-	strcpy(path, name);
+	memset(path, 0, sizeof(path));
+	strncpy(path, name, sizeof(path)-1);
 	for (p = path + strlen(path); p > path; p--)
 		if (p[-1] == '/') {
 			*--p = '\0';
@@ -212,9 +213,11 @@ extract_one(afp, hdr)
 	}
 
 	if (extract_directory)
-		sprintf(name, "%s/%s", extract_directory, q);
-	else
-		strcpy(name, q);
+		snprintf(name, sizeof(name), "%s/%s", extract_directory, q);
+	else {
+		strncpy(name, q, sizeof(name));
+		name[sizeof(name) - 1] = '\0';
+	}
 
 
 	/* LZHDIRS_METHOD�����ĥإå��������å����� */
@@ -335,7 +338,8 @@ extract_one(afp, hdr)
 			if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_SYMLINK) {
 				char            buf[256], *bb1, *bb2;
 				int             l_code;
-				strcpy(buf, name);
+				strncpy(buf, name, sizeof(buf));
+				buf[sizeof(buf)-1] = 0;
 				bb1 = strtok(buf, "|");
 				bb2 = strtok(NULL, "|");
 
@@ -365,9 +369,10 @@ extract_one(afp, hdr)
 				if (quiet != TRUE) {
 					printf("Symbolic Link %s -> %s\n", bb1, bb2);
 				}
-				strcpy(name, bb1);	/* Symbolic's name set */
+				strncpy(name, bb1, 255);	/* Symbolic's name set */
+				name[255] = 0;
 #else
-				sprintf(buf, "%s -> %s", bb1, bb2);
+				sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);
 				warning("Can't make Symbolic Link", buf);
 				return;
 #endif
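Review bot: In the `#else` branch the call was given a size argument but kept the name `sprintf`, so `sizeof(buf)` is passed where the format string is expected; this should be `snprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);`. Even then, bb1 and bb2 come from `strtok(buf, "|")` in the previous hunk and so point into buf itself, which makes source and destination overlap; formatting into a separate local array avoids that. In the branch before `#else`, `strncpy(name, bb1, 255)` hard-codes the size where an earlier hunk of this patch uses `sizeof(name)`; `strncpy(name, bb1, sizeof(name) - 1); name[sizeof(name) - 1] = 0;` would stay correct if the array size changes.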
diff -urNp lha-114i.orig/src/lhlist.c lha-114i/src/lhlist.c
--- lha-114i.orig/src/lhlist.c	2004-08-03 15:53:56.000000000 -0500
+++ lha-114i/src/lhlist.c	2004-08-03 15:54:05.000000000 -0500
@@ -250,7 +250,8 @@ list_one(hdr)
 			printf(" %s", hdr->name);
 		else {
 			char            buf[256], *b1, *b2;
-			strcpy(buf, hdr->name);
+			strncpy(buf, hdr->name, sizeof(buf));
+			buf[sizeof(buf)-1] = 0;
 			b1 = strtok(buf, "|");
 			b2 = strtok(NULL, "|");
 			printf(" %s -> %s", b1, b2);
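Review bot: `b2` is passed to `printf(" %s -> %s", b1, b2)` without a null check, and `strtok(NULL, "|")` returns NULL when the copied name holds no second `|`-separated field; whether the condition above the hunk rules that out is not visible. A guard such as `if (b1 == NULL || b2 == NULL)` that falls back to `printf(" %s", hdr->name);` keeps a malformed entry from reaching printf with a null string. The copy into the 256-byte buf also shortens longer names silently in the listing. extract_one in lhext.c uses the same strtok pair for bb1 and bb2, and the lines between that hunk and the symlink() call are not shown.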
diff -urNp lha-114i.orig/src/util.c lha-114i/src/util.c
--- lha-114i.orig/src/util.c	2004-08-03 15:53:56.000000000 -0500
+++ lha-114i/src/util.c	2004-08-03 15:54:05.000000000 -0500
@@ -276,21 +276,27 @@ rmdir(path)
 	char           *path;
 {
 	int             stat, rtn = 0;
-	char           *cmdname;
-	if ((cmdname = (char *) malloc(strlen(RMDIRPATH) + 1 + strlen(path) + 1))
-	    == 0)
+	pid_t           child;
+
+
+	/* XXX thomas: shell meta chars in path could exec commands */
+	/* therefore we should avoid using system() */
+	if ((child = fork()) < 0)
+		return (-1);    /* fork error */
+	else if (child) {       /* parent process */
+		while (child != wait(&stat))    /* ignore signals */
+			continue;
+	}
+	else {                  /* child process */
+		execl(RMDIRPATH, "rmdir", path, (char *) 0);
+		/* never come here except execl is error */
 		return (-1);
-	strcpy(cmdname, RMDIRPATH);
-	*(cmdname + strlen(RMDIRPATH)) = ' ';
-	strcpy(cmdname + strlen(RMDIRPATH) + 1, path);
-	if ((stat = system(cmdname)) < 0)
-		rtn = -1;	/* fork or exec error */
-	else if (stat) {	/* RMDIR command error */
-		errno = EIO;
-		rtn = -1;
 	}
-	free(cmdname);
-	return (rtn);
+	if (stat != 0) {
+		errno = EIO;    /* cannot get error num. */
+		return (-1);
+	}
+	return (0);
 }
 
 /* ------------------------------------------------------------------------ */
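Review bot: When `execl` fails, the child does `return (-1)` and so carries on executing the caller's code as a second copy of lha; it should leave with `_exit(127)` instead. The parent loop `while (child != wait(&stat))` never ends if wait() keeps returning -1 for a reason other than an interrupted call, and it reaps any child rather than this one; `waitpid(child, &stat, 0)` with an EINTR retry is the usual form. `rtn` is left unused after this change. waitpid needs `<sys/wait.h>`, which may or may not already be included in util.c.

```c
	if ((child = fork()) < 0)
		return (-1);    /* fork error */
	if (child == 0) {       /* child process */
		execl(RMDIRPATH, "rmdir", path, (char *) 0);
		_exit(127);     /* exec failed: never return into the caller's code */
	}
	/* parent: reap this child only, retrying when interrupted by a signal */
	while (waitpid(child, &stat, 0) < 0) {
		if (errno != EINTR)
			return (-1);
	}
	/* … unchanged: stat != 0 sets errno = EIO and returns -1, else returns 0 … */
```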

lha-1.14i-symlink.patch:

--- NEW FILE lha-1.14i-symlink.patch ---
--- lha-114i/src/lhext.c.symlink	2000-10-04 10:57:38.000000000 -0400
+++ lha-114i/src/lhext.c	2003-05-19 22:55:57.000000000 -0400
@@ -351,6 +351,7 @@ extract_one(afp, hdr)
 				}
 
 				unlink(bb1);
+				make_parent_path(bb1);
 				l_code = symlink(bb2, bb1);
 				if (l_code < 0) {
 					if (quiet != TRUE)
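Review bot: bb1 and bb2 both come from the archive entry's name (the `strtok` calls shown in lha-1.14i-sec2.patch), and no check on either is visible before `symlink(bb2, bb1)`; with this change the parent directories of bb1 are created as well. A link whose target is absolute or climbs out of the extraction directory lets later entries resolve through it, so bb2 should be validated before the link is made, for instance with the is_directory_traversal() helper that lha-1.14i-sec.patch adds plus a leading-'/' test. extract_one continues outside the hunk, and the `if (quiet != TRUE)` statement is cut off at its end.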


--- NEW FILE lha.spec ---
# RPM spec for lha 1.14i: unpacks the upstream 114i tarball, applies five
# distribution patches and installs the single lha binary plus its docs.
Name:           lha
Version:        1.14i
Release:        21%{?dist}
Summary:        Archiving and compression utility for LHarc/lha/lzh archives
Group:          Applications/Archiving
License:        Distributable
URL:            http://www2m.biglobe.ne.jp/~dolphin/lha/prog/
# NOTE(review): the tarball URL is plain http and this spec records no checksum
# or signature for it; verify the source archive out of band before building.
Source0:        http://www2m.biglobe.ne.jp/~dolphin/%{name}/prog/%{name}-114i.tar.gz
# Patch2, Patch3 and Patch4 are the ones the prep section applies under its
# "security fixes" comment: bounds checks on archive header fields, a directory
# traversal check on extracted names, bounded string copies, and fork/exec in
# place of system() for the rmdir fallback.
Patch0:         lha-1.14i-symlink.patch
Patch1:         lha-1.14i-malloc.patch
Patch2:         lha-1.14i-sec.patch
Patch3:         lha-1.14i-dir_length_bounds_check.patch
Patch4:         lha-1.14i-sec2.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root

%description
LHA is an archiving and compression utility for LHarc/lha/lzh format archives.


%prep
%setup -qn lha-114i

# Patches are applied in numeric order; each -b suffix names the backup copy
# kept of every file a patch touches.
%patch0 -p1 -b .symlink
%patch1 -p1 -b .malloc
# security fixes
# NOTE(review): all three security patches use the backup suffix .sec, and
# patch2 and patch3 both modify src/header.c, so their backup copies share a
# file name; distinct suffixes would keep each pre-patch state separate.
%patch2 -p1 -b .sec
%patch3 -p1 -b .sec
%patch4 -p1 -b .sec

# Rename doc files to better represent encoding which is EUC (jp)
mv change-114e.txt change-114e.euc
mv change-114g.txt change-114g.euc
mv change-114h.txt change-114h.euc
mv change-114i.txt change-114i.euc


%build
# -DMKSTEMP enables the "#ifdef MKSTEMP" code paths, which call mkstemp() on
# the temporary file name (visible in lha-1.14i-sec2.patch, src/lharc.c).
make %{?_smp_mflags} OPTIMIZE="%{optflags} -DSUPPORT_LH7 -DMKSTEMP"


%install
# Start from an empty buildroot, then install only the lha binary (mode 0755).
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_bindir}
install -m0755 src/lha %{buildroot}%{_bindir}


%clean
rm -rf %{buildroot}


%files
%defattr(-,root,root,-)
%doc change-114* CHANGES.euc PROBLEMS.euc README.euc
%{_bindir}/lha


%changelog
* Wed Jul 23 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1.14i-21
- Release bump for rpmfusion build

* Sun Jan 14 2007 Ian Chapman <packages at amiga-hardware.com> 1.14i-20%{?dist}
- Initial dribble release
- Aesthetic spec clean-ups for publishing in dribble
- Use %%{?_smp_mflags}
- Use %%{optflags}
- Changed the description (it's saner IMHO)
- Include changelogs
- Dropped MACHINES*, useless to end user
- Changed license field from freeware to distributable

* Fri Feb 10 2006 Jesse Keating <jkeating at redhat.com> - 1.14i-19.2.1
- bump again for double-long bug on ppc(64)

* Tue Feb 07 2006 Jesse Keating <jkeating at redhat.com> - 1.14i-19.2
- rebuilt for new gcc4.1 snapshot and glibc changes

* Fri Dec 09 2005 Jesse Keating <jkeating at redhat.com>
- rebuilt

* Sat Mar 05 2005 Than Ngo <than at redhat.com> 1.14i-19
- rebuilt

* Wed Feb 09 2005 Than Ngo <than at redhat.com> 1.14i-18
- rebuilt

* Fri Sep 10 2004 Than Ngo <than at redhat.com> 1.14i-17
- security vulnerabilities CAN-2004-0769, CAN-2004-0771, CAN-2004-0694, CAN-2004-0745

* Tue Jun 15 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt

* Fri May 21 2004 Than Ngo <than at redhat.com> 1.14i-15
- fix segmentation fault on ia64

* Wed May 05 2004 Than Ngo <than at redhat.com> 1.14i-14
- fix security vulnerabilities, CAN-2004-0234, CAN-2004-0235

* Fri Feb 13 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt

* Wed Jun 04 2003 Elliot Lee <sopwith at redhat.com>
- rebuilt

* Tue May 20 2003 Than Ngo <than at redhat.com> 1.14i-11
- add patch file from Matt Wilson, bug #91206

* Wed Jan 22 2003 Tim Powers <timp at redhat.com>
- rebuilt

* Wed Dec 11 2002 Tim Powers <timp at redhat.com> 1.14i-8
- rebuild on all arches

* Fri Jun 21 2002 Tim Powers <timp at redhat.com>
- automated rebuild

* Wed Jun 19 2002 Than Ngo <than at redhat.com> 1.14i-6
- don't forcibly strip binaries

* Thu May 23 2002 Tim Powers <timp at redhat.com>
- automated rebuild

* Wed Feb 27 2002 Than Ngo <than at redhat.com> 1.14i-4
- rebuild

* Tue Jan 29 2002 Than Ngo <than at redhat.com> 1.14i-3
- rebuild in rawhide

* Tue Sep 25 2001 Than Ngo <than at redhat.com> 1.14i-1
- update to 1.14i (bug #52779)

* Mon May 21 2001 Tim Powers <timp at redhat.com>
- rebuilt for the distro

* Mon Jul 24 2000 Prospector <prospector at redhat.com>
- rebuilt

* Wed Jul 12 2000 Than Ngo <than at redhat.de>
- rebuilt

* Mon Jul 03 2000 Prospector <bugzilla at redhat.com>
- automatic rebuild

* Fri May 12 2000 Tim Powers <timp at redhat.com>
- rebuilt for Powertools-7.0

* Wed Jan 19 2000 Bill Nottingham <notting at redhat.com>
- add some more docs

* Sun Mar 21 1999 Cristian Gafton <gafton at redhat.com>
- auto rebuild in the new build environment (release 11)

* Tue Jan 24 1999 Michael Maher <mike at redhat.com>
- this package will never change.
- changed groups

* Thu Dec 17 1998 Michael Maher <mike at redhat.com>
- built package for 6.0

* Wed Sep 23 1998 Jeff Johnson <jbj at redhat.com>
- add english doco.

* Sat Aug 15 1998 Jeff Johnson <jbj at redhat.com>
- build root

* Mon Apr 27 1998 Prospector System <bugs at redhat.com>
- translations modified for de, fr, tr

* Tue Oct 21 1997 Donnie Barnes <djb at redhat.com>
- removed man page, wasn't ASCII and caused more harm than good
- spec file cleanups

* Thu Jul 10 1997 Erik Troan <ewt at redhat.com>
- built against glibc


