This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
[4.0/4.1] fastjar fix for PR28359
- From: Matthias Klose <doko at cs dot tu-berlin dot de>
- To: gcc-patches at gcc dot gnu dot org
- Cc: mmitchell at gcc dot gnu dot org, rguenth at gcc dot gnu dot org
- Date: Fri, 4 Aug 2006 15:06:33 +0200
- Subject: [4.0/4.1] fastjar fix for PR28359
Not yet applied to the active release branches. Ok to check in?
Matthias
2006-08-04 Matthias Klose <doko@debian.org>
PR fastjar/28359 / CVE-2006-3619
2006-07-17 Richard Guenther <rguenther@suse.de>
* jartool.c (extract_jar): Do not allow directory traversal
to parents of the extraction root.
Index: jartool.c
===================================================================
--- jartool.c (revision 115922)
+++ jartool.c (working copy)
@@ -1736,6 +1736,7 @@
const ub1 *start = filename;
char *tmp_buff;
struct stat sbuf;
+ int depth = 0;
tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
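Review bot: the new "int depth = 0;" among the declarations has no comment saying what it counts. A one-line comment stating that it is the directory level relative to the extraction root, and that a value below zero means the entry would leave that root, would make the check added further down readable on its own.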
@@ -1756,7 +1757,14 @@
#ifdef DEBUG
printf("checking the existance of %s\n", tmp_buff);
#endif
-
+ if(strcmp(tmp_buff, "..") == 0){
+ --depth;
+ if (depth < 0){
+ fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+ exit(1);
+ }
+ } else if (strcmp(tmp_buff, ".") != 0)
+ ++depth;
if(stat(tmp_buff, &sbuf) < 0){
if(errno != ENOENT){
perror("stat");
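Review bot: the added strcmp(tmp_buff, "..") test compares the same string that is passed to stat() right after it, so please confirm that tmp_buff holds only the current path component at this point. If it holds the path accumulated so far, the comparison matches only when that whole prefix is exactly "..", and a ".." that follows another component never changes depth; in that case the test should look at the component between the last two separators instead. Two smaller points on the same lines: the fprintf message does not name the archive entry that triggered it, and exit(1) stops in the middle of unpacking, leaving the entries already extracted on disk, which is worth stating in the ChangeLog or documentation.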