Fix multiple security vulnerabilities:

- buffer overflows (CAN-2005-0160) - directory traversal problem (CAN-2005-0161) Obtained from: Ulf Harnhammar <Ulf.Harnhammar.9485@student.uu.se>
svn path=/head/; revision=129554
2005-02-22 15:29:27 +00:00 · 2005-02-22 15:29:27 +00:00 · e663e66b59 · 2021-03-31 03:12:20 +00:00
commit e663e66b59
parent 0f524db5b7
4 changed files with 177 additions and 1 deletions
--- a/archivers/unace/Makefile
+++ b/archivers/unace/Makefile
@ -8,7 +8,7 @@

 PORTNAME=	unace
 PORTVERSION=	1.2b
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	archivers
 MASTER_SITES=	${MASTER_SITE_SUNSITE}
 MASTER_SITE_SUBDIR=	utils/compress
--- a/archivers/unace/files/patch-uac__crt.c
+++ b/archivers/unace/files/patch-uac__crt.c
@ -0,0 +1,98 @@
+
+$FreeBSD$
+
+--- uac_crt.c.orig
+++ uac_crt.c
+@@ -33,12 +33,15 @@
+ 
+ /* gets file name from header
+  */
+-CHAR *ace_fname(CHAR * s, thead * head, INT nopath)
+CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size)
+ {
+-   INT  i;
+   unsigned int i;
+    char *cp;
+ 
+-   strncpy(s, (*(tfhead *) head).FNAME, i = (*(tfhead *) head).FNAME_SIZE);
+   i = (*(tfhead *) head).FNAME_SIZE;
+   if (i > (size - 1))
+     i = size - 1;
+   strncpy(s, (*(tfhead *) head).FNAME, i);
+    s[i] = 0;
+ 
+    if (nopath)
+@@ -56,22 +59,72 @@
+    }
+ #endif
+ 
+   cp = s;
+   while (*cp == '/') cp++;
+   if (cp != s)
+     memmove(s, cp, strlen(cp) + 1);
+
+    return s;
+ }
+ 
+int is_directory_traversal(char *str)
+{
+  unsigned int mode, countdots;
+  /* mode 0 = fresh, 1 = just dots, 2 = not just dots */
+  char ch;
+
+  mode = countdots = 0;
+
+  while (ch = *str++)
+  {
+    if ((ch == '/') && (mode == 1) && (countdots > 1))
+      return 1;
+
+    if (ch == '/')
+    {
+       mode = countdots = 0;
+       continue;
+    }
+
+    if (ch == '.')
+    {
+      if (mode == 0)
+        mode = 1;
+
+      countdots++;
+    }
+    else
+      mode = 2;
+  }
+
+  if ((mode == 1) && (countdots > 1))
+    return 1;
+
+  return 0;
+}
+
+ void check_ext_dir(CHAR * f)        // checks/creates path of file
+ {
+    CHAR *cp,
+         d[PATH_MAX];
+-   INT  i;
+   unsigned int i;
+ 
+    d[0] = 0;
+ 
+   if (is_directory_traversal(f))
+   {
+      f_err = ERR_WRITE;
+      printf("\n    Directory traversal attempt:  %s\n", f);
+      return;
+   }
+
+    for (;;)
+    {
+       if ((cp = (CHAR *) strchr(&f[strlen(d) + 1], DIRSEP))!=NULL)
+       {
+          i = cp - f;
+         if (i > (PATH_MAX - 1))
+           i = PATH_MAX - 1;
+          strncpy(d, f, i);
+          d[i] = 0;
+       }
--- a/archivers/unace/files/patch-uac__crt.h
+++ b/archivers/unace/files/patch-uac__crt.h
@ -0,0 +1,14 @@
+
+$FreeBSD$
+
+--- uac_crt.h.orig
+++ uac_crt.h
+@@ -4,7 +4,7 @@
+ 
+ #include "acestruc.h"
+ 
+-CHAR *ace_fname(CHAR * s, thead * head, INT nopath);
+CHAR *ace_fname(CHAR * s, thead * head, INT nopath, unsigned int size);
+ INT  create_dest_file(CHAR * file, INT a);
+ 
+ #ifdef UNIX
--- a/archivers/unace/files/patch-unace.c
+++ b/archivers/unace/files/patch-unace.c
@ -0,0 +1,64 @@
+
+$FreeBSD$
+
+--- unace.c.orig
+++ unace.c
+@@ -240,6 +240,7 @@
+ INT  open_archive(INT print_err)        // opens archive (or volume)
+ {
+    CHAR av_str[80];
+   unsigned int copylen;
+ 
+    archan = open(aname, O_RDONLY | O_BINARY);   // open file
+ 
+@@ -263,8 +264,11 @@
+       sprintf(av_str, "\ncreated on %d.%d.%d by ",
+               ts_day(adat.time_cr), ts_month(adat.time_cr), ts_year(adat.time_cr));
+       printf(av_str);
+-      strncpy(av_str, mhead.AV, mhead.AV_SIZE);
+-      av_str[mhead.AV_SIZE] = 0;
+      copylen = mhead.AV_SIZE;
+      if (copylen > 79)
+        copylen = 79;
+      strncpy(av_str, mhead.AV, copylen);
+      av_str[copylen] = 0;
+       printf("%s\n\n", av_str);
+    }
+    comment_out("Main comment:");        // print main comment
+@@ -300,7 +304,7 @@
+ INT  proc_vol(void)                     // opens volume
+ {
+    INT  i;
+-   CHAR s[80];
+   CHAR s[PATH_MAX + 80];
+ 
+    // if f_allvol_pr is 2 we have -y and should never ask
+    if ((!fileexists_insense(aname) && f_allvol_pr != 2) || !f_allvol_pr)
+@@ -428,7 +432,7 @@
+       if (head.HEAD_TYPE == FILE_BLK)
+       {
+          comment_out("File comment:");   // show file comment
+-         ace_fname(file, &head, nopath); // get file name
+         ace_fname(file, &head, nopath, sizeof(file)); // get file name
+          printf("\n%s", file);
+          flush;
+          dcpr_init_file();               // initialize decompression of file
+@@ -496,7 +500,7 @@
+       if (head.HEAD_TYPE == FILE_BLK)
+       {
+          ULONG ti=fhead.FTIME;
+-         ace_fname(file, &head, verbose ? 0 : 1); // get file name
+         ace_fname(file, &head, verbose ? 0 : 1, sizeof(file)); // get file name
+ 
+          size  += fhead.SIZE;
+          psize +=
+@@ -588,7 +592,8 @@
+ 
+       init_unace();                              // initialize unace
+ 
+-      strcpy(aname, argv[arg_cnt]);              // get archive name
+      strncpy(aname, argv[arg_cnt], sizeof(aname) - 4);  // get archive name
+      aname[sizeof(aname) - 5] = '\0';
+       if (!(s = (CHAR *) strrchr(aname, DIRSEP)))
+          s = aname;
+       if (!strrchr(s, '.'))