Merge Debian patches for:

CVE-2015-0556: symlink traversal
CVE-2015-0557: directory traversal
CVE-2015-2782: buffer overflow

archivers/arj/distinfo

@@ -1,14 +1,15 @@
-$NetBSD: distinfo,v 1.17 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: distinfo,v 1.18 2015/04/12 15:54:02 tnn Exp $
 
 SHA1 (arj-3.10.22.tar.gz) = e8470f480e9eee14906e5485a8898e5c24738c8b
 RMD160 (arj-3.10.22.tar.gz) = 80f8a1a8cd203f73def8e957d96563a4dba80153
 Size (arj-3.10.22.tar.gz) = 431467 bytes
 SHA1 (patch-arjdata.c) = 4e4c142b97feee0673b14ea6f454f3d9de45f584
-SHA1 (patch-environ.c) = 02a45f1365121b63020f3714cea142f9571d8f72
+SHA1 (patch-decode.c) = 15c31c3bf1303370691b701a98bad88ae1b0967b
+SHA1 (patch-environ.c) = e306005a88825b2bfd5b3bb35b18710d26a4c885
 SHA1 (patch-exe__sear.c) = 6d8db5a2cdb8f2452b96cf4d09687ae9d45d3e17
 SHA1 (patch-fardata.c) = 341a8d10ec1927b9cb980c90400e323cd53f979d
 SHA1 (patch-gnu_config.h.in) = 2cf609a6c7cb4e32441a433db3dc9cc04c23ae2a
 SHA1 (patch-gnu_configure.in) = 062f3dc1eee6f009dfdfa432bb3c138a9c28a829
 SHA1 (patch-gnu_makefile.in) = db8a0afa61f49242e9fd601d5fc3167cf75f748b
 SHA1 (patch-integr.c) = fade32219b21ac3382028bf23ee4171d8d095b5f
-SHA1 (patch-uxspec.c) = c54bd6223c39a73fed95286ce0a5f834770c86d3
+SHA1 (patch-uxspec.c) = b1756afe8a39cc5cdce30b031bb3c96ee40a6b89

archivers/arj/patches/patch-decode.c

@@ -0,0 +1,28 @@
+$NetBSD: patch-decode.c,v 1.1 2015/04/12 15:54:02 tnn Exp $
+
+Fix CVE-2015-2782. Via Debian security-afl.patch.
+
+--- decode.c.orig	2003-04-12 16:15:58.000000000 +0000
++++ decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+    if(i==i_special)
+    {
+     c=getbits(2);
+-    while(--c>=0)
++    while(--c>=0&&i<nn)
+      pt_len[i++]=0;
+    }
+   }
+@@ -314,10 +314,10 @@ void read_c_len()
+      c=getbits(CBIT);
+      c+=20;
+     }
+-    while(--c>=0)
++    while(--c>=0&&i<NC)
+      c_len[i++]=0;
+    }
+-   else
++   else if (i<NC)
+     c_len[i++]=(unsigned char)(c-2);
+   }
+   while(i<NC)

archivers/arj/patches/patch-environ.c

@@ -1,8 +1,9 @@
-$NetBSD: patch-environ.c,v 1.1 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: patch-environ.c,v 1.2 2015/04/12 15:54:02 tnn Exp $
 
 Add support for various OSes.
+Fix CVE-2015-0557. Via Debian security-traversal-dir.patch.
 
---- environ.c.orig	2004-06-18 16:19:36.000000000 +0000
+--- environ.c.orig	2015-04-12 15:49:08.000000000 +0000
 +++ environ.c
 @@ -58,10 +58,10 @@
    #include <sys/ioctl.h>
@@ -17,7 +18,24 @@ Add support for various OSes.
    #include <sys/statvfs.h>
   #else
    #include <sys/statfs.h>
-@@ -2286,7 +2286,7 @@ unsigned long file_getfree(char *name)
+@@ -1087,6 +1087,8 @@ static char *validate_path(char *name)
+   if(action!=VALIDATE_DRIVESPEC)
+   {
+ #endif
++   while (name[0]!='\0'&&
++          (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) {
+    if(name[0]=='.')
+    {
+     if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))
+@@ -1096,6 +1098,7 @@ static char *validate_path(char *name)
+    }
+    if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)
+     name++;                             /* "\\" - revert to root */
++   }
+ #if SFX_LEVEL>=ARJSFXV
+   }
+  }
+@@ -2286,7 +2289,7 @@ unsigned long file_getfree(char *name)
    else
     return((LONG_MAX/(spclu*bps)<fclu)?LONG_MAX:spclu*bps*fclu);
   #elif TARGET==UNIX
@@ -26,7 +44,7 @@ Add support for various OSes.
     struct statvfs vfs;
  
     if(statvfs(name, &vfs)==-1)
-@@ -3005,7 +3005,7 @@ void get_exe_name(char *dest, char *arg)
+@@ -3005,7 +3008,7 @@ void get_exe_name(char *dest, char *arg)
      they are missing altogether, the corresponding code will gracefully
      terminate. */
   #if SFX_LEVEL==ARJ
@@ -35,7 +53,7 @@ Add support for various OSes.
   #elif SFX_LEVEL==ARJSFXV
    strcpy(dest, "./arjsfxv");
   #elif SFX_LEVEL==ARJSFX
-@@ -3013,7 +3013,7 @@ void get_exe_name(char *dest, char *arg)
+@@ -3013,7 +3016,7 @@ void get_exe_name(char *dest, char *arg)
   #elif SFX_LEVEL==ARJSFXJR
    strcpy(dest, "./arjsfxjr");
   #elif defined(REARJ)
@@ -44,7 +62,7 @@ Add support for various OSes.
   #else
    dest[0]='\0';
   #endif
-@@ -3802,7 +3802,9 @@ int reset_drive(char *name)
+@@ -3802,7 +3805,9 @@ int reset_drive(char *name)
   #elif TARGET==WIN32
    return(0);
   #elif TARGET==UNIX

archivers/arj/patches/patch-uxspec.c

@@ -1,18 +1,75 @@
-$NetBSD: patch-uxspec.c,v 1.1 2015/04/12 15:45:00 tnn Exp $
+$NetBSD: patch-uxspec.c,v 1.2 2015/04/12 15:54:02 tnn Exp $
 
 Fix build on systems without lchown.
+Fix CVE-2015-0556. Via Debian security-traversal-symlink.patch.
 
---- uxspec.c.orig	2004-04-17 11:39:42.000000000 +0000
+--- uxspec.c.orig	2015-04-12 15:46:11.000000000 +0000
 +++ uxspec.c
-@@ -13,6 +13,11 @@
-  #include <unistd.h>
+@@ -125,6 +125,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
  #endif
  
-+#include "c_defs.h"
-+#ifndef HAVE_LCHOWN
-+#define lchown chown
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++  enum {
++    STATE_NONE,
++    STATE_DOTS,
++    STATE_NAME,
++  } state = STATE_NONE;
++  int ndir = 0;
++  int dots = 0;
++
++  while(*name) {
++    int c = *name++;
++
++    if (c == '/')
++    {
++      if ((state == STATE_DOTS) && (dots == 2))
++        ndir--;
++      if (ndir < 0)
++        return 1;
++      if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++        return 1;
++      if (state == STATE_NONE && ndir == 0)
++        return 1;
++      if ((state == STATE_DOTS) && (dots > 2))
++        ndir++;
++      state = STATE_NONE;
++      dots = 0;
++    }
++    else if (c == '.')
++    {
++      if (state == STATE_NONE)
++        state = STATE_DOTS;
++      dots++;
++    }
++    else
++    {
++      if (state == STATE_NONE)
++        ndir++;
++      state = STATE_NAME;
++    }
++  }
++
++  if ((state == STATE_DOTS) && (dots == 2))
++    ndir--;
++  if ((state == STATE_DOTS) && (dots > 2))
++    ndir++;
++
++  return ndir < 0;
++}
 +#endif
 +
- DEBUGHDR(__FILE__)                      /* Debug information block */
+ /* Restores the UNIX special file data */
  
- /* UXSPECIAL block types */
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -161,6 +213,8 @@ int set_uxspecial(char FAR *storage, cha
+      l=sizeof(tmp_name)-1;
+     far_memmove((char FAR *)tmp_name, dptr, l);
+     tmp_name[l]='\0';
++    if (is_link_traversal(tmp_name))
++      return(UXSPEC_RC_ERROR);
+     rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+     if(!rc)
+      return(0);