rpms/gzip/devel gzip-1.3.5-gunzip-dir.patch, NONE, 1.1 gzip-1.3.5-gzip-perm.patch, 1.1, 1.2 gzip.spec, 1.19, 1.20
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Apr 29 13:15:45 UTC 2005
Author: varekova
Update of /cvs/dist/rpms/gzip/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2175
Modified Files:
gzip-1.3.5-gzip-perm.patch gzip.spec
Added Files:
gzip-1.3.5-gunzip-dir.patch
Log Message:
fix bug 156269 - CAN-2005-1228 directory traversal bug
gzip-1.3.5-gunzip-dir.patch:
gzip.c | 2 ++
1 files changed, 2 insertions(+)
--- NEW FILE gzip-1.3.5-gunzip-dir.patch ---
--- gzip-1.3.5/gzip.c.pom 2005-04-29 14:25:23.000000000 +0200
+++ gzip-1.3.5/gzip.c 2005-04-29 14:24:42.000000000 +0200
@@ -1344,6 +1344,8 @@
error("corrupted input -- file name too large");
}
}
+ char *base2 = base_name (base); /* there should be problem with file name */
+ strcpy(base, base2); /* in this name there can't be path */
/* If necessary, adapt the name to local OS conventions: */
if (!list) {
MAKE_LEGAL_NAME(base);
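Review bot: The added `strcpy(base, base2)` copies between overlapping regions if `base_name` returns a pointer into `base` (its use here suggests it does), and `strcpy` is undefined for overlapping source and destination. Because this line is what strips the directory part from the name stored in the input, it should be well-defined: `memmove(base, base2, strlen(base2) + 1);`. The declaration of `base2` also appears to follow statements in the enclosing block, which pre-C99 compilers reject, so it is safer to declare it at the top of that block. The two trailing comments are hard to follow and could be one comment above the lines, e.g. `/* discard any directory part of the stored name; only the base name is used */`. The enclosing function starts and ends outside the hunk.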
gzip-1.3.5-gzip-perm.patch:
gzip.c | 30 ++++++++++++++++--------------
1 files changed, 16 insertions(+), 14 deletions(-)
Index: gzip-1.3.5-gzip-perm.patch
===================================================================
RCS file: /cvs/dist/rpms/gzip/devel/gzip-1.3.5-gzip-perm.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- gzip-1.3.5-gzip-perm.patch 26 Apr 2005 12:35:16 -0000 1.1
+++ gzip-1.3.5-gzip-perm.patch 29 Apr 2005 13:15:42 -0000 1.2
@@ -4,7 +4,7 @@
}
close(ifd);
-+ /* ofd ownership and permisions have to be set before close(ofd)*/
++ /* ofd ownership and permissions have to be set before close(ofd)*/
+ if (!to_stdout) {
+ if (fchmod(ofd, istat.st_mode & 07777)) {
+ int e = errno;
Index: gzip.spec
===================================================================
RCS file: /cvs/dist/rpms/gzip/devel/gzip.spec,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- gzip.spec 26 Apr 2005 12:35:16 -0000 1.19
+++ gzip.spec 29 Apr 2005 13:15:42 -0000 1.20
@@ -1,7 +1,7 @@
Summary: The GNU data compression program.
Name: gzip
Version: 1.3.5
-Release: 4
+Release: 5
License: GPL
Group: Applications/File
Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@@ -14,6 +14,7 @@
Patch7: gzip-1.3.3-addsuffix.patch
Patch8: gzip-1.3.5-zgrep-sed.patch
Patch9: gzip-1.3.5-gzip-perm.patch
+Patch10: gzip-1.3.5-gunzip-dir.patch
URL: http://www.gzip.org/
Prereq: /sbin/install-info
Requires: mktemp less
@@ -37,6 +38,7 @@
%patch7 -p1 -b .addsuffix
%patch8 -p0 -b .sed
%patch9 -p1 -b .perm
+%patch10 -p1 -b .dir
%build
export DEFS="NO_ASM"
@@ -82,6 +84,10 @@
%{_infodir}/gzip.info*
%changelog
+* Fri Apr 29 2005 Ivana Varekova <varekova at redhat.com> 1.3.5-5
+- fix bug 156269 - CAN-2005-1228 directory traversal bug
+ (using the patch from Ulf Harnhammar)
+
* Tue Apr 26 2005 Ivana Varekova <varekova at redhat.com> 1.3.5-4
- fix bug 155746 - CAN-2005-0988 Race condition in gzip (patch9)