rpms/mikmod/FC-3 mikmod-3.1.6-security.patch, NONE, 1.1 mikmod-3.1.6-tar.patch, NONE, 1.1 mikmod.spec, 1.18, 1.19

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Jun 7 11:21:57 UTC 2005


Author: stransky

Update of /cvs/dist/rpms/mikmod/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv18620

Modified Files:
	mikmod.spec 
Added Files:
	mikmod-3.1.6-security.patch mikmod-3.1.6-tar.patch 
Log Message:
fixed #159290,#159291 - CAN-2003-0427, fixed playing mod files from tar archive

mikmod-3.1.6-security.patch:
 marchive.c |   52 +++++++++++++++++++---------------------------------
 1 files changed, 19 insertions(+), 33 deletions(-)

--- NEW FILE mikmod-3.1.6-security.patch ---
--- mikmod-3.1.6/src/marchive.c.sec	2005-06-03 15:57:05.000000000 +0200
+++ mikmod-3.1.6/src/marchive.c	2005-06-06 11:02:31.000000000 +0200
@@ -269,6 +269,10 @@
 {
 	int t;
 
+	/* a filename may not start with '-' since this could be abused to
+	   feed another option to the archiver */
+	if (filename[0]=='-')
+		return 0;
 	for (t=0;modulepatterns[t];t++)
 		if (!fnmatch(modulepatterns[t],filename,FNM_NOESCAPE))
 			return 1;
@@ -522,8 +526,8 @@
 
 			if (!pipe(fd)) {
 				pid_t pid;
-				int status,cur,finished=0;
-				char ch;
+				FILE *file;
+				int status,s;
 
 				switch (pid=fork()) {
 					case -1: /* fork failed */
@@ -553,40 +557,22 @@
 					}
 						break;
 					default: /* fork succeeded, main process code */
-						/* have to wait for the child to ensure the command was
-						   successful and the pipe contains useful
-						   information */
 
-						/* read from the pipe */
 						close(fd[1]);
-						cur=0;
-						for (;;) {
-							/* check if child process has finished */
-							if ((!finished)&&(waitpid(pid,&status,WNOHANG))) {
-								finished=1;
-								/* abnormal exit */
-								if (!WIFEXITED(status)) {
-								  close(fd[0]);
-								  break;
-								}
-							}
-
-							/* check for end of pipe, otherwise read char */
-							if ((!read(fd[0],&ch,1))&&(finished)) break;
-
-							if (ch=='\n') ch=0;
-							string[cur++]=ch;
-							if (!ch) {
-								cur=0;
-								if (!MA_archiver[archive].nameoffset) {
-									for (t=0;string[t]!=' ';t++);
-									string[t]=0;
-								}
-								if (MA_isModuleFilename2(string+MA_archiver[archive].nameoffset))
-									PL_Add(pl,(string+MA_archiver[archive].nameoffset),filename,0,0);
-							}
+						if (!(file=fdopen(fd[0],"r"))) {
+							close(fd[0]);
+							waitpid(pid,&status,0);
+							break;
+						}
+						/* read from the pipe */
+						while (fgets(string,PATH_MAX+MAXCOLUMN+1,file)) {
+							s=strlen(string)-1;
+							if (string[s]=='\n') string[s]='\0';
+							if (MA_isModuleFilename2(string+MA_archiver[archive].nameoffset))
+								PL_Add(pl,(string+MA_archiver[archive].nameoffset),filename,0,0);
 						}
-						close(fd[0]);
+						fclose(file);
+						waitpid(pid,&status,0);
 						break;
 				}
 			}

mikmod-3.1.6-tar.patch:
 marchive.c |   21 +++++++++++++++------
 1 files changed, 15 insertions(+), 6 deletions(-)

--- NEW FILE mikmod-3.1.6-tar.patch ---
--- mikmod-3.1.6/src/marchive.c.tar	2005-06-06 16:12:52.000000000 +0200
+++ mikmod-3.1.6/src/marchive.c	2005-06-06 16:18:20.000000000 +0200
@@ -149,19 +149,19 @@
 /* PKzip archive */
 	{	0,	pksignature,	"unzip",	"-pqq", NULL,	"-vqq", NULL,	58},
 /* zoo */
-	{	20,	zoosignature,	"zoo",		"xpq", NULL,	"lq", NULL,		47},
+	{	20,	zoosignature,	"zoo",		"xpq", NULL,	"lfq", NULL,		0},
 /* rar */
 	{	0,	rarsignature,	"unrar",	"p", "-inul",	"v", "-c-",		1},
 /* lharc */
 	{	2,	lhsignature,	"lha",		"pq", NULL,		"vvq", NULL,	0},
 	{	2,	lzsignature,	"lha",		"pq", NULL,		"vvq", NULL,	0},
 /* tar */
-	{	257,tarsignature,	"tar",		"-xOf", NULL,	"-tRf", NULL,	18},
+	{	257,tarsignature,	"tar",		"-xOf", NULL,	"-tf", NULL,	0},
 /* tar.gz */
-	{	-1,	targzextension,	"tar",		"-xOzf", NULL,	"-tRzf", NULL,	18},
+	{	-1,	targzextension,	"tar",		"-xOzf", NULL,	"-tzf", NULL,	0},
 /* tar.bz2 */
 	{	-1,	tarbzip2extension,	"tar",	"--use-compress-program=bzip2",
-			"-xOf",		"--use-compress-program=bzip2",	"-tRf",			18},
+			"-xOf",		"--use-compress-program=bzip2",	"-tf",			0},
 /* gzip */
 	{	0,	gzsignature,	"gzip",		"-dqc", NULL,	NULL, NULL,		0},
 /* bzip2 */
@@ -566,8 +566,17 @@
 						}
 						/* read from the pipe */
 						while (fgets(string,PATH_MAX+MAXCOLUMN+1,file)) {
-							s=strlen(string)-1;
-							if (string[s]=='\n') string[s]='\0';
+							s = strlen(string) - 1;
+							if (string[s]=='\n') 
+                                string[s]='\0';
+
+							/* remove trailing whitespace from the filename */
+							for (s = 0, t = 0; string[t]; t++)
+								if (string[t] != ' ')
+									s = t;
+							if(s) 
+								string[s+1] = '\0';
+
 							if (MA_isModuleFilename2(string+MA_archiver[archive].nameoffset))
 								PL_Add(pl,(string+MA_archiver[archive].nameoffset),filename,0,0);
 						}


Index: mikmod.spec
===================================================================
RCS file: /cvs/dist/rpms/mikmod/FC-3/mikmod.spec,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- mikmod.spec	14 Dec 2004 01:26:42 -0000	1.18
+++ mikmod.spec	7 Jun 2005 11:21:55 -0000	1.19
@@ -4,7 +4,7 @@
 Summary: A MOD music file player.
 Name: mikmod
 Version: 3.1.6
-Release: 30.2
+Release: 31.FC3
 License: LGPL
 Group: Applications/Multimedia
 Prereq: /sbin/ldconfig
@@ -19,6 +19,8 @@
 Patch3:  libmikmod-64bit.patch
 Patch4:  patch-mikmod-3.1.6-a
 Patch5:  mikmod-3.1.6-varargs.patch
+Patch7:  mikmod-3.1.6-security.patch
+Patch8:  mikmod-3.1.6-tar.patch
 Obsoletes: tracker
 
 %description
@@ -51,6 +53,8 @@
 %patch3 -p1
 %patch4 -p1 -b .orig
 %patch5 -p1 
+%patch7 -p1 -b .sec
+%patch8 -p1 -b .tar
 
 %build
 rm -rf $RPM_BUILD_ROOT
@@ -110,6 +114,10 @@
 %{_mandir}/man1/libmikmod-config*
 
 %changelog
+* Mon Jun  6 2005 Martin Stransky <stransky at redhat.com> 3.1.6-31.FC3
+- fixed #159290,#159291 - CAN-2003-0427
+- fixed playing mod files from tar archive
+
 * Mon Dec 13 2004 Bill Nottingham <notting at redhat.com> 3.1.6-30.2
 - move mikmod binary back to main package (#142668)
 




More information about the fedora-cvs-commits mailing list