rpms/gzip/FC-3 gzip-1.3.5-gunzip-dir.patch, NONE, 1.1 gzip-1.3.5-gzip-perm.patch, NONE, 1.1 gzip.spec, 1.12, 1.13
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Jun 17 09:56:13 UTC 2005
Author: varekova
Update of /cvs/dist/rpms/gzip/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv5455
Modified Files:
gzip.spec
Added Files:
gzip-1.3.5-gunzip-dir.patch gzip-1.3.5-gzip-perm.patch
Log Message:
- fix bug 156269 - CAN-2005-1228 directory traversal bug
- fix bug 155746 - CAN-2005-0988 Race condition in gzip
gzip-1.3.5-gunzip-dir.patch:
gzip.c | 2 ++
1 files changed, 2 insertions(+)
--- NEW FILE gzip-1.3.5-gunzip-dir.patch ---
--- gzip-1.3.5/gzip.c.pom 2005-04-29 14:25:23.000000000 +0200
+++ gzip-1.3.5/gzip.c 2005-04-29 14:24:42.000000000 +0200
@@ -1344,6 +1344,8 @@
error("corrupted input -- file name too large");
}
}
+ char *base2 = base_name (base); /* there should be problem with file name */
+ strcpy(base, base2); /* in this name there can't be path */
/* If necessary, adapt the name to local OS conventions: */
if (!list) {
MAKE_LEGAL_NAME(base);
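Review bot: The added `strcpy(base, base2)` copies between overlapping regions whenever `base_name` returns a pointer into its argument, which it appears to do since the result is copied straight back into `base`; strcpy is undefined for overlapping objects. `memmove(base, base2, strlen(base2) + 1);` performs the same path-stripping step with defined behaviour. The declaration `char *base2` also follows statements in its block, which pre-C99 compilers reject, and the two trailing comments would read better as one comment above the lines, e.g. `/* Keep only the last component of the stored name so it cannot carry a directory path. */`. The enclosing function begins and ends outside this hunk.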
gzip-1.3.5-gzip-perm.patch:
gzip.c | 30 ++++++++++++++++--------------
1 files changed, 16 insertions(+), 14 deletions(-)
--- NEW FILE gzip-1.3.5-gzip-perm.patch ---
--- gzip-1.3.5/gzip.c.perm 2005-04-26 14:22:58.211395152 +0200
+++ gzip-1.3.5/gzip.c 2005-04-26 14:24:10.414418624 +0200
@@ -881,6 +881,20 @@
}
close(ifd);
+ /* ofd ownership and permissions have to be set before close(ofd)*/
+ if (!to_stdout) {
+ if (fchmod(ofd, istat.st_mode & 07777)) {
+ int e = errno;
+ WARN((stderr, "%s: ", progname));
+ if (!quiet) {
+ errno = e;
+ perror(ofname);
+ }
+ }
+#ifndef NO_CHOWN
+ fchown(ofd, istat.st_uid, istat.st_gid); /* Copy ownership */
+#endif
+ }
if (!to_stdout && close(ofd)) {
write_error();
}
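Review bot: The result of `fchown(ofd, istat.st_uid, istat.st_gid)` is discarded, and because `fchmod(ofd, istat.st_mode & 07777)` runs before it, any setuid/setgid bits on the input are applied to the output even when the ownership change fails and the file stays owned by the invoking user. Changing the owner first and dropping those bits on failure would avoid that, e.g. `if (fchown(ofd, istat.st_uid, istat.st_gid) != 0) mode &= ~06000;` followed by `fchmod(ofd, mode)`, with `mode` initialised from `istat.st_mode & 07777`. The comment above the block could also say why the descriptor is used: a path-based chmod/chown acts on whatever `ofname` refers to at that moment, which may no longer be the file just written. The enclosing function starts and ends outside this hunk.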
@@ -902,7 +916,7 @@
}
fprintf(stderr, "\n");
}
- /* Copy modes, times, ownership, and remove the input file */
+ /* Copy times and remove the input file */
if (!to_stdout) {
copy_stat(&istat);
}
@@ -1715,7 +1729,7 @@
/* ========================================================================
- * Copy modes, times, ownership from input file to output file.
+ * Copy times from input file to output file.
* IN assertion: to_stdout is false.
*/
local void copy_stat(ifstat)
@@ -1730,18 +1744,6 @@
}
reset_times(ofname, ifstat);
#endif
- /* Copy the protection modes */
- if (chmod(ofname, ifstat->st_mode & 07777)) {
- int e = errno;
- WARN((stderr, "%s: ", progname));
- if (!quiet) {
- errno = e;
- perror(ofname);
- }
- }
-#ifndef NO_CHOWN
- chown(ofname, ifstat->st_uid, ifstat->st_gid); /* Copy ownership */
-#endif
remove_ofname = 0;
/* It's now safe to remove the input file: */
if (xunlink (ifname)) {
Index: gzip.spec
===================================================================
RCS file: /cvs/dist/rpms/gzip/FC-3/gzip.spec,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- gzip.spec 9 Sep 2004 06:05:28 -0000 1.12
+++ gzip.spec 17 Jun 2005 09:56:10 -0000 1.13
@@ -1,7 +1,7 @@
Summary: The GNU data compression program.
Name: gzip
Version: 1.3.3
-Release: 13
+Release: 14.fc3
License: GPL
Group: Applications/File
Source: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@@ -12,6 +12,8 @@
Patch4: gzip-1.3.1-zgreppipe.patch
Patch5: gzip-1.3-rsync.patch
Patch6: gzip-1.3.3-window-size.patch
+Patch7: gzip-1.3.5-gzip-perm.patch
+Patch8: gzip-1.3.5-gunzip-dir.patch
URL: http://www.gzip.org/
Prereq: /sbin/install-info
Requires: mktemp less
@@ -33,6 +35,8 @@
%patch4 -p1 -b .nixi
%patch5 -p1 -b .rsync
%patch6 -p1 -b .window-size
+%patch7 -p1 -b .perm
+%patch8 -p1 -b .dir
%build
export DEFS="-DNO_ASM"
@@ -85,6 +89,11 @@
%{_infodir}/gzip.info*
%changelog
+* Fri Jun 17 2005 Ivana Varekova <varekova at redhat.com> 1.3.5-14.fc3
+- fix bug 156269 - CAN-2005-1228 directory traversal bug
+ (using the patch from Ulf Harnhammar)
+- fix bug 155746 - CAN-2005-0988 Race condition in gzip
+
* Tue Jun 15 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt