authorB. Watson <yalhcru@gmail.com>2015-04-07 19:58:35 +0700
committerWilly Sudiarto Raharjo <willysr@slackbuilds.org>2015-04-07 19:58:35 +0700
commit51604f30957277f0f1cdecd4fcc2d8e1040a5859 (patch)
treefd53149b90a1950415cd0daedf13915aa38ecbef
parentf62f19ede487f36a8a3604f3ad843ee241b9284d (diff)
system/arj: Security fixes.
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
-rw-r--r--system/arj/arj.SlackBuild10
-rw-r--r--system/arj/patches/001_arches_align.patch6
-rw-r--r--system/arj/patches/002_no_remove_static_const.patch8
-rw-r--r--system/arj/patches/003_64_bit_clean.patch7
-rw-r--r--system/arj/patches/004_parallel_build.patch6
-rw-r--r--system/arj/patches/005_use_system_strnlen.patch8
-rw-r--r--system/arj/patches/006_use_safe_strcpy.patch9
-rw-r--r--system/arj/patches/doc_refer_robert_k_jung.patch7
-rw-r--r--system/arj/patches/gnu_build_fix.patch7
-rw-r--r--system/arj/patches/gnu_build_flags.patch6
-rw-r--r--system/arj/patches/gnu_build_strip.patch9
-rw-r--r--system/arj/patches/hurd_no_fcntl_getlk.patch8
-rw-r--r--system/arj/patches/security-afl.patch35
-rw-r--r--system/arj/patches/security-traversal-dir.patch33
-rw-r--r--system/arj/patches/security-traversal-symlink.patch85
-rw-r--r--system/arj/patches/security_format.patch6
-rw-r--r--system/arj/patches/self_integrity_64bit.patch52
-rw-r--r--system/arj/patches/series5
18 files changed, 302 insertions, 5 deletions
diff --git a/system/arj/arj.SlackBuild b/system/arj/arj.SlackBuild
index 49e052d924f73..19b37ae3191a7 100644
--- a/system/arj/arj.SlackBuild
+++ b/system/arj/arj.SlackBuild
@@ -6,9 +6,13 @@
# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.
+# 20150406 bkw: security vulns in arj!
+# http://www.securityfocus.com/archive/1/535190
+# Already patched in debian, add their patches here.
+
PRGNAM=arj
VERSION=${VERSION:-3.10.22}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
TAG=${TAG:-_SBo}
if [ -z "$ARCH" ]; then
@@ -55,9 +59,7 @@ find -L . \
# Use Debian's patches. See https://packages.debian.org/sid/arj. These are
# needed to get the source to build on modern systems, and work correctly
-# on 64-bit systems. The SBo_integrity_64bit.patch is my own, it fixes
-# "arj i" on 64-bit (and I've sent it to the debian maintainer as well).
-
+# on 64-bit systems.
for i in $( cat $CWD/patches/series ); do
patch -p1 < $CWD/patches/$i
done
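Review bot: The comment rewritten at the top of this hunk still describes the Debian patch series only as build and 64-bit fixes, while the reason for this commit is the security patches the series now carries, and the SlackBuild is where the next maintainer will look for that; `# on 64-bit systems, plus Debian's fixes for CVE-2015-0556 / CVE-2015-0557 (path traversal) and the decode.c buffer overflow (patches/security-*.patch).` would record it. The `security vulns in arj!` comment added in the first hunk could carry the same CVE ids beside the securityfocus link, since the advisory URL may not outlive the archive. The patch loop itself is unchanged context; if `set -e` is not in effect above this point, a patch that fails to apply leaves the source unpatched yet still building, so `patch -p1 < $CWD/patches/$i || exit 1` would be the safer form.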
diff --git a/system/arj/patches/001_arches_align.patch b/system/arj/patches/001_arches_align.patch
index 96180dab707ad..48b3fe2b12c06 100644
--- a/system/arj/patches/001_arches_align.patch
+++ b/system/arj/patches/001_arches_align.patch
@@ -1,3 +1,9 @@
+Description: Correct build failure on ia64 due to unaligned memory access.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2008-06-16
+
Index: b/arj_proc.c
===================================================================
--- a/arj_proc.c 2005-06-21 22:53:12.000000000 +0300
diff --git a/system/arj/patches/002_no_remove_static_const.patch b/system/arj/patches/002_no_remove_static_const.patch
index 9f435316e25f7..c1abbe26e3160 100644
--- a/system/arj/patches/002_no_remove_static_const.patch
+++ b/system/arj/patches/002_no_remove_static_const.patch
@@ -1,3 +1,11 @@
+Description: Set the static const intergrity_identifier variable as volatile
+ instead of building the file with -O0 to avoid the compiler optimizing it
+ away, so that we can use standard flags everywhere.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-10
+
---
integr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system/arj/patches/003_64_bit_clean.patch b/system/arj/patches/003_64_bit_clean.patch
index 4e32a86a6afb6..90a1311614e87 100644
--- a/system/arj/patches/003_64_bit_clean.patch
+++ b/system/arj/patches/003_64_bit_clean.patch
@@ -1,3 +1,10 @@
+Description: Make code 64-bit clean.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/339815
+Forwarded: no
+Last-Update: 2005-11-24
+
Index: b/arj_arcv.c
===================================================================
--- a/arj_arcv.c 2005-06-21 22:53:12.000000000 +0300
diff --git a/system/arj/patches/004_parallel_build.patch b/system/arj/patches/004_parallel_build.patch
index 3351376233d48..bed4a406aea6a 100644
--- a/system/arj/patches/004_parallel_build.patch
+++ b/system/arj/patches/004_parallel_build.patch
@@ -1,3 +1,9 @@
+Description: Fix upstream build sysstem to support parallel builds.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2007-12-05
+
---
gnu/makefile.in | 74 +++++++++++++++++++++++++++++++++-----------------------
1 file changed, 44 insertions(+), 30 deletions(-)
diff --git a/system/arj/patches/005_use_system_strnlen.patch b/system/arj/patches/005_use_system_strnlen.patch
index 00a459809b3ed..4a5dd13d1ed32 100644
--- a/system/arj/patches/005_use_system_strnlen.patch
+++ b/system/arj/patches/005_use_system_strnlen.patch
@@ -1,3 +1,11 @@
+Description: Detect and conditionally use system strnlen function.
+ This fixes build failures when the system has eglibc 2.10.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/546475
+Forwarded: no
+Last-Update: 2009-09-13
+
---
fardata.c | 2 ++
gnu/config.h.in | 1 +
diff --git a/system/arj/patches/006_use_safe_strcpy.patch b/system/arj/patches/006_use_safe_strcpy.patch
index ffcab3031efe2..006385a0af6ad 100644
--- a/system/arj/patches/006_use_safe_strcpy.patch
+++ b/system/arj/patches/006_use_safe_strcpy.patch
@@ -1,3 +1,12 @@
+Description: Use a safe strcpy for overlapping strings, among others
+ fixes a build problem with a mangled generated .c file by msgbind
+ (thus FTBFS), and CRC errors at run-time.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/590354
+Forwarded: no
+Last-Update: 2010-07-26
+
---
arj.c | 2 +-
arjdata.c | 9 +--------
diff --git a/system/arj/patches/doc_refer_robert_k_jung.patch b/system/arj/patches/doc_refer_robert_k_jung.patch
index f61b558775774..43870e9d06690 100644
--- a/system/arj/patches/doc_refer_robert_k_jung.patch
+++ b/system/arj/patches/doc_refer_robert_k_jung.patch
@@ -1,3 +1,10 @@
+Description: Refer to original author Robert K. Jung in the manual page.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/456275
+Forwarded: no
+Last-Update: 2008-06-16
+
Index: b/resource/en/arj.1
===================================================================
--- a/resource/en/arj.1 2005-06-21 21:27:20.000000000 +0300
diff --git a/system/arj/patches/gnu_build_fix.patch b/system/arj/patches/gnu_build_fix.patch
index e9ab1b69294bb..5737ea9a60b3b 100644
--- a/system/arj/patches/gnu_build_fix.patch
+++ b/system/arj/patches/gnu_build_fix.patch
@@ -1,3 +1,10 @@
+Description: Fix build failure on GNU/Hurd due to missing -ldl, by
+ adding “gnu*” to the configure case handling libdl linking.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2011-02-28
+
---
gnu/configure.in | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/system/arj/patches/gnu_build_flags.patch b/system/arj/patches/gnu_build_flags.patch
index 89a8ffe653f0f..b5e0e3005924a 100644
--- a/system/arj/patches/gnu_build_flags.patch
+++ b/system/arj/patches/gnu_build_flags.patch
@@ -1,3 +1,9 @@
+Description: Fix upstream build system to honour CPPFLAGS and LDFLAGS.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-09
+
---
gnu/makefile.in | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/system/arj/patches/gnu_build_strip.patch b/system/arj/patches/gnu_build_strip.patch
index 8b543dcd2846f..e34b07d269d23 100644
--- a/system/arj/patches/gnu_build_strip.patch
+++ b/system/arj/patches/gnu_build_strip.patch
@@ -1,3 +1,12 @@
+Description: Support nostrip build option.
+ By changing the upstrem build system to optionally strip the binaries
+ after the linking stage and before their preprocessing.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/436473
+Forwarded: no
+Last-Update: 2013-05-10
+
---
gnu/makefile.in | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/system/arj/patches/hurd_no_fcntl_getlk.patch b/system/arj/patches/hurd_no_fcntl_getlk.patch
index ff1113f8319a2..85fdbbf3bf4cb 100644
--- a/system/arj/patches/hurd_no_fcntl_getlk.patch
+++ b/system/arj/patches/hurd_no_fcntl_getlk.patch
@@ -1,3 +1,11 @@
+Description: Fix build failure on GNU/Hurd, by handling unimplemented
+ fcntl(F_GETLK). The Hurd does not implement yet fcntl(F_GETLK) and
+ returns ENOSYS, handle this as a non-fatal error.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-10
+
---
environ.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/system/arj/patches/security-afl.patch b/system/arj/patches/security-afl.patch
new file mode 100644
index 0000000000000..ed2bf57717863
--- /dev/null
+++ b/system/arj/patches/security-afl.patch
@@ -0,0 +1,35 @@
+Description: Fix buffer overflow causing an invalid pointer free().
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774015
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ decode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/decode.c
++++ b/decode.c
+@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
+ if(i==i_special)
+ {
+ c=getbits(2);
+- while(--c>=0)
++ while(--c>=0&&i<nn)
+ pt_len[i++]=0;
+ }
+ }
+@@ -314,10 +314,10 @@ void read_c_len()
+ c=getbits(CBIT);
+ c+=20;
+ }
+- while(--c>=0)
++ while(--c>=0&&i<NC)
+ c_len[i++]=0;
+ }
+- else
++ else if (i<NC)
+ c_len[i++]=(unsigned char)(c-2);
+ }
+ while(i<NC)
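Review bot: The read_pt_len part of this fix guards only the special-case zero-fill loop (`while(--c>=0&&i<nn)`), whereas read_c_len additionally gets `else if (i<NC)` on the branch that stores a single non-zero length; the corresponding non-special `pt_len[i++]=...` store in read_pt_len lies outside the hunk, and if it is not already protected by the loop's own `i<nn` test the same guard belongs there too. Worth confirming against the lines just before `if(i==i_special)`; if the store is covered, a one-line comment on the read_c_len `else if` saying the extra check is belt-and-braces would stop someone removing it as redundant. Both enclosing functions start and end outside the hunk, and the patch carries no CVE id, so naming read_pt_len and read_c_len in the `Description:` line would help anyone auditing the series later.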
diff --git a/system/arj/patches/security-traversal-dir.patch b/system/arj/patches/security-traversal-dir.patch
new file mode 100644
index 0000000000000..02d955c805310
--- /dev/null
+++ b/system/arj/patches/security-traversal-dir.patch
@@ -0,0 +1,33 @@
+Description: Fix absolute path traversals.
+ Catch multiple leading slashes when checking for absolute path traversals.
+ .
+ Fixes CVE-2015-0557.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774435
+Forwarded: no
+Last-Update: 2015-02-26
+
+---
+ environ.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/environ.c
++++ b/environ.c
+@@ -1087,6 +1087,8 @@ static char *validate_path(char *name)
+ if(action!=VALIDATE_DRIVESPEC)
+ {
+ #endif
++ while (name[0]!='\0'&&
++ (name[0]=='.'||name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)) {
+ if(name[0]=='.')
+ {
+ if(name[1]=='.'&&(name[2]==PATHSEP_DEFAULT||name[2]==PATHSEP_UNIX))
+@@ -1096,6 +1098,7 @@ static char *validate_path(char *name)
+ }
+ if(name[0]==PATHSEP_DEFAULT||name[0]==PATHSEP_UNIX)
+ name++; /* "\\" - revert to root */
++ }
+ #if SFX_LEVEL>=ARJSFXV
+ }
+ }
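Review bot: The new `while` at the top of validate_path repeats the existing leading-component stripping, but the branches that decide whether `name` advances for a leading `.` sit between the two hunks, and nothing visible advances it when the name begins with `.` or `..` not followed by a path separator (an ordinary dotfile such as `.profile`): if the hidden branches do not consume it either, the loop condition stays true and extraction hangs on that entry. Confirm from the lines after `if(name[0]=='.')`, and if neither branch moves `name`, add `else break;` as the fallthrough of that inner `if` so a dotfile name leaves the loop. validate_path starts before and ends after these hunks.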
diff --git a/system/arj/patches/security-traversal-symlink.patch b/system/arj/patches/security-traversal-symlink.patch
new file mode 100644
index 0000000000000..32481692b377c
--- /dev/null
+++ b/system/arj/patches/security-traversal-symlink.patch
@@ -0,0 +1,85 @@
+Description: Fix symlink directory traversal.
+ Do not allow symlinks that traverse the current directoru, nor absolute
+ symlinks.
+ .
+ Fixes CVE-2015-0556.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/774434
+Forwarded: no
+Last-Update: 2015-03-28
+
+---
+ uxspec.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+--- a/uxspec.c
++++ b/uxspec.c
+@@ -120,6 +120,58 @@ int query_uxspecial(char FAR **dest, cha
+ }
+ #endif
+
++#if TARGET==UNIX
++static int is_link_traversal(const char *name)
++{
++ enum {
++ STATE_NONE,
++ STATE_DOTS,
++ STATE_NAME,
++ } state = STATE_NONE;
++ int ndir = 0;
++ int dots = 0;
++
++ while(*name) {
++ int c = *name++;
++
++ if (c == '/')
++ {
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if (ndir < 0)
++ return 1;
++ if ((state == STATE_DOTS && dots == 1) && ndir == 0)
++ return 1;
++ if (state == STATE_NONE && ndir == 0)
++ return 1;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++ state = STATE_NONE;
++ dots = 0;
++ }
++ else if (c == '.')
++ {
++ if (state == STATE_NONE)
++ state = STATE_DOTS;
++ dots++;
++ }
++ else
++ {
++ if (state == STATE_NONE)
++ ndir++;
++ state = STATE_NAME;
++ }
++ }
++
++ if ((state == STATE_DOTS) && (dots == 2))
++ ndir--;
++ if ((state == STATE_DOTS) && (dots > 2))
++ ndir++;
++
++ return ndir < 0;
++}
++#endif
++
+ /* Restores the UNIX special file data */
+
+ int set_uxspecial(char FAR *storage, char *name)
+@@ -156,6 +208,8 @@ int set_uxspecial(char FAR *storage, cha
+ l=sizeof(tmp_name)-1;
+ far_memmove((char FAR *)tmp_name, dptr, l);
+ tmp_name[l]='\0';
++ if (is_link_traversal(tmp_name))
++ return(UXSPEC_RC_ERROR);
+ rc=(id==UXSB_HLNK)?link(tmp_name, name):symlink(tmp_name, name);
+ if(!rc)
+ return(0);
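Review bot: is_link_traversal rejects a relative target that starts with `./` — on the first `/` the `(state == STATE_DOTS && dots == 1) && ndir == 0` test fires with ndir still 0 — although `./x` and `x` name the same place and `x` alone is accepted; if that was not intended, drop that test, since the `..` accounting and the `STATE_NONE && ndir == 0` rejection of a leading `/` are what stop an escape. The function has no comment on its contract; I would add above it `/* Lexical check of a link target: nonzero if it is absolute or if some prefix climbs above the extraction directory; symlinks already on disk are not consulted. */` so later readers know it deliberately does not canonicalise. The description line has a typo, `directoru` for `directory`. set_uxspecial starts before and ends after the second hunk.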
diff --git a/system/arj/patches/security_format.patch b/system/arj/patches/security_format.patch
index 229303dcb5529..ec480b069d7e2 100644
--- a/system/arj/patches/security_format.patch
+++ b/system/arj/patches/security_format.patch
@@ -1,3 +1,9 @@
+Description: Fix format security errors.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Forwarded: no
+Last-Update: 2013-05-09
+
---
arj_arcv.c | 12 ++++++------
arj_user.c | 8 ++++----
diff --git a/system/arj/patches/self_integrity_64bit.patch b/system/arj/patches/self_integrity_64bit.patch
new file mode 100644
index 0000000000000..f9ceb2ffe9b2d
--- /dev/null
+++ b/system/arj/patches/self_integrity_64bit.patch
@@ -0,0 +1,52 @@
+Description: Fix arj self-integrity check on 64-bit systems
+Author: B Watson <yalhcru@gmail.com>
+Origin: other, http://slackbuilds.org/cgit/slackbuilds/tree/system/arj/patches/SBo_integrity_64bit.patch
+Forwarded: no
+Reviewed-By: Guillem Jover <guillem@debian.org>
+Last-Update: 2014-08-06
+
+diff -Naur arj-3.10.22/arj_proc.c arj-3.10.22.patched/arj_proc.c
+--- arj-3.10.22/arj_proc.c 2005-06-21 15:53:12.000000000 -0400
++++ arj-3.10.22.patched/arj_proc.c 2014-08-06 04:11:35.000000000 -0400
+@@ -7,6 +7,7 @@
+ *
+ */
+
++#include <stdint.h>
+ #include "arj.h"
+
+ DEBUGHDR(__FILE__) /* Debug information block */
+@@ -929,9 +930,9 @@
+ #endif
+ fclose(stream);
+ #if SFX_LEVEL>=ARJSFXV
+- return(crc32term==st_crc&&fsize==st_fsize);
++ return((uint32_t)crc32term==(uint32_t)st_crc&&(uint32_t)fsize==(uint32_t)st_fsize);
+ #else
+- if(crc32term==st_crc&&fsize==st_fsize)
++ if((uint32_t)crc32term==(uint32_t)st_crc&&(uint32_t)fsize==(uint32_t)st_fsize)
+ msg_cprintf(0, M_INTEGRITY_OK);
+ else
+ pause_error(M_INTEGRITY_VIOLATED);
+diff -Naur arj-3.10.22/postproc.c arj-3.10.22.patched/postproc.c
+--- arj-3.10.22/postproc.c 2003-06-22 07:12:28.000000000 -0400
++++ arj-3.10.22.patched/postproc.c 2014-08-06 03:22:16.000000000 -0400
+@@ -6,6 +6,7 @@
+ *
+ */
+
++#include <stdint.h>
+ #include "arj.h"
+
+ /* Operations */
+@@ -37,8 +38,9 @@
+
+ static char buf[PROC_BLOCK_SIZE];
+
+-static void _fput_dword(const unsigned long l, FILE *stream)
++static void _fput_dword(const unsigned long w, FILE *stream)
+ {
++ uint32_t l = (uint32_t)w;
+ #ifdef WORDS_BIGENDIAN
+ fputc(l ,stream);
+ fputc(l>>8 ,stream);
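Review bot: The `(uint32_t)` casts in the two integrity comparisons read as accidental truncation to anyone who does not know the stored fields are 32-bit, so a comment on the first one, `/* st_crc/st_fsize are written as 32-bit dwords by _fput_dword; compare only the low 32 bits on LP64 */`, would keep the casts from being "cleaned up" later (that the fields are read back at that width is presumed from the writer, not visible here). In `_fput_dword` the renamed parameter `w` with a new local `l` keeps the existing `fputc(l ...)` lines unchanged, but the name swap is easy to misread; `uint32_t l = (uint32_t)w; /* narrow to the on-disk dword width */` would make the intent explicit. Both hunks are cut inside their enclosing functions.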
diff --git a/system/arj/patches/series b/system/arj/patches/series
index 23c1fc7e5356b..ea86f10da987a 100644
--- a/system/arj/patches/series
+++ b/system/arj/patches/series
@@ -10,4 +10,7 @@ doc_refer_robert_k_jung.patch
gnu_build_fix.patch
gnu_build_flags.patch
gnu_build_strip.patch
-SBo_integrity_64bit.patch
+self_integrity_64bit.patch
+security-afl.patch
+security-traversal-dir.patch
+security-traversal-symlink.patch