Update: archivers/zoo


Update: archivers/zoo

Rui Reis-2
zoo contains an exploitable buffer overflow. This update has a patch
from the original advisory:
http://www.guay-leroux.com/projects/zoo-advisory.txt

update available here:
http://openbsd-pt.com/ports/zoo-2.10.1.diff

Works fine for me on i386.

Test and comment.
Rui Reis


Re: Update: archivers/zoo

Rui Reis-2
On Thu, 6 Apr 2006 09:57:41 +0100
Rui Reis <[hidden email]> wrote:

> zoo contains an exploitable buffer overflow. This update has a patch
> from the original advisory:
> http://www.guay-leroux.com/projects/zoo-advisory.txt
>
> update available here:
> http://openbsd-pt.com/ports/zoo-2.10.1.diff

sorry, hosting problems... diff available here:
http://dei.isep.ipp.pt/~i020853/zoo-2.10.1.diff

Rui Reis



Re: Update: archivers/zoo

Peter Valchev
In reply to this post by Rui Reis-2
Actually there are way more issues in it ... a small list that
linux people have fixed:
http://rpmfind.net/linux/RPM/suse/updates/10.0-OSS/i386/rpm/i586/zoo-2.10-858.4.i586.html

Patches for those follow; however this thing is a pile of poo
altogether.  There are likely many other issues (just look at the
amount of remaining strcat/strcpy which come from user input).
Someone should fix them all but I feel like I've already wasted
enough time looking at this pile of poo.  Anyway, someone
should double check these don't break anything at least.

Index: Makefile
===================================================================
RCS file: /cvs/ports/archivers/zoo/Makefile,v
retrieving revision 1.17
diff -u -p -r1.17 Makefile
--- Makefile 21 Nov 2004 12:50:33 -0000 1.17
+++ Makefile 7 Apr 2006 07:41:16 -0000
@@ -3,7 +3,7 @@
 COMMENT= "handle the old .ZOO archive format"
 
 DISTNAME= zoo-2.10pl1
-PKGNAME= zoo-2.10.1
+PKGNAME= zoo-2.10.1p0
 CATEGORIES= archivers
 MASTER_SITES= ftp://ftp.kiarchive.ru/pub/unix/arcers/
 
Index: patches/patch-misc_c
===================================================================
RCS file: patches/patch-misc_c
diff -N patches/patch-misc_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-misc_c 7 Apr 2006 07:41:16 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- misc.c.orig Tue Jul 16 09:52:54 1991
++++ misc.c Fri Apr  7 01:36:17 2006
+@@ -135,11 +135,16 @@ if available, else the short filename is
+ char *fullpath (direntry)
+ struct direntry *direntry;
+ {
+- static char result[PATHSIZE];
++ static char result[PATHSIZE+LFNAMESIZE+12]; /* Room for enough space.*/
+ combine (result,
+ direntry->dirlen != 0 ? direntry->dirname : "",
+ (direntry->namlen != 0) ? direntry->lfname : direntry->fname
+  );
++
++       if (strlen (result) >= PATHSIZE) {
++               prterror ('f', "Combined dirname and filename too long!\n");
++       }
++
+ return (result);
+ }
+
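Review bot: the `strlen (result) >= PATHSIZE` check runs only after combine() has already written into result, so it is the enlarged `result[PATHSIZE+LFNAMESIZE+12]` that actually prevents the overflow and the check merely reports the condition afterwards; the +12 slack is only safe if combine() can never emit more than one dirname of at most PATHSIZE bytes, one name of at most LFNAMESIZE bytes and the separators, which is worth confirming against combine() itself. Also confirm that prterror('f', ...) does not return to the caller; if it does, the over-long result is still handed back, so a bail-out after the call (or at least `result[PATHSIZE-1] = '\0'`) would be safer.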
Index: patches/patch-parse_c
===================================================================
RCS file: patches/patch-parse_c
diff -N patches/patch-parse_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-parse_c 7 Apr 2006 07:41:16 -0000
@@ -0,0 +1,12 @@
+$OpenBSD$
+--- parse.c.orig Tue Jul 16 09:54:43 1991
++++ parse.c Fri Apr  7 01:37:24 2006
+@@ -39,7 +39,7 @@ char *fname;
+    char *namep;                   /* points to relevant part of tempname */
+
+    char *p;
+-   strcpy (tempname, fname);
++   strlcpy(tempname, fname, LFNAMESIZE);
+
+ #ifdef DEBUG
+ printf ("parse:  supplied name is [%s].\n", tempname);
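Review bot: `strlcpy(tempname, fname, LFNAMESIZE)` assumes tempname is exactly LFNAMESIZE bytes, and the hunk does not show its declaration; `sizeof(tempname)` would keep the bound tied to the array it protects. strlcpy also truncates silently, so if a truncated name can change how the rest of parse() interprets it, compare the return value against the size and report the truncation, as the misc.c patch does for the combined path.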
Index: patches/patch-portable_c
===================================================================
RCS file: patches/patch-portable_c
diff -N patches/patch-portable_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-portable_c 7 Apr 2006 07:41:16 -0000
@@ -0,0 +1,35 @@
+$OpenBSD$
+--- portable.c.orig Tue Jul 16 09:55:11 1991
++++ portable.c Fri Apr  7 01:35:28 2006
+@@ -364,6 +364,31 @@ ZOOFILE zoo_file;
+       show_dir(direntry);
+    }
+ #endif
++   char *p;
++   /* take off '../'   */
++   while ((p = strstr( direntry->dirname, "../" )) != NULL) {
++      while (*(p+3) != '\0') {
++        *p = *(p + 3);
++        p++;
++      }
++      *p = *(p+3); /* move last null */
++      //printf("zoo: skipped \"../\" path component in '%s'\n", direntry->dirname);
++   }
++   /* take off  '/'  */
++   if ( direntry->dirname[0] == '/' ) {
++      p = direntry->dirname;
++      while (*p != '\0') {
++        *p = *(p + 1);
++        p++;
++      }
++      *p = *(p+1); /* move last null */
++      //printf("zoo: skipped \"/\" path component in '%s'\n", direntry->dirname);
++   }
++   /* take off '..'   */
++   if(!strcmp(direntry->dirname, ".."))
++      direntry->dirname[0] = '\0';
++   /* direntry->dirlen = strlen(direntry->dirname); */
++
+    return (0);
+ }
+
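Review bot: `char *p;` is introduced after the statements that precede `#endif`, a mixed declaration that the older C compilers this 1991 code base targets reject; move it up with the function's other locals. Only a single leading '/' is removed, so a dirname of "//etc" comes out as "/etc" and is still absolute; make it `while (direntry->dirname[0] == '/')` or a loop that skips every leading slash. In that same block the `*p = *(p+1); /* move last null */` after the while is unnecessary, because that loop's `*p != '\0'` condition has already copied the terminator, and it reads one byte past the string. The commented-out `direntry->dirlen = strlen(direntry->dirname);` leaves dirlen stale after the rewrite, so any later code that trusts dirlen as the length of dirname is now wrong; restore the update. The `//` comments are also not C89.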

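For comparison with the portable.c and misc.c patches above, here is an added example (not zoo's code and not part of the port's patch) of a component-wise dirname sanitiser that drops every leading slash and every "." or ".." component in one pass, beside a path join whose size check happens before anything is written. The names sanitize_dirname and join_path, the 256-byte buffer and the constructed hostile dirname in main() are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define PATHSIZE 256   /* assumed stand-in for zoo's PATHSIZE */

/* Rewrite dirname in place, keeping only components that are not empty,
 * "." or "..".  Every leading '/' goes, not just the first, so "//etc" can
 * never stay absolute.  Returns the number of components dropped, which a
 * caller can log as a sign of a hostile archive header. */
int sanitize_dirname(char *dirname)
{
    char *out = dirname;
    const char *in = dirname;
    int dropped = 0;

    while (*in != '\0') {
        const char *end = strchr(in, '/');
        size_t len = end ? (size_t)(end - in) : strlen(in);

        if (len == 0 || (len == 1 && in[0] == '.') ||
            (len == 2 && in[0] == '.' && in[1] == '.')) {
            dropped++;
        } else {
            if (out != dirname)
                *out++ = '/';          /* out stays behind in, so this is safe */
            memmove(out, in, len);     /* regions may overlap: memmove, not memcpy */
            out += len;
        }
        in += len + (end ? 1 : 0);
    }
    *out = '\0';
    return dropped;
}

/* Bounded join: the size check happens before anything is written, unlike a
 * strlen() on an already-filled buffer.  Returns -1 if out is too small. */
int join_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s%s%s", dir, *dir ? "/" : "", name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char dir[] = "/../../etc";             /* constructed hostile dirname */
    char full[PATHSIZE];
    int dropped = sanitize_dirname(dir);
    if (join_path(full, sizeof full, dir, "passwd") == 0)
        printf("dropped %d component(s), extracting to %s\n", dropped, full);
    return 0;
}
```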

Re: Update: archivers/zoo

Rui Reis-2
On Fri, 7 Apr 2006 01:50:46 -0600
Peter Valchev <[hidden email]> wrote:

> Actually there are way more issues in it ... a small list that
> linux people have fixed:
> http://rpmfind.net/linux/RPM/suse/updates/10.0-OSS/i386/rpm/i586/zoo-2.10-858.4.i586.html
>
> Patches for those follow; however this thing is a pile of poo
> altogether.  There are likely many other issues (just look at the
> amount of remaining strcat/strcpy which come from user input).
> Someone should fix them all but I feel like I've already wasted
> enough time looking at this pile of poo.  Anyway, someone
> should double check these don't break anything at least.

seems ok on i386.

Rui Reis
