retitle 305255 CAN-2005-1228 gzip: dir traversal bug when using "gunzip -N" thanks
Time to tag the CVE number into the title. :) This bug is reported into RedHat as bug <URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156266>. There is no patch available there. It is also reported as solved by Ubuntu, <URL:http://lwn.net/Alerts/134678/>. They are using the patch directly from Ulf Harnhammar. Based on the patch from Ulf Harnhammar, I ended up with this patch for version 1.2.4a. The original patch was not legal ANSI C89, and failed to build with gcc 2.95. I'm still not sure if the user of basename() instead of base_name() is the correct thing to do here. diff -ur src-1.2.4a-local/gzip.c src-1.2.4aUSIT.1/gzip.c --- src-1.2.4a-local/gzip.c 1993-08-19 15:39:43.000000000 +0200 +++ src-1.2.4aUSIT.1/gzip.c 2005-05-19 18:20:17.000000000 +0200 @@ -1244,6 +1244,7 @@ /* Copy the base name. Keep a directory prefix intact. */ char *p = basename(ofname); char *base = p; + char *base2; for (;;) { *p = (char)get_char(); if (*p++ == '\0') break; @@ -1251,6 +1252,8 @@ error("corrupted input -- file name too large"); } } + base2 = basename (base); + strcpy(base, base2); /* If necessary, adapt the name to local OS conventions: */ if (!list) { MAKE_LEGAL_NAME(base); -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
