retitle 305255 CAN-2005-1228 gzip: dir traversal bug when using "gunzip -N"
thanks

Time to tag the CVE number into the title. :)

This bug is reported to RedHat as bug
<URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=156266>.
There is no patch available there.  It is also reported as solved by
Ubuntu, <URL:http://lwn.net/Alerts/134678/>.  They are using the patch
directly from Ulf Harnhammar.

Based on the patch from Ulf Harnhammar, I ended up with this patch for
version 1.2.4a.  The original patch was not legal ANSI C89, and failed
to build with gcc 2.95.  I'm still not sure if the use of basename()
instead of base_name() is the correct thing to do here.

diff -ur src-1.2.4a-local/gzip.c src-1.2.4aUSIT.1/gzip.c
--- src-1.2.4a-local/gzip.c     1993-08-19 15:39:43.000000000 +0200
+++ src-1.2.4aUSIT.1/gzip.c     2005-05-19 18:20:17.000000000 +0200
@@ -1244,6 +1244,7 @@
                /* Copy the base name. Keep a directory prefix intact. */
                 char *p = basename(ofname);
                 char *base = p;
+               char *base2;
                for (;;) {
                    *p = (char)get_char();
                    if (*p++ == '\0') break;
@@ -1251,6 +1252,8 @@
                        error("corrupted input -- file name too large");
                    }
                }
+               base2 = basename (base);
+               strcpy(base, base2);
                 /* If necessary, adapt the name to local OS conventions: */
                 if (!list) {
                    MAKE_LEGAL_NAME(base);
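
Review bot: The added `strcpy(base, base2);` in the second hunk copies between overlapping regions of the same buffer. `base2` comes from `basename (base)`, and the context lines `char *p = basename(ofname); char *base = p;` show that basename() returns a pointer into its argument, so whenever the stored name carries a directory part, `base2` points further along the string that starts at `base`. strcpy() is undefined for overlapping objects in C, so the result depends on the libc implementation. Suggest `memmove(base, base2, strlen(base2) + 1);`, guarded by `if (base2 != base)`. A short comment above the two added lines saying that the directory components of the name stored in the archive are being discarded would also make the intent of the fix clear to later readers.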

