On Mon, 2006-03-27 at 21:25 +0200, Antoine Reilles wrote:
> Hi,

Salut Antoine, hi Tom,

thanks for the bug report.

> The fastjar in kaffe/external/gcc/fastjar has a security problem
> as reported at:
> http://secunia.com/advisories/14902
>
> There is a problem with input validation that allows to extract files
> to arbitrary locations, using ../ (see the url for more details).

I can confirm that the bug is indeed there in the version of fastjar
distributed in Kaffe 1.1.7. I've tried the steps described in
http://www.securiteam.com/securitynews/5IP0C0AFGW.html

> I adapted a patch [EMAIL PROTECTED] wrote for the fastjar package in
> pkgsrc to the fastjar in kaffe, adding the necessary input checks to
> avoid that problem.

Thanks!

I'd recommend using realpath or canonicalize_file_name, if available, to
do the canonicalisation, rather than writing one's own function, though.
See http://www.gnu.org/software/libc/manual/html_node/Symbolic-Links.html#Symbolic-Links
for a description.

I guess you could then simply chop the first char off if it is a file
separator. I am not sure what the POSIX-y way to find out the file
separator char/string is, though. Just slashing '/'s may not work so
well on systems where '\' is the directory separator, like win32. So I'd
recommend going with realpath or canonicalize_file_name.

If the patch fixes the issue, please check it in, though. We can improve
on it while the hole is plugged.

I need to check if the fastjar code in gcc has changed between gcc 4.0.2
and 4.0.3/4.1.0.

> Is it right to commit? Also, a similar fix could be brought to the
> fastjar in gcc

I have not tried the fastjar code in gcc yet. I've fired off a gcc SVN
head build, but I don't know how long it will take. :/

cheers,
dalibor topic

_______________________________________________
kaffe mailing list
[email protected]
http://kaffe.org/cgi-bin/mailman/listinfo/kaffe
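The kind of input check the mail is about, as an added example that is neither fastjar's nor Kaffe's code: it canonicalises a jar entry name lexically before joining it to the destination directory and refuses any entry that would land outside it. realpath(3) only resolves paths that already exist, so the example assumes the caller has already applied it to the destination directory (dest_root); treating '\' as a separator as well covers the win32 case raised above.

```c
/* Added example, not fastjar's code: lexically canonicalise a jar entry name
 * and refuse anything that would land outside dest_root. dest_root is assumed
 * already canonical (e.g. from realpath(3), which works because the directory
 * exists). '\\' is treated as a separator too, to be conservative on win32. */
#include <string.h>
#define MAX_SEGS 64
static int is_sep(char c) { return c == '/' || c == '\\'; }
/* Returns 1 and writes dest_root/<normalised entry> into out when the entry
 * is safe; 0 for empty, absolute, drive-letter or escaping names, or a small out. */
int safe_extract_path(const char *dest_root, const char *entry,
                      char *out, size_t outlen)
{
    const char *segs[MAX_SEGS];
    size_t lens[MAX_SEGS], used;
    int n = 0, i;
    const char *p = entry;
    if (*p == '\0' || is_sep(*p) || (p[1] == ':' && is_sep(p[2])))
        return 0;                                /* empty, "/x", "C:\x" */
    while (*p) {
        const char *start = p;
        size_t len;
        while (*p && !is_sep(*p)) p++;           /* one path segment */
        len = (size_t)(p - start);
        while (is_sep(*p)) p++;                  /* skip "//" runs too */
        if (len == 1 && start[0] == '.')
            continue;                            /* "." changes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return 0;                /* ".." would climb past the root */
            n--;
            continue;
        }
        if (n == MAX_SEGS) return 0;
        segs[n] = start; lens[n] = len; n++;
    }
    if (n == 0) return 0;                        /* e.g. "./" or "a/.." is not a file */
    used = strlen(dest_root);
    while (used > 1 && is_sep(dest_root[used - 1])) used--;   /* drop trailing '/' */
    if (used >= outlen) return 0;
    memcpy(out, dest_root, used);
    for (i = 0; i < n; i++) {                    /* rebuild from the kept segments */
        if (used + 1 + lens[i] >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}
```

An extractor would call this once per entry and skip (or abort on) any entry for which it returns 0 before creating directories or opening the output file.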
