With bad UTF-8, cygwin can create files it can't read
Hello,

I've found that if you use cygwin to create a file with badly-encoded UTF-8, readdir() gives out an entry with a name that cygwin won't subsequently accept.

* create a file using filename with hex bytes F4 8F BF BF
* readdir() reports the filename as hex bytes E2 8E B3 ED BF BF
* attempting to open or unlink the filename E2 8E B3 ED BF BF fails
* attempting to open or unlink the filename F4 8F BF BF succeeds

Here's a test case. Beware that it will delete everything in the current directory.

    #include <stdio.h>
    #include <unistd.h>   /* unlink() */
    #include <dirent.h>

    int main() {
        DIR *d;
        struct dirent *de;
        char *fname = "\xF4\x8F\xBF\xBF";

        // touch file
        fclose(fopen(fname, "wb"));

        // iterate through dir
        d = opendir(".");
        while ((de = readdir(d))) {
            if (de->d_name[0] == '.') continue;
            printf("unlink(%s) = %d\n", de->d_name, unlink(de->d_name));
        }
        closedir(d);

        // show that unlink works if you know the real filename
        printf("unlink(%s) = %d\n", fname, unlink(fname));
    }

This outputs (piped through hexdump -C)

    75 6e 6c 69 6e 6b 28 e2 8e b3 ed bf bf 29 20 3d |unlink(..) =|
    0010 20 2d 31 0a 75 6e 6c 69 6e 6b 28 f4 8f bf bf 29 | -1.unlink()|
    0020 20 3d 20 30 0a| = 0.|
    0025

e.g.

    unlink(\xe2\x8e\xb3\xed\xbf\xbf) = -1
    unlink(\xf4\x8f\xbf\xbf) = 0

This is with cygwin package 1.7.35

    $ cygcheck -c cygwin
    Cygwin Package Information
    Package              Version        Status
    cygwin               1.7.35-1       OK

Windows / DOS does not have the problem:

    c:\test\t>dir
     Volume in drive C has no label.
     Volume Serial Number is -

     Directory of c:\test\t

    25/03/2015  14:30    <DIR>          .
    25/03/2015  14:30    <DIR>          ..
    25/03/2015  14:30                 0 ??
                   1 File(s)              0 bytes
                   2 Dir(s)  39,906,525,184 bytes free

    c:\test\t>del *
    c:\test\t\*, Are you sure (Y/N)? y

    c:\test\t>dir
     Volume in drive C has no label.
     Volume Serial Number is -

     Directory of c:\test\t

    25/03/2015  14:31    <DIR>          .
    25/03/2015  14:31    <DIR>          ..
                   0 File(s)              0 bytes
                   2 Dir(s)  39,906,525,184 bytes free

Regards
Stuart

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
[ANNOUNCEMENT] Updated: cabextract-1.6-1
Version 1.6-1 of cabextract has been uploaded.

cabextract is a utility for extracting Microsoft Cabinet (.CAB) files.

This update fixes a number of security bugs:

* CVE-2014-9556: A CAB file with invalid file offset or length (where offset + length == 2^32) causes an infinite loop in the Quantum decoder on 32-bit architectures. [Debian bugs #772891, #773041]
* CVE-2015-2060: A CAB file with overlong UTF-8 encodings for / can get its files extracted to an absolute path instead of the current directory. [Debian bug #778753]
* On Cygwin, a CAB file using both / and \ can evade checks for absolute files and ../ directory traversals and can get its files extracted to any path.
* A CAB file with two folders, the second folder invalid, and a file decompression order of folder 1, 2, 1, causes execution to jump to NULL. [Debian bugs #773659, #774665]
* A CAB file with MSZIP-compressed data and a distance code of 30 causes a 1 byte over-read. [Debian bug #775498]
* A CAB file with zero-length filenames causes a 1 byte over-read.
* A CAB file with invalid UTF-8 encoded filenames causes over-read of up to 5 bytes.
* A CAB file with LZX-compressed data ending early during an odd-sized uncompressed block can cause a 1-byte under-read. [Debian bug #775499]
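The filename fixes in this announcement (overlong UTF-8 for /, mixed / and \ separators, zero-length and invalid UTF-8 names) and the byte sequences in the readdir() report above all come down to validating a name before using it as a path. The following is an added example, not cabextract's or Cygwin's code: utf8_decode and member_name_is_safe are hypothetical names, and rejecting a bad name outright (rather than rewriting it) is an assumed policy.

```c
#include <stddef.h>
#include <string.h>

/* Decode one strict UTF-8 sequence at s (n bytes available). Returns the
 * bytes consumed, or 0 if truncated, overlong, a surrogate or > U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, size_t n, unsigned long *cp)
{
    static const unsigned long min[] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len, i;
    if (n == 0) return 0;
    if (s[0] < 0x80)                { *cp = s[0];        len = 1; }
    else if ((s[0] & 0xE0) == 0xC0) { *cp = s[0] & 0x1F; len = 2; }
    else if ((s[0] & 0xF0) == 0xE0) { *cp = s[0] & 0x0F; len = 3; }
    else if ((s[0] & 0xF8) == 0xF0) { *cp = s[0] & 0x07; len = 4; }
    else return 0;                        /* stray continuation or F8..FF */
    if (len > n) return 0;                /* truncated: never read past end */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min[len]) return 0;         /* overlong, e.g. C0 AF for '/' */
    if ((*cp >= 0xD800 && *cp <= 0xDFFF) || *cp > 0x10FFFF) return 0;
    return len;
}

/* Assumed policy: returns 1 only if the archive member name is valid UTF-8,
 * relative, and free of ".." components under either separator. */
int member_name_is_safe(const char *name)
{
    const unsigned char *s = (const unsigned char *)name;
    size_t n = strlen(name), used, pos = 0, comp_len = 0, dots = 0;
    unsigned long cp;
    if (n == 0) return 0;                         /* zero-length filename */
    while (pos < n) {
        used = utf8_decode(s + pos, n - pos, &cp);
        if (used == 0) return 0;                  /* invalid UTF-8 */
        if (cp == '/' || cp == '\\') {            /* both are separators */
            if (pos == 0) return 0;               /* absolute path */
            if (comp_len == 2 && dots == 2) return 0;   /* ".." component */
            comp_len = dots = 0;
        } else {
            if (cp == ':' && pos == 1) return 0;  /* drive prefix "C:" */
            comp_len++;
            if (cp == '.') dots++;
        }
        pos += used;
    }
    return !(comp_len == 2 && dots == 2);         /* trailing ".." */
}
```

Applied to the two names from the readdir() report, this decoder accepts F4 8F BF BF as U+10FFFF and rejects E2 8E B3 ED BF BF, because ED BF BF encodes the surrogate U+DFFF.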
SSH key for upload access
Name: Stuart Caie
Package: cabextract
[RFU] cabextract 1.4 x86-64
I've compiled a 64-bit version of the existing cabextract 1.4-1 package:

http://www.cabextract.org.uk/cygwin64/cabextract-1.4-1.tar.bz2
http://www.cabextract.org.uk/cygwin64/cabextract-1.4-1-src.tar.bz2

Other than the architecture, there are no differences between this and the existing 32-bit version.

Regards
Stuart
[RFU] cabextract 1.4
I've created an update to the cabextract package.

http://www.cabextract.org.uk/cygwin/cabextract-1.4-1.tar.bz2
http://www.cabextract.org.uk/cygwin/cabextract-1.4-1-src.tar.bz2

The old version to keep is 1.3; any older than that can be removed.

Regards
Stuart
[ANNOUNCEMENT] Updated: cabextract 1.3-1
Version 1.3 of cabextract has been uploaded.

cabextract is Free Software for extracting Microsoft cabinet files, also called .CAB files. See http://www.cabextract.org.uk/ for more details.

Since the last cygwin release (1.1), the following changes were made:

* -t option: Allows you to test that every file can be extracted without having to extract it to disk. This also prints the MD5 checksum of the file.
* UTF-8 filenames are now decoded correctly.
* Large files (2GB) are now searched correctly for cabinets.
* Bugs in all decompressors have been fixed. This includes fixing an infinite loop caused by a carefully crafted MS-ZIP archive.
* MS-ZIP recovery has been improved. You will now get data from within a bad block, up to the point it turned bad.
[ITP] cabextract 1.3
cabextract is free software to extract Microsoft Cabinet files.

I am the author of cabextract, and I thought Cygwin could do with the latest version, as it fixes several security bugs. The version currently in Cygwin is about 4 years out of date.

http://www.cabextract.org.uk/cygwin/Makefile
http://www.cabextract.org.uk/cygwin/README
http://www.cabextract.org.uk/cygwin/cabextract-1.3-1-src.tar.bz2
http://www.cabextract.org.uk/cygwin/cabextract-1.3-1.cygport
http://www.cabextract.org.uk/cygwin/cabextract-1.3-1.tar.bz2
http://www.cabextract.org.uk/cygwin/setup.hint

Regards
Stuart
Re: [ITP] cabextract 1.3
On 27 July 2010 15:47, Christopher Faylor cgf-use-the-mailinglist-ple...@cygwin.com wrote:
> Just to be clear, are you saying that you'll take over maintainership of this package?

Sure, I can do that.

Regards
Stuart
Re: [ITP] cabextract 1.3
On 27 July 2010 20:00, Christopher Faylor cgf-use-the-mailinglist-ple...@cygwin.com wrote:
> Ok. That will mean that you need to subscribe to the cygwin mailing list to look for problem reports and you'll need to also be reading this mailing list for any issues that affect package maintainers.

OK, I'll do that.

> The setup.hint file that you've provided doesn't need a Requires: cygwin because that is assumed. It would also be unusual if it didn't rely on anything other than cygwin.

OK, I removed it.

> I can't check the binary tarball because: [...] It looks like it is corrupted.

So it is! It appears ftp.exe defaults to ASCII, which is the source of the problem. I've rebuilt the packages and uploaded them again.

Regards
Stuart