[kaffe] fastjar security issue
Antoine Reilles
Antoine.Reilles at loria.fr
Mon Mar 27 11:25:41 PST 2006
Hi,
The fastjar in kaffe/external/gcc/fastjar has a security problem
as reported at:
http://secunia.com/advisories/14902
There is a problem with input validation that allows extracting files
to arbitrary locations, using ../ (see the url for more details).
I adapted a patch joerg at netbsd.org wrote for the fastjar package in
pkgsrc to the fastjar in kaffe, adding the necessary input checks to
avoid that problem.
Is it right to commit? Also, a similar fix could be brought to the
fastjar in gcc.
Cheers,
antoine
Index: jartool.c
===================================================================
RCS file: /cvs/kaffe/kaffe/external/gcc/fastjar/jartool.c,v
retrieving revision 1.1
diff -u -r1.1 jartool.c
--- jartool.c 3 Jan 2006 15:27:01 -0000 1.1
+++ jartool.c 27 Mar 2006 19:02:49 -0000
@@ -1591,6 +1591,31 @@
return 0;
}
+static void canonical_filename(char *filename)
+{
+ char *iterator, *iterator2;
+
+ for (;;) {
+ if (*filename == '/')
+ memmove(filename, filename + 1, strlen(filename));
+ else if (filename[0] == '.' && filename[1] == '/')
+ memmove(filename, filename + 2, strlen(filename) - 1);
+ else if (filename[0] == '.' && filename[1] == '.' && filename[2] == '/')
+ memmove(filename, filename + 3, strlen(filename) - 2);
+ else if ((iterator = strstr(filename, "//")) != NULL)
+ memmove(iterator, iterator + 1, strlen(iterator));
+ else if ((iterator = strstr(filename, "/./")) != NULL)
+ memmove(iterator, iterator + 2, strlen(iterator) - 1);
+ else if ((iterator = strstr(filename, "/../")) != NULL) {
+ for (iterator2 = iterator - 1; iterator2 > filename && *iterator2 != '/'; --iterator2)
+ continue;
+ /* iterator2 >= filename, handle the initial slash above, if necessary */
+ memmove(iterator2, iterator + 3, strlen(iterator) - 2);
+ } else
+ break;
+ }
+}
+
int extract_jar(int fd, char **files, int file_num){
int rdamt;
int out_a, in_a;
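Review bot: canonical_filename() silently rewrites the entry name instead of reporting it, so an archive entry "../../etc/passwd" is quietly extracted as "etc/passwd" and the user never learns that the jar tried to escape the extraction directory; consider having the function return whether it changed anything (or rejecting such names outright) so the callers can at least print a warning naming the offending entry. A second point on the matching rules: every pattern requires a trailing '/', so a final component of ".." (a bare ".." or "dir/..") passes through unchanged; it cannot climb out of the tree as a file name, but normalizing or rejecting it as well keeps the function's contract simple ("no '..' component survives"). The memmove length arithmetic (strlen(...) - 1, - 2) does include the terminating NUL in every case, but a one-line comment saying so would save the next reader from re-deriving it.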
@@ -1699,6 +1724,13 @@
pb_read(&pbf, filename, fnlen);
filename[fnlen] = '\0';
+ canonical_filename(filename);
+
+ if (*filename == '\0') {
+ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
+ exit(1);
+ }
+
#ifdef DEBUG
printf("filename is %s\n", filename);
#endif
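Review bot: the canonicalized name has already overwritten filename by the time the error is printed and by the time the DEBUG printf runs, so neither message shows what the archive actually contained; an entry consisting only of "../" components is reported as an "empty file name", which will puzzle anyone reading the log. Suggest taking a copy before the canonical_filename(filename) call (or checking the raw name first) and printing it, e.g. `fprintf(stderr, "Error extracting JAR archive, unsafe file name '%s'\n", orig);` with orig being that copy, so the diagnostic identifies the malicious entry.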
@@ -2007,6 +2039,12 @@
}
filename[fnlen] = '\0';
+ canonical_filename(filename);
+ if (*filename == '\0') {
+ fprintf(stderr, "Error extracting JAR archive, empty file name!\n");
+ exit(1);
+ }
+
/* if the user specified a list of files on the command line,
we'll only display those, otherwise we'll display everything */
if(file_num > 0){
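Review bot: the context lines ("we'll only display those, otherwise we'll display everything") show this is the listing path, so the message "Error extracting JAR archive" is wrong here, and canonicalizing in listing mode means the listing shows the rewritten names rather than the ones stored in the archive: someone inspecting a suspicious jar before extracting it would see "etc/passwd" where the archive says "../../etc/passwd". For listing, print the stored name as-is (optionally flagging entries that canonicalization would alter) and keep the exit-on-empty check only where something is actually written to disk. Style: the previous hunk puts a blank line between the canonical_filename() call and the empty-name check, this one does not; pick one.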
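As an added example, not part of this patch or of fastjar, here is the other way of handling the same problem: refusing an unsafe entry name with a diagnostic rather than rewriting it and extracting under a different path. The function and enum names (check_entry_name, entry_verdict, count_rejected) are assumptions made for the example, and the sample entry names are constructed. It goes slightly beyond the patch in treating backslashes and a drive-letter prefix as separators and absolute paths, which matters when the extractor runs on Windows.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts returned by check_entry_name(). Hypothetical names, not fastjar API. */
enum entry_verdict {
    ENTRY_OK = 0,
    ENTRY_EMPTY,        /* zero-length name */
    ENTRY_ABSOLUTE,     /* starts with '/', '\\' or a drive letter such as "C:" */
    ENTRY_PARENT_REF    /* some path component is exactly ".." */
};

/* Reject-rather-than-rewrite check for an archive entry name.
 * Both '/' and '\\' are treated as separators so that a name such as
 * "..\\x" is caught when the extractor runs on a platform that honours
 * backslashes. Returns ENTRY_OK only when every component is harmless. */
enum entry_verdict check_entry_name(const char *name)
{
    const char *p;

    if (name == NULL || *name == '\0')
        return ENTRY_EMPTY;
    if (name[0] == '/' || name[0] == '\\')
        return ENTRY_ABSOLUTE;
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return ENTRY_ABSOLUTE;

    for (p = name; *p != '\0'; ) {
        const char *start = p;
        size_t len;

        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        len = (size_t)(p - start);
        /* "." and empty components ("a//b") stay inside the tree; only ".." escapes */
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return ENTRY_PARENT_REF;
        if (*p != '\0')
            p++;                /* skip the separator */
    }
    return ENTRY_OK;
}

/* Human-readable reason for a diagnostic message. */
const char *entry_verdict_name(enum entry_verdict v)
{
    switch (v) {
    case ENTRY_OK:         return "ok";
    case ENTRY_EMPTY:      return "empty name";
    case ENTRY_ABSOLUTE:   return "absolute path";
    case ENTRY_PARENT_REF: return "contains a \"..\" component";
    }
    return "unknown";
}

/* Constructed sample entry names, as an untrusted jar might carry them. */
static const char *const sample_names[] = {
    "META-INF/MANIFEST.MF",
    "com/example/Main.class",
    "../../outside.txt",
    "/etc/passwd",
    "dir/..",
    "a/..b/c",
    "..\\x",
    "C:foo",
    "",
};

/* Counts how many of the constructed samples the check refuses. */
int count_rejected(void)
{
    size_t i, rejected = 0;
    for (i = 0; i < sizeof sample_names / sizeof sample_names[0]; i++)
        if (check_entry_name(sample_names[i]) != ENTRY_OK)
            rejected++;
    return (int)rejected;
}

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof sample_names / sizeof sample_names[0]; i++) {
        enum entry_verdict v = check_entry_name(sample_names[i]);
        printf("%-26s %s\n", sample_names[i], v == ENTRY_OK ? "extract" : "REJECT");
        if (v != ENTRY_OK)
            printf("%-26s   reason: %s\n", "", entry_verdict_name(v));
    }
    return 0;
}
```

Rejecting keeps the on-disk layout identical to what the archive declares, which makes a suspicious jar easy to spot in logs and avoids the listing-versus-extraction mismatch that silent rewriting introduces.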