- x32 rebuild
[packages/lha.git] / lha-security_fixes.patch
1 diff -urN lha-114i.orig/src/lha_macro.h lha-114i/src/lha_macro.h
2 --- lha-114i.orig/src/lha_macro.h       2000-10-04 16:57:38.000000000 +0200
3 +++ lha-114i/src/lha_macro.h    2004-12-13 20:02:02.850369304 +0100
4 @@ -53,7 +53,7 @@
5  #define SEEK_SET               0
6  #define SEEK_CUR               1
7  #define SEEK_END               2
8 -#endif /* SEEK_SET
9 +#endif /* SEEK_SET */
10  
11  
12  /* non-integral functions */
13 diff -urN lha-114i.orig/src/lharc.c lha-114i/src/lharc.c
14 --- lha-114i.orig/src/lharc.c   2004-12-13 20:01:23.000000000 +0100
15 +++ lha-114i/src/lharc.c        2004-12-13 20:04:18.906685600 +0100
16 @@ -830,9 +830,10 @@
17         DIRENTRY       *dp;
18         struct stat     tmp_stbuf, arc_stbuf, fil_stbuf;
19  
20 -       strcpy(newname, name);
21 +       strncpy(newname, name, sizeof(newname));
22 +       newname[sizeof(newname)-1] = 0;
23         len = strlen(name);
24 -       if (len > 0 && newname[len - 1] != '/')
25 +       if (len > 0 && newname[len - 1] != '/' && len < (sizeof(newname)-1))
26                 newname[len++] = '/';
27  
28         dirp = opendir(name);
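Review bot: `len = strlen(name)` still measures the untruncated source, so when `name` is longer than `newname` the test `newname[len - 1] != '/'` reads past the end of the buffer before the new `len < (sizeof(newname)-1)` bound is evaluated. Take the length from the copy instead, `len = strlen(newname);`, and put the bound first in the condition so the index is checked before it is used. The enclosing function starts and ends outside this hunk, so the declared size of `newname` and the type of `len` are not visible here.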
29 @@ -846,6 +847,11 @@
30  
31         for (dp = readdir(dirp); dp != NULL; dp = readdir(dirp)) {
32                 n = NAMLEN(dp);
33 +               if (len >= (sizeof(newname)-1) ||
34 +                               (len+n) >= (sizeof(newname)-1) ||
35 +                                        n  <= 0                   ||
36 +                               (len+n) <= 0)
37 +                       break;
38                 strncpy(newname + len, dp->d_name, n);
39                 newname[len + n] = '\0';
40                 if (GETSTAT(newname, &fil_stbuf) < 0)
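Review bot: The new guard leaves the `readdir` loop with `break`, so one over-long entry silently drops every directory entry after it and the caller gets a short file list with no diagnostic. `continue`, ideally with a `warning(...)` naming the entry, would skip only the entry that does not fit, and the loop-invariant `len >= (sizeof(newname)-1)` part could be tested once before the loop. The `n <= 0` and `(len+n) <= 0` tests come after both values have already been compared against a `size_t`, where a negative `int` converts to a large unsigned value. If `len` and `n` are signed (their declarations are outside the hunk), test the sign first so the intent is explicit.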
41 @@ -903,7 +909,8 @@
42                 strcpy(temporary_name, TMP_FILENAME_TEMPLATE);
43         }
44         else {
45 -               sprintf(temporary_name, "%s/lhXXXXXX", extract_directory);
46 +               snprintf(temporary_name, sizeof(temporary_name),
47 +                       "%s/lhXXXXXX", extract_directory);
48         }
49  #ifdef MKSTEMP
50         mkstemp(temporary_name);
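Review bot: The `snprintf` return value is discarded, so an `extract_directory` that does not fit is truncated silently and the trailing `XXXXXX` that `mkstemp` needs can be cut off. Keep the result in an `int n` and treat `n < 0 || (size_t)n >= sizeof(temporary_name)` as an error before `mkstemp` is reached. The `mkstemp` call on the following context line also ignores its return value, so a rejected template would go unnoticed here. The same unchecked truncation applies to the `expanded_archive_name` calls at `@@ -1053,12 +1066,14 @@` and `@@ -1067,7 +1082,8 @@`, and to `name` in lhext.c at `@@ -212,9 +213,11 @@`. There a shortened string would be opened or extracted under a different path than the one requested.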
51 @@ -913,10 +920,16 @@
52  #else
53         char           *p, *s;
54  
55 -       strcpy(temporary_name, archive_name);
56 +       strncpy(temporary_name, archive_name, sizeof(temporary_name));
57 +       temporary_name[sizeof(temporary_name)-1] = 0;
58         for (p = temporary_name, s = (char *) 0; *p; p++)
59                 if (*p == '/')
60                         s = p;
61 +
62 +       if( sizeof(temporary_name) - ((size_t) (s-temporary_name)) - 1
63 +               <= strlen("lhXXXXXX"))
64 +                       exit(-1);
65 +
66         strcpy((s ? s + 1 : temporary_name), "lhXXXXXX");
67  #ifdef MKSTEMP
68         mkstemp(temporary_name);
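Review bot: The new size check evaluates `s-temporary_name` even when `s` is still `(char *) 0` (an archive name without `/`), which is pointer arithmetic on a null pointer and only passes the test through unsigned wrap-around. Compute the write position first, with `base` declared next to `p` and `s`: `base = s ? s + 1 : temporary_name;`, then `if (sizeof(temporary_name) - (size_t)(base - temporary_name) <= strlen("lhXXXXXX")) exit(-1);` and `strcpy(base, "lhXXXXXX");`. `exit(-1)` also ends the program without a message, so the user gets no hint that the archive path was too long.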
69 @@ -1053,12 +1066,14 @@
70  
71         if (open_old_archive_1(archive_name, &fp))
72                 return fp;
73 -       sprintf(expanded_archive_name, "%s%s", archive_name, ARCHIVENAME_EXTENTION);
74 +       snprintf(expanded_archive_name, sizeof(expanded_archive_name),
75 +               "%s%s", archive_name, ARCHIVENAME_EXTENTION);
76         if (open_old_archive_1(expanded_archive_name, &fp)) {
77                 archive_name = expanded_archive_name;
78                 return fp;
79         }
80 -       sprintf(expanded_archive_name, "%s.lzh", archive_name);
81 +       snprintf(expanded_archive_name, sizeof(expanded_archive_name),
82 +               "%s.lzh", archive_name);
83         if (open_old_archive_1(expanded_archive_name, &fp)) {
84                 archive_name = expanded_archive_name;
85                 return fp;
86 @@ -1067,7 +1082,8 @@
87          * if ( (errno&0xffff)!=E_PNNF ) { archive_name =
88          * expanded_archive_name; return NULL; }
89          */
90 -       sprintf(expanded_archive_name, "%s.lzs", archive_name);
91 +       snprintf(expanded_archive_name, sizeof(expanded_archive_name),
92 +               "%s.lzs", archive_name);
93         if (open_old_archive_1(expanded_archive_name, &fp)) {
94                 archive_name = expanded_archive_name;
95                 return fp;
96 diff -urN lha-114i.orig/src/lhext.c lha-114i/src/lhext.c
97 --- lha-114i.orig/src/lhext.c   2004-12-13 20:01:23.000000000 +0100
98 +++ lha-114i/src/lhext.c        2004-12-13 20:02:02.855368544 +0100
99 @@ -82,7 +82,8 @@
100         register char  *p;
101  
102         /* make parent directory name into PATH for recursive call */
103 -       strcpy(path, name);
104 +       memset(path, 0, sizeof(path));
105 +       strncpy(path, name, sizeof(path)-1);
106         for (p = path + strlen(path); p > path; p--)
107                 if (p[-1] == '/') {
108                         *--p = '\0';
109 @@ -212,9 +213,11 @@
110         }
111  
112         if (extract_directory)
113 -               sprintf(name, "%s/%s", extract_directory, q);
114 -       else
115 -               strcpy(name, q);
116 +               snprintf(name, sizeof(name), "%s/%s", extract_directory, q);
117 +       else {
118 +               strncpy(name, q, sizeof(name));
119 +               name[sizeof(name) - 1] = '\0';
120 +       }
121  
122  
123         /* LZHDIRS_METHOD¤ò»ý¤Ä¥Ø¥Ã¥À¤ò¥Á¥§¥Ã¥¯¤¹¤ë */
124 @@ -335,7 +338,8 @@
125                         if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_SYMLINK) {
126                                 char            buf[256], *bb1, *bb2;
127                                 int             l_code;
128 -                               strcpy(buf, name);
129 +                               strncpy(buf, name, sizeof(buf));
130 +                               buf[sizeof(buf)-1] = 0;
131                                 bb1 = strtok(buf, "|");
132                                 bb2 = strtok(NULL, "|");
133  
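Review bot: Bounding the copy does not cover the parse that follows, because `strtok` returns NULL when the stored name has no `|` separator or nothing before it. `bb1` and `bb2` are then used without a test, for instance in the `printf("Symbolic Link %s -> %s\n", bb1, bb2)` visible in the next hunk. The name appears to derive from the archive header, so add `if (bb1 == NULL || bb2 == NULL)` right after the two `strtok` calls and treat the entry as malformed. The same pattern is left unchecked in lhlist.c at `@@ -250,7 +250,8 @@`, where `b1` and `b2` go straight to `printf`. A name of 256 bytes or more is also truncated silently now, so the link target may differ from what the header stored.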
134 @@ -365,9 +369,10 @@
135                                 if (quiet != TRUE) {
136                                         printf("Symbolic Link %s -> %s\n", bb1, bb2);
137                                 }
138 -                               strcpy(name, bb1);      /* Symbolic's name set */
139 +                               strncpy(name, bb1, 255);        /* Symbolic's name set */
140 +                               name[255] = 0;
141  #else
142 -                               sprintf(buf, "%s -> %s", bb1, bb2);
143 +                               sprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);
144                                 warning("Can't make Symbolic Link", buf);
145                                 return;
146  #endif
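Review bot: In the `#else` branch the call was given snprintf-style arguments but is still named `sprintf`, so `sizeof(buf)` is passed where the format string is expected; it must be `snprintf(buf, sizeof(buf), "%s -> %s", bb1, bb2);`. Even then `bb1` and `bb2` point into `buf` (they are the `strtok` results from the previous hunk), so source and destination overlap, which is undefined for the printf family; format into a separate local buffer instead. In the symlink branch, `strncpy(name, bb1, 255); name[255] = 0;` hard-codes the size. Using `sizeof(name)` as at `@@ -212,9 +213,11 @@` would keep the bound tied to the declaration, provided `name` is the same array here (its declaration is outside the hunk).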
147 diff -urN lha-114i.orig/src/lhlist.c lha-114i/src/lhlist.c
148 --- lha-114i.orig/src/lhlist.c  2000-10-04 16:57:38.000000000 +0200
149 +++ lha-114i/src/lhlist.c       2004-12-13 20:02:02.856368392 +0100
150 @@ -250,7 +250,8 @@
151                         printf(" %s", hdr->name);
152                 else {
153                         char            buf[256], *b1, *b2;
154 -                       strcpy(buf, hdr->name);
155 +                       strncpy(buf, hdr->name, sizeof(buf));
156 +                       buf[sizeof(buf)-1] = 0;
157                         b1 = strtok(buf, "|");
158                         b2 = strtok(NULL, "|");
159                         printf(" %s -> %s", b1, b2);
160 diff -urN lha-114i.orig/src/util.c lha-114i/src/util.c
161 --- lha-114i.orig/src/util.c    2000-10-04 16:57:38.000000000 +0200
162 +++ lha-114i/src/util.c 2004-12-13 20:02:02.859367936 +0100
163 @@ -276,21 +276,27 @@
164         char           *path;
165  {
166         int             stat, rtn = 0;
167 -       char           *cmdname;
168 -       if ((cmdname = (char *) malloc(strlen(RMDIRPATH) + 1 + strlen(path) + 1))
169 -           == 0)
170 +       pid_t           child;
171 +
172 +
173 +       /* XXX thomas: shell meta chars in path could exec commands */
174 +       /* therefore we should avoid using system() */
175 +       if ((child = fork()) < 0)
176 +               return (-1);    /* fork error */
177 +       else if (child) {       /* parent process */
178 +               while (child != wait(&stat))    /* ignore signals */
179 +                       continue;
180 +       }
181 +       else {                  /* child process */
182 +               execl(RMDIRPATH, "rmdir", path, (char *) 0);
183 +               /* never come here except execl is error */
184                 return (-1);
185 -       strcpy(cmdname, RMDIRPATH);
186 -       *(cmdname + strlen(RMDIRPATH)) = ' ';
187 -       strcpy(cmdname + strlen(RMDIRPATH) + 1, path);
188 -       if ((stat = system(cmdname)) < 0)
189 -               rtn = -1;       /* fork or exec error */
190 -       else if (stat) {        /* RMDIR command error */
191 -               errno = EIO;
192 -               rtn = -1;
193         }
194 -       free(cmdname);
195 -       return (rtn);
196 +       if (stat != 0) {
197 +               errno = EIO;    /* cannot get error num. */
198 +               return (-1);
199 +       }
200 +       return (0);
201  }
202  
203  /* ------------------------------------------------------------------------ */
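Review bot: When `execl` fails the child executes `return (-1)`, so a second copy of lha returns into the caller and keeps running alongside the parent; the child should end with `_exit(127)` instead. The `while (child != wait(&stat))` loop also spins forever if `wait` fails for a reason other than an interruption, and it can consume the status of an unrelated child; `waitpid(child, &stat, 0)` with an `EINTR` retry avoids both. `rtn` is now unused. A `path` starting with `-` is still parsed by rmdir as an option, which a `"--"` argument before `path` would prevent where the installed rmdir accepts it. The function's signature is above the hunk.

```c
	if ((child = fork()) < 0)
		return (-1);	/* fork error */
	if (child == 0) {	/* child process */
		execl(RMDIRPATH, "rmdir", path, (char *) 0);
		_exit(127);	/* exec failed: never return into the caller */
	}
	while (waitpid(child, &stat, 0) < 0) {
		if (errno != EINTR)
			return (-1);	/* child could not be reaped */
	}
	/* … unchanged: stat != 0 sets errno = EIO and returns -1, else 0 … */
```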