packages/gnome-autoar
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-36241

Browse Source
This commit is contained in:
yeah_wang 2021-03-19 16:01:57 +08:00
parent 448025b93e
commit 80151dae9c
2 changed files with 110 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
backport-CVE-2020-36241.patch Normal file
View File

@ -0,0 +1,101 @@
diff -Naur gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c
--- gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c 2019-03-09 00:53:15.000000000 +0800
+++ gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c 2021-03-18 22:01:20.838393707 +0800
@@ -881,32 +881,67 @@
return prefix;
}
+static gboolean
+is_valid_filename (GFile *file, GFile *destination)
+{
+ g_autoptr (GFile) parent = NULL;
+ g_autoptr (GFileInfo) info = NULL;
+
+ if (g_file_equal (file, destination))
+ return TRUE;
+
+ if (!g_file_has_prefix (file, destination))
+ return FALSE;
+
+ /* Resolve symbolic link ancestors to confirm file is actually inside destination. */
+ parent = g_file_get_parent (file);
+ info = g_file_query_info (parent,
+ G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK ","
+ G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
+ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+ NULL,
+ NULL);
+ if (info == NULL)
+ return FALSE;
+
+ if (g_file_info_get_is_symlink (info)) {
+ g_autoptr (GFile) cwd = NULL;
+ const gchar *target;
+
+ target = g_file_info_get_symlink_target (info);
+ if (g_path_is_absolute (target))
+ return FALSE;
+
+ cwd = g_file_get_parent (parent);
+ g_object_unref (parent);
+ parent = g_file_resolve_relative_path (cwd, target);
+ }
+
+ /* Climb up the path to resolve every symbolic link ancestor found */
+ return is_valid_filename (parent, destination);
+}
+
static GFile*
autoar_extractor_do_sanitize_pathname (AutoarExtractor *self,
const char *pathname_bytes)
{
GFile *extracted_filename;
gboolean valid_filename;
- g_autofree char *sanitized_pathname;
+ g_autofree char *sanitized_pathname = NULL;
g_autofree char *utf8_pathname;
utf8_pathname = autoar_common_get_utf8_pathname (pathname_bytes);
extracted_filename = g_file_get_child (self->destination_dir,
utf8_pathname ? utf8_pathname : pathname_bytes);
- valid_filename =
- g_file_equal (extracted_filename, self->destination_dir) ||
- g_file_has_prefix (extracted_filename, self->destination_dir);
-
+ valid_filename = is_valid_filename (extracted_filename, self->destination_dir);
if (!valid_filename) {
- g_autofree char *basename;
-
- basename = g_file_get_basename (extracted_filename);
-
+ g_warning ("autoar_extractor_do_sanitize_pathname: %s is outside of the destination dir",
+ g_file_peek_path (extracted_filename));
+
g_object_unref (extracted_filename);
- extracted_filename = g_file_get_child (self->destination_dir,
- basename);
+ return NULL;
}
if (self->prefix != NULL && self->new_prefix != NULL) {
@@ -1862,10 +1897,17 @@
extracted_filename =
autoar_extractor_do_sanitize_pathname (self, pathname);
-
+ if (extracted_filename == NULL) {
+ archive_read_data_skip (a);
+ continue;
+ }
if (hardlink != NULL) {
hardlink_filename =
autoar_extractor_do_sanitize_pathname (self, hardlink);
+ if (hardlink_filename == NULL) {
+ archive_read_data_skip (a);
+ continue;
+ }
}
/* Attempt to solve any name conflict before doing any operations */

10
gnome-autoar.spec
View File

@ -1,11 +1,13 @@
Name: gnome-autoar
Version: 0.2.4
Release: 1
Release: 2
Summary: Creating and extracting archives
License: LGPLv2+
URL: https://git.gnome.org/browse/gnome-autoar
Source0: https://download.gnome.org/sources/gnome-autoar/0.2/gnome-autoar-%{version}.tar.xz
Patch6000: backport-CVE-2020-36241.patch
BuildRequires: gcc vala pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0) gdb
BuildRequires: pkgconfig(gobject-introspection-1.0) pkgconfig(gtk+-3.0) pkgconfig(libarchive)
@ -48,6 +50,12 @@ make check
%{_datadir}/vala/vapi/*.vapi
%changelog
* Fri Mar 19 2021 Dehui Fan <fandehui1@huawei.com> - 0.2.4-2
Type: CVE
ID: CVE-2020-36241
SUG: NA
DESC: fix CVE-2020-36241
* Fri Jan 29 2021 yanglu <yanglu60@huawei.com> - 0.2.4-1
- update to 0.2.4