From 80151dae9cb40e26e6ea49ee8fa9c71c57081fb8 Mon Sep 17 00:00:00 2001
From: yeah_wang
Date: Fri, 19 Mar 2021 16:01:57 +0800
Subject: [PATCH] fix CVE-2020-36241
---
backport-CVE-2020-36241.patch | 101 ++++++++++++++++++++++++++++++++++
gnome-autoar.spec | 10 +++-
2 files changed, 110 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2020-36241.patch
diff --git a/backport-CVE-2020-36241.patch b/backport-CVE-2020-36241.patch
new file mode 100644
index 0000000..eb968e3
--- /dev/null
+++ b/backport-CVE-2020-36241.patch
@@ -0,0 +1,101 @@
+diff -Naur gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c
+--- gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c 2019-03-09 00:53:15.000000000 +0800
++++ gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c 2021-03-18 22:01:20.838393707 +0800
+@@ -881,32 +881,67 @@
+ return prefix;
+ }
+
++static gboolean
++is_valid_filename (GFile *file, GFile *destination)
++{
++ g_autoptr (GFile) parent = NULL;
++ g_autoptr (GFileInfo) info = NULL;
++
++ if (g_file_equal (file, destination))
++ return TRUE;
++
++ if (!g_file_has_prefix (file, destination))
++ return FALSE;
++
++ /* Resolve symbolic link ancestors to confirm file is actually inside destination. */
++ parent = g_file_get_parent (file);
++ info = g_file_query_info (parent,
++ G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK ","
++ G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
++ NULL,
++ NULL);
++ if (info == NULL)
++ return FALSE;
++
++ if (g_file_info_get_is_symlink (info)) {
++ g_autoptr (GFile) cwd = NULL;
++ const gchar *target;
++
++ target = g_file_info_get_symlink_target (info);
++ if (g_path_is_absolute (target))
++ return FALSE;
++
++ cwd = g_file_get_parent (parent);
++ g_object_unref (parent);
++ parent = g_file_resolve_relative_path (cwd, target);
++ }
++
++ /* Climb up the path to resolve every symbolic link ancestor found */
++ return is_valid_filename (parent, destination);
++}
++
+ static GFile*
+ autoar_extractor_do_sanitize_pathname (AutoarExtractor *self,
+ const char *pathname_bytes)
+ {
+ GFile *extracted_filename;
+ gboolean valid_filename;
+- g_autofree char *sanitized_pathname;
++ g_autofree char *sanitized_pathname = NULL;
+ g_autofree char *utf8_pathname;
+
+ utf8_pathname = autoar_common_get_utf8_pathname (pathname_bytes);
+ extracted_filename = g_file_get_child (self->destination_dir,
+ utf8_pathname ?
utf8_pathname : pathname_bytes);
+
+- valid_filename =
+- g_file_equal (extracted_filename, self->destination_dir) ||
+- g_file_has_prefix (extracted_filename, self->destination_dir);
+-
++ valid_filename = is_valid_filename (extracted_filename, self->destination_dir);
+ if (!valid_filename) {
+- g_autofree char *basename;
+-
+- basename = g_file_get_basename (extracted_filename);
+-
++ g_warning ("autoar_extractor_do_sanitize_pathname: %s is outside of the destination dir",
++ g_file_peek_path (extracted_filename));
++
+ g_object_unref (extracted_filename);
+
+- extracted_filename = g_file_get_child (self->destination_dir,
+- basename);
++ return NULL;
+ }
+
+ if (self->prefix != NULL && self->new_prefix != NULL) {
+@@ -1862,10 +1897,17 @@
+
+ extracted_filename =
+ autoar_extractor_do_sanitize_pathname (self, pathname);
+-
++ if (extracted_filename == NULL) {
++ archive_read_data_skip (a);
++ continue;
++ }
+ if (hardlink != NULL) {
+ hardlink_filename =
+ autoar_extractor_do_sanitize_pathname (self, hardlink);
++ if (hardlink_filename == NULL) {
++ archive_read_data_skip (a);
++ continue;
++ }
+ }
+
+ /* Attempt to solve any name conflict before doing any operations */
diff --git a/gnome-autoar.spec b/gnome-autoar.spec
index 8954f18..398152d 100644
--- a/gnome-autoar.spec
+++ b/gnome-autoar.spec
@@ -1,11 +1,13 @@
Name: gnome-autoar
Version: 0.2.4
-Release: 1
+Release: 2
Summary: Creating and extracting archives
License: LGPLv2+
URL: https://git.gnome.org/browse/gnome-autoar
Source0: https://download.gnome.org/sources/gnome-autoar/0.2/gnome-autoar-%{version}.tar.xz
+Patch6000: backport-CVE-2020-36241.patch
+
BuildRequires: gcc vala pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0) gdb
BuildRequires: pkgconfig(gobject-introspection-1.0) pkgconfig(gtk+-3.0) pkgconfig(libarchive)
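Review bot: In `is_valid_filename` the link walk only ever inspects the parent of the path it recurses on, so once a link is resolved the recursion checks the target's ancestors but never the target itself: with archive entries `b -> ../../tmp`, `a -> b` and then `a/x`, `dest/a` resolves to `dest/b`, the recursion on `dest/b` sees that `dest` is not a link and returns TRUE, and writing `a/x` then follows both links out of the destination (assuming earlier symlink entries have already been materialised at that point, which this hunk does not show). Recursing on `resolved/<basename>` instead of on `resolved` makes the target be examined as a parent as well, but a link cycle (`a -> b`, `b -> a`) would then recurse without bound, so the walk also needs a hop limit, as sketched below. The `info == NULL` branch additionally rejects any entry whose parent directory does not exist yet when sanitize runs (archives with no directory entries); a missing component cannot be a link, so `G_IO_ERROR_NOT_FOUND` can safely continue upward while every other error still fails closed. In the second hunk the `hardlink_filename == NULL` branch `continue`s without releasing `extracted_filename`, leaking one GFile per rejected entry unless it is declared `g_autoptr` outside the hunk; `g_clear_object (&extracted_filename);` before that `continue` fixes it. The extraction loop that hunk sits in starts and ends outside the visible lines.

```c
/* Bound the number of link hops so a link cycle inside the destination
 * cannot recurse without limit (mirrors the kernel's ELOOP limit). */
#define AUTOAR_MAX_SYMLINK_HOPS 40

static gboolean
is_valid_filename_rec (GFile *file, GFile *destination, guint hops)
{
  g_autoptr (GFile) parent = NULL;
  g_autoptr (GFileInfo) info = NULL;
  g_autoptr (GError) error = NULL;

  /* … unchanged: g_file_equal / g_file_has_prefix checks … */

  parent = g_file_get_parent (file);
  info = g_file_query_info (parent,
                            G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK ","
                            G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
                            G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
                            NULL,
                            &error);
  if (info == NULL) {
    /* A component that does not exist yet cannot be a link; keep checking
     * the ancestors that do exist. Any other failure is treated as unsafe. */
    if (!g_error_matches (error, G_IO_ERROR, G_IO_ERROR_NOT_FOUND))
      return FALSE;
    return is_valid_filename_rec (parent, destination, hops);
  }

  if (g_file_info_get_is_symlink (info)) {
    g_autoptr (GFile) cwd = NULL;
    g_autoptr (GFile) resolved = NULL;
    g_autoptr (GFile) probe = NULL;
    g_autofree char *basename = NULL;
    const gchar *target;

    if (hops >= AUTOAR_MAX_SYMLINK_HOPS)
      return FALSE;

    target = g_file_info_get_symlink_target (info);
    if (target == NULL || g_path_is_absolute (target))
      return FALSE;

    cwd = g_file_get_parent (parent);
    resolved = g_file_resolve_relative_path (cwd, target);

    /* Re-examine the link target *as a parent*: it may itself be a link
     * (link chains), which recursing on its parent alone never inspects. */
    basename = g_file_get_basename (file);
    probe = g_file_get_child (resolved, basename);
    return is_valid_filename_rec (probe, destination, hops + 1);
  }

  return is_valid_filename_rec (parent, destination, hops);
}

static gboolean
is_valid_filename (GFile *file, GFile *destination)
{
  return is_valid_filename_rec (file, destination, 0);
}
```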
@@ -48,6 +50,12 @@ make check
%{_datadir}/vala/vapi/*.vapi
%changelog
+* Fri Mar 19 2021 Dehui Fan - 0.2.4-2
+Type: CVE
+ID: CVE-2020-36241
+SUG: NA
+DESC: fix CVE-2020-36241
+
* Fri Jan 29 2021 yanglu - 0.2.4-1
- update to 0.2.4