!5 fix CVE-2020-36241

From: @linker99 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2021-03-22 14:51:11 +08:00 · 2021-03-22 14:51:11 +08:00 · 911a112467
commit 911a112467
parent 448025b93e 80151dae9c
2 changed files with 110 additions and 1 deletions
--- a/backport-CVE-2020-36241.patch
+++ b/backport-CVE-2020-36241.patch
@ -0,0 +1,101 @@
+diff -Naur gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c
+--- gnome-autoar-0.2.4.old/gnome-autoar/autoar-extractor.c	2019-03-09 00:53:15.000000000 +0800
+++ gnome-autoar-0.2.4/gnome-autoar/autoar-extractor.c	2021-03-18 22:01:20.838393707 +0800
+@@ -881,32 +881,67 @@
+   return prefix;
+ }
+ 
+static gboolean
+is_valid_filename (GFile *file, GFile *destination)
+{
+  g_autoptr (GFile) parent = NULL;
+  g_autoptr (GFileInfo) info = NULL;
+
+  if (g_file_equal (file, destination))
+    return TRUE;
+
+  if (!g_file_has_prefix (file, destination))
+    return FALSE;
+
+  /* Resolve symbolic link ancestors to confirm file is actually inside destination. */
+  parent = g_file_get_parent (file);
+  info = g_file_query_info (parent,
+                            G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK ","
+                            G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
+                            G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+                            NULL,
+                            NULL);
+  if (info == NULL)
+    return FALSE;
+
+  if (g_file_info_get_is_symlink (info)) {
+    g_autoptr (GFile) cwd = NULL;
+    const gchar *target;
+
+    target = g_file_info_get_symlink_target (info);
+    if (g_path_is_absolute (target))
+      return FALSE;
+
+    cwd = g_file_get_parent (parent);
+    g_object_unref (parent);
+    parent = g_file_resolve_relative_path (cwd, target);
+  }
+
+  /* Climb up the path to resolve every symbolic link ancestor found */
+  return is_valid_filename (parent, destination);
+}
+
+ static GFile*
+ autoar_extractor_do_sanitize_pathname (AutoarExtractor *self,
+                                        const char      *pathname_bytes)
+ {
+   GFile *extracted_filename;
+   gboolean valid_filename;
+-  g_autofree char *sanitized_pathname;
+  g_autofree char *sanitized_pathname = NULL;
+   g_autofree char *utf8_pathname;
+ 
+   utf8_pathname = autoar_common_get_utf8_pathname (pathname_bytes);
+   extracted_filename = g_file_get_child (self->destination_dir,
+                                          utf8_pathname ?  utf8_pathname : pathname_bytes);
+ 
+-  valid_filename =
+-    g_file_equal (extracted_filename, self->destination_dir) ||
+-    g_file_has_prefix (extracted_filename, self->destination_dir);
+-
+  valid_filename = is_valid_filename (extracted_filename, self->destination_dir);
+   if (!valid_filename) {
+-    g_autofree char *basename;
+-
+-    basename = g_file_get_basename (extracted_filename);
+-
+    g_warning ("autoar_extractor_do_sanitize_pathname: %s is outside of the destination dir",
+                g_file_peek_path (extracted_filename));
+				
+     g_object_unref (extracted_filename);
+ 
+-    extracted_filename = g_file_get_child (self->destination_dir,
+-                                           basename);
+    return NULL;
+   }
+ 
+   if (self->prefix != NULL && self->new_prefix != NULL) {
+@@ -1862,10 +1897,17 @@
+ 
+     extracted_filename =
+       autoar_extractor_do_sanitize_pathname (self, pathname);
+-
+    if (extracted_filename == NULL) {
+      archive_read_data_skip (a);
+      continue;
+    }
+     if (hardlink != NULL) {
+       hardlink_filename =
+         autoar_extractor_do_sanitize_pathname (self, hardlink);
+        if (hardlink_filename == NULL) {
+          archive_read_data_skip (a);
+          continue;
+        }
+     }
+ 
+     /* Attempt to solve any name conflict before doing any operations */
--- a/gnome-autoar.spec
+++ b/gnome-autoar.spec
@ -1,11 +1,13 @@
 Name:           gnome-autoar
 Version:        0.2.4
-Release:        1
+Release:        2
 Summary:        Creating and extracting archives
 License:        LGPLv2+
 URL:            https://git.gnome.org/browse/gnome-autoar
 Source0:        https://download.gnome.org/sources/gnome-autoar/0.2/gnome-autoar-%{version}.tar.xz

+Patch6000:      backport-CVE-2020-36241.patch 
+
 BuildRequires:  gcc vala pkgconfig(gio-2.0) pkgconfig(glib-2.0) pkgconfig(gobject-2.0) gdb
 BuildRequires:  pkgconfig(gobject-introspection-1.0) pkgconfig(gtk+-3.0) pkgconfig(libarchive)

@ -48,6 +50,12 @@ make check
 %{_datadir}/vala/vapi/*.vapi

 %changelog
+* Fri Mar 19 2021 Dehui Fan <fandehui1@huawei.com> - 0.2.4-2
+Type: CVE
+ID:   CVE-2020-36241
+SUG:  NA
+DESC: fix CVE-2020-36241
+
 * Fri Jan 29 2021 yanglu <yanglu60@huawei.com> - 0.2.4-1
 - update to 0.2.4