pool/gcab
SHA256
11
0
Fork 1
Code Issues Pull Requests Activity

Accepting request 290062 from home:Zaitor:branches:GNOME:Apps

Browse Source 
New stable

OBS-URL: https://build.opensuse.org/request/show/290062
OBS-URL: https://build.opensuse.org/package/show/GNOME:Apps/gcab?expand=0&rev=5
This commit is contained in:
Dominique Leuenberger
2015-03-10 09:25:56 +00:00
committed by Git OBS Bridge
parent 774c2ebeaa
commit 38c80e8b16
5 changed files with 16 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
gcab-0.4.tar.xz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f907b16f1246fbde9397363d9c4ad2291f2a8a53dcd4f5979d3912bb856991b8
size 294684

3
gcab-0.5.tar.xz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9b127e7f5976045f22d4d37ff1a52599e06ed15fda1c9ddf4f499bb9cf123d52
size 311752

50
gcab-CVE-2015-0552.patch
View File

@@ -1,50 +0,0 @@
From 0ccdf564b6a3e26522a8eb1858f1828844fa3536 Mon Sep 17 00:00:00 2001
From: Stephen Kitt <steve@sk2.org>
Date: Mon, 5 Jan 2015 06:28:00 +0000
Subject: Avoid path traversal
gcab suffers from a directory traversal bug: it doesn't filter leading
slashes from paths in CAB files.
(see https://bugs.debian.org/774580)
The attached patch fixes this, at the cost of ugly paths when faced with
relative traversals. At least all the CAB's contents can be extracted,
without overwriting anything outside the extraction path.
https://bugzilla.gnome.org/show_bug.cgi?id=742331
diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
index a140e2c..9510cf3 100644
--- a/libgcab/gcab-folder.c
+++ b/libgcab/gcab-folder.c
@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
fname[i] = '/';
GFile *gfile = g_file_resolve_relative_path (path, fname);
- GFile *parent = g_file_get_parent (gfile);
g_free (fname);
+ if (!g_file_has_prefix (gfile, path)) {
+ // "Rebase" the file in the given path, to ensure we never escape it
+ char *rawpath = g_file_get_path (gfile);
+ if (rawpath != NULL) {
+ char *newpath = rawpath;
+ while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
+ newpath++;
+ }
+ GFile *newgfile = g_file_resolve_relative_path (path, newpath);
+ g_free (rawpath);
+ g_object_unref (gfile);
+ gfile = newgfile;
+ }
+ }
+
+ GFile *parent = g_file_get_parent (gfile);
+
if (!g_file_make_directory_with_parents (parent, cancellable, &my_error)) {
if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
g_clear_error (&my_error);
--
cgit v0.10.1

10
gcab.changes
View File

@@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon Mar 9 16:34:49 UTC 2015 - zaitor@opensuse.org
- Update to version 0.5:
+ Fix path traversal: do not escape from output directory.
+ Add gcab_cabinet_get_signature().
+ Build warning fixes.
+ Updated translations.
- Drop gcab-CVE-2015-0552.patch: fixed upstream.
-------------------------------------------------------------------
Tue Jan 6 11:08:14 UTC 2015 - dimstar@opensuse.org

9
gcab.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package gcab
#
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,13 @@
Name: gcab
Version: 0.4
Version: 0.5
Release: 0
Summary: Cabinet file library and tool
License: LGPL-2.1+
Group: Productivity/Archiving/Compression
Url: http://ftp.gnome.org/pub/GNOME/sources/gcab
Source: http://ftp.acc.umu.se/pub/GNOME/sources/gcab/0.4/gcab-0.4.tar.xz
# PATCH-FIX-UPSTREAM gcab-CVE-2015-0552.patch boo#911814 bgo#742331 CVE-2015-0552 dimstar@opensuse.org -- Avoid path traversal
Patch0: gcab-CVE-2015-0552.patch
Source: http://ftp.acc.umu.se/pub/GNOME/sources/gcab/0.5/gcab-0.5.tar.xz
BuildRequires: gobject-introspection >= 0.9.4
BuildRequires: intltool >= 0.40.0
BuildRequires: vala >= 0.14
@@ -68,7 +66,6 @@ This package provides development files to build code against libgcab
%lang_package
%prep
%setup -q
%patch0 -p1
%build
%configure \