Accepting request 280056 from GNOME:Apps

1 OBS-URL: https://build.opensuse.org/request/show/280056 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gcab?expand=0&rev=4
2015-01-08 22:02:06 +00:00 · 2015-01-08 22:02:06 +00:00 · 92ccda5b8f
commit 92ccda5b8f
parent b60fd786f6 774c2ebeaa
3 changed files with 64 additions and 4 deletions
--- a/gcab-CVE-2015-0552.patch
+++ b/gcab-CVE-2015-0552.patch
@ -0,0 +1,50 @@
+From 0ccdf564b6a3e26522a8eb1858f1828844fa3536 Mon Sep 17 00:00:00 2001
+From: Stephen Kitt <steve@sk2.org>
+Date: Mon, 5 Jan 2015 06:28:00 +0000
+Subject: Avoid path traversal
+
+gcab suffers from a directory traversal bug: it doesn't filter leading
+slashes from paths in CAB files.
+(see https://bugs.debian.org/774580)
+
+The attached patch fixes this, at the cost of ugly paths when faced with
+relative traversals. At least all the CAB's contents can be extracted,
+without overwriting anything outside the extraction path.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=742331
+
+diff --git a/libgcab/gcab-folder.c b/libgcab/gcab-folder.c
+index a140e2c..9510cf3 100644
+--- a/libgcab/gcab-folder.c
+++ b/libgcab/gcab-folder.c
+@@ -362,9 +362,25 @@ gcab_folder_extract (GCabFolder *self,
+                 fname[i] = '/';
+ 
+         GFile *gfile = g_file_resolve_relative_path (path, fname);
+-        GFile *parent = g_file_get_parent (gfile);
+         g_free (fname);
+ 
+        if (!g_file_has_prefix (gfile, path)) {
+            // "Rebase" the file in the given path, to ensure we never escape it
+            char *rawpath = g_file_get_path (gfile);
+            if (rawpath != NULL) {
+                char *newpath = rawpath;
+                while (*newpath != 0 && *newpath == G_DIR_SEPARATOR) {
+                    newpath++;
+                }
+                GFile *newgfile = g_file_resolve_relative_path (path, newpath);
+                g_free (rawpath);
+                g_object_unref (gfile);
+                gfile = newgfile;
+            }
+        }
+
+        GFile *parent = g_file_get_parent (gfile);
+
+         if (!g_file_make_directory_with_parents (parent, cancellable, &my_error)) {
+             if (g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_EXISTS))
+                 g_clear_error (&my_error);
+-- 
+cgit v0.10.1
+
+
--- a/gcab.changes
+++ b/gcab.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jan  6 11:08:14 UTC 2015 - dimstar@opensuse.org
+
+- Add gcab-CVE-2015-0552.patch: Avoid path traversal (boo#911814,
+  bgo#742331, CVE-2015-0552).
+
 -------------------------------------------------------------------
 Wed Mar  6 20:29:35 UTC 2013 - dimstar@opensuse.org

--- a/gcab.spec
+++ b/gcab.spec
@ -1,7 +1,7 @@
 #
-# spec file for package
+# spec file for package gcab
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -15,14 +15,17 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

+
 Name:           gcab
 Version:        0.4
 Release:        0
-License:        LGPL-2.1+
 Summary:        Cabinet file library and tool
-Url:            http://ftp.gnome.org/pub/GNOME/sources/gcab
+License:        LGPL-2.1+
 Group:          Productivity/Archiving/Compression
+Url:            http://ftp.gnome.org/pub/GNOME/sources/gcab
 Source:         http://ftp.acc.umu.se/pub/GNOME/sources/gcab/0.4/gcab-0.4.tar.xz
+# PATCH-FIX-UPSTREAM gcab-CVE-2015-0552.patch boo#911814 bgo#742331 CVE-2015-0552 dimstar@opensuse.org -- Avoid path traversal
+Patch0:         gcab-CVE-2015-0552.patch
 BuildRequires:  gobject-introspection >= 0.9.4
 BuildRequires:  intltool >= 0.40.0
 BuildRequires:  vala >= 0.14
@ -65,6 +68,7 @@ This package provides development files to build code against libgcab
 %lang_package
 %prep
 %setup -q
+%patch0 -p1

 %build
 %configure \