diff --git a/mc-vfs-fish-deleted_source_file.patch b/mc-vfs-fish-deleted_source_file.patch
new file mode 100644
index 0000000..ae40f45
--- /dev/null
+++ b/mc-vfs-fish-deleted_source_file.patch
@@ -0,0 +1,120 @@
+diff -rup mc-4.8.11.orig/src/filemanager/file.c mc-4.8.11/src/filemanager/file.c
+--- mc-4.8.11.orig/src/filemanager/file.c 2013-11-29 19:27:07.000000000 +0100
++++ mc-4.8.11/src/filemanager/file.c 2014-01-14 00:09:30.540439661 +0100
+@@ -1914,6 +1914,8 @@ copy_file_file (FileOpTotalContext * tct
+ continue;
+ if (temp_status == FILE_ABORT)
+ return_status = temp_status;
++ if (temp_status == FILE_SKIP)
++ return_status = temp_status;
+ if (temp_status == FILE_SKIPALL)
+ ctx->skip_all = TRUE;
+ break;
+@@ -1924,6 +1926,8 @@ copy_file_file (FileOpTotalContext * tct
+ temp_status = file_error (_("Cannot close target file \"%s\"\n%s"), dst_path);
+ if (temp_status == FILE_RETRY)
+ continue;
++ if (temp_status == FILE_SKIP)
++ return_status = temp_status;
+ if (temp_status == FILE_SKIPALL)
+ ctx->skip_all = TRUE;
+ return_status = temp_status;
+@@ -1957,10 +1961,10 @@ copy_file_file (FileOpTotalContext * tct
+ if (temp_status == FILE_SKIPALL)
+ {
+ ctx->skip_all = TRUE;
+- return_status = FILE_CONT;
++ return_status = FILE_SKIPALL;
+ }
+ if (temp_status == FILE_SKIP)
+- return_status = FILE_CONT;
++ return_status = FILE_SKIP;
+ break;
+ }
+ }
+@@ -1977,10 +1981,10 @@ copy_file_file (FileOpTotalContext * tct
+ if (temp_status == FILE_SKIPALL)
+ {
+ ctx->skip_all = TRUE;
+- return_status = FILE_CONT;
++ return_status = FILE_SKIPALL;
+ }
+ if (temp_status == FILE_SKIP)
+- return_status = FILE_CONT;
++ return_status = FILE_SKIP;
+ break;
+ }
+ }
+diff -rup mc-4.8.11.orig/src/vfs/fish/fishdef.h mc-4.8.11/src/vfs/fish/fishdef.h
+--- mc-4.8.11.orig/src/vfs/fish/fishdef.h 2013-04-10 22:04:31.000000000 +0200
++++ mc-4.8.11/src/vfs/fish/fishdef.h 2014-01-13 23:54:30.773582204 +0100
+@@ -145,13 +145,19 @@
+ "FILESIZE=${FISH_FILESIZE}\n" \
+ "#STOR $FILESIZE $FILENAME\n" \
+ "echo \"### 001\"\n" \
++"touch $FILENAME 2>/dev/null\n" \
++"if [ -f $FILENAME ]; then\n" \
++"rm $FILENAME\n" \
+ "{\n" \
+ " while [ $FILESIZE -gt 0 ]; do\n" \
+ " cnt=`expr \\( $FILESIZE + 255 \\) / 256`\n" \
+ " n=`dd bs=256 count=$cnt | tee -a \"${FILENAME}\" | wc -c`\n" \
+ " FILESIZE=`expr $FILESIZE - $n`\n" \
+ " done\n" \
+-"}; echo \"### 200\"\n"
++"}; echo \"### 200\"\n" \
++"else\n" \
++" echo \"### 500\"\n" \
++"fi\n"
+
+ /* default 'appe' script */
+ #define FISH_APPEND_DEF_CONTENT "" \
+diff -rup mc-4.8.11.orig/src/vfs/fish/helpers/chmod mc-4.8.11/src/vfs/fish/helpers/chmod
+--- mc-4.8.11.orig/src/vfs/fish/helpers/chmod 2013-04-10 22:04:31.000000000 +0200
++++ mc-4.8.11/src/vfs/fish/helpers/chmod 2014-01-13 23:54:30.773582204 +0100
+@@ -1,6 +1,7 @@
+ #CHMOD $FISH_FILEMODE $FISH_FILENAME
+-if chmod ${FISH_FILEMODE} "/${FISH_FILENAME}" 2>/dev/null; then
+- echo "### 000"
+-else
++chmod ${FISH_FILEMODE} "/${FISH_FILENAME}" 2>/dev/null
++if [ $? -ne 0 ]; then
+ echo "### 500"
++else
++ echo "### 000"
+ fi
+diff -rup mc-4.8.11.orig/src/vfs/fish/helpers/chown mc-4.8.11/src/vfs/fish/helpers/chown
+--- mc-4.8.11.orig/src/vfs/fish/helpers/chown 2013-04-10 22:04:31.000000000 +0200
++++ mc-4.8.11/src/vfs/fish/helpers/chown 2014-01-13 23:54:30.774582155 +0100
+@@ -1,6 +1,7 @@
+ #CHOWN $FISH_FILEOWNER:$FISH_FILEGROUP $FISH_FILENAME
+-if chown ${FISH_FILEOWNER}:${FISH_FILEGROUP} "/${FISH_FILENAME}" ; then
+- echo "### 000"
+-else
++chown ${FISH_FILEOWNER}:${FISH_FILEGROUP} "/${FISH_FILENAME}"
++if [ $? -ne 0 ]; then
+ echo "### 500"
++else
++ echo "### 000"
+ fi
+diff -rup mc-4.8.11.orig/src/vfs/fish/helpers/send mc-4.8.11/src/vfs/fish/helpers/send
+--- mc-4.8.11.orig/src/vfs/fish/helpers/send 2013-04-10 22:04:31.000000000 +0200
++++ mc-4.8.11/src/vfs/fish/helpers/send 2014-01-13 23:54:30.774582155 +0100
+@@ -1,6 +1,9 @@
+ #STOR $FISH_FILESIZE $FISH_FILENAME
+ FILENAME="/${FISH_FILENAME}"
+ echo "### 001"
++touch $FILENAME 2>/dev/null
++if [ -f $FILENAME ]; then
++rm $FILENAME 2>/dev/null
+ {
+ > "${FILENAME}"
+ bss=4096
+@@ -15,3 +18,6 @@ echo "### 001"
+ FISH_FILESIZE=`expr $FISH_FILESIZE - $n`
+ done
+ }; echo "### 200"
++else
++ echo "### 500"
++fi
+
diff --git a/mc-vfs_fish_helpers_ls-formatstring.diff b/mc-vfs_fish_helpers_ls-formatstring.diff
new file mode 100644
index 0000000..ff567c6
--- /dev/null
+++ b/mc-vfs_fish_helpers_ls-formatstring.diff
@@ -0,0 +1,18 @@
+--- src/vfs/fish/helpers/ls.orig 2013-04-10 22:04:31.000000000 +0200
++++ src/vfs/fish/helpers/ls 2014-03-15 15:35:18.000000000 +0100
+@@ -137,9 +137,13 @@
+ if (S_ISLNK ($mode)) {
+ my $linkname = readlink ("$dirname/$filename");
+ $linkname =~ $strutils_shell_escape_regex;
+- printf("R%%o %%o $uid.$gid\nS$size\nd$mloctime\n:\"$e_filename\" -> \"$linkname\"\n\n", S_IMODE($mode), S_IFMT($mode));
++ printf("R%%o %%o %%i.%%i\nS%%lld\nd%%s\n:\"%%s\" -> \"%%s\"\n\n",
++ S_IMODE($mode), S_IFMT($mode),
++ $uid, $gid, $size, $mloctime, $e_filename, $linkname);
+ } else {
+- printf("R%%o %%o $uid.$gid\nS$size\nd$mloctime\n:\"$e_filename\"\n\n", S_IMODE($mode), S_IFMT($mode));
++ printf("R%%o %%o %%i.%%i\nS%%lld\nd%%s\n:\"%%s\"\n\n",
++ S_IMODE($mode), S_IFMT($mode),
++ $uid, $gid, $size, $mloctime, $e_filename);
+ }
+ }
+ printf("### 200\n");
diff --git a/mc.changes b/mc.changes
index 6d627ad..6e3515c 100644
--- a/mc.changes
+++ b/mc.changes
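Review bot: The added `touch $FILENAME`, `[ -f $FILENAME ]` and `rm $FILENAME` lines in the STOR script (the fishdef.h default and helpers/send alike) expand the target name unquoted, although the rest of the script writes `"${FILENAME}"`. A name containing spaces or glob characters is then word-split, so `touch` and `rm` can act on paths other than the upload target. Quote them the way the surrounding code does: `touch "${FILENAME}" 2>/dev/null`, `if [ -f "${FILENAME}" ]; then`, `rm "${FILENAME}" 2>/dev/null`. In file.c, the `FILE_SKIP` assignment added at -1924 appears redundant with the unconditional `return_status = temp_status;` that follows it in the same hunk.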
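Review bot: The `S%%lld` conversion in both new printf calls depends on the `ll` size flag, which Perl honours only when it was built with 64-bit integer support; this helper presumably runs under whatever perl the remote host provides. Printing `$size` with `%%s` avoids that dependency, since the value is already a Perl scalar, e.g. `printf("R%%o %%o %%i.%%i\nS%%s\nd%%s\n:\"%%s\"\n\n",`. Keeping `$e_filename` and `$linkname` out of the format string is what closes the format-string issue, so a comment above the branch such as `# file-derived values are passed as printf arguments only, never interpolated into the format` would guard against a later regression. The enclosing block starts outside the hunk.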
@@ -1,9 +1,31 @@ +------------------------------------------------------------------- +Sat Mar 15 15:35:23 UTC 2014 - dnh@opensuse.org + +- fix bug ("%i" is not an appropriate format for off_t) in + mc-vfs_fish_helpers_ls-formatstring.diff, thanks to andrew_b + of upstream in mc-ticket:2983 + +Sat Mar 15 13:58:42 UTC 2014 - dnh@opensuse.org + +- add mc-vfs_fish_helpers_ls-formatstring.diff + fixing possible format-string attack via filename + http://www.midnight-commander.org/ticket/2983 + until http://www.midnight-commander.org/ticket/3128 + is fixed, fish should stay disabled though! + ------------------------------------------------------------------- Thu Jan 30 21:47:13 UTC 2014 - jengelh@inai.de - Spec metadata update, remove redundant %clean section, do parallel build with %_smp_mflags +------------------------------------------------------------------- +Tue Jan 14 03:37:35 UTC 2014 - dnh@opensuse.org + +- add preliminary patch by Sebastian Siebert + mc-vfs-fish-deleted_source_file.patch + bnc#856501 and http://www.midnight-commander.org/ticket/3128 + ------------------------------------------------------------------- Fri Jan 10 20:51:29 UTC 2014 - dnh@opensuse.org diff --git a/mc.spec b/mc.spec index daf1d74..7c74f30 100644 --- a/mc.spec +++ b/mc.spec @@ -45,11 +45,20 @@ Patch17: mc-rpm.patch Patch20: mc-f-keys.patch Patch21: mc-extfs-helpers-deb.patch +# add patch. bnc#856501 +# http://www.midnight-commander.org/ticket/3128 +Patch22: mc-vfs-fish-deleted_source_file.patch + # add mc-extfs-iso9660-xorriso.patch # fixing iso9660 extfs directory handling using xorriso # http://www.midnight-commander.org/ticket/3122 Patch23: mc-extfs-iso9660-xorriso.patch +# add mc-vfs_fish_helpers_ls-formatstring.diff +# fixing possible format-string attack via filename +# bnc#850803, http://www.midnight-commander.org/ticket/2983 +Patch25: mc-vfs_fish_helpers_ls-formatstring.diff + #debian fixes for vfs Patch24: 02_ignore_ftp_chmod_error.patch #Debian fixes 
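Review bot: The comment added for Patch22 (`# add patch. bnc#856501`) does not say what the patch changes or that the changelog describes it as preliminary, and the changelog's caveat that fish should stay disabled until ticket 3128 is fixed is not recorded in the spec. Nothing in this hunk shows fish being disabled, so it is worth confirming that the build does so and stating it next to the patch, e.g. `# preliminary fix for ticket 3128; fish stays disabled until upstream resolves it`. Patch25 is also declared ahead of Patch24, which breaks the numeric ordering of the list.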
@@ -118,6 +127,8 @@ isoinfo (from mkisofs) or xorriso for the iso:// extension.
 %patch18
 %patch20
 %patch21
+%patch22 -p1
+%patch25
 %patch23 -p1
 %patch24
 %patch31