From 685a78b6052f4df6eac6d625a545cfb54a6ac0e1 Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Tue, 1 Feb 2011 11:21:15 +0100
Subject: Do not let a malicious patch create files above current directory
This addresses CVE-2010-4651, reported by Jakub Wilk.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
* src/util.c (strip_leading_slashes): Reject absolute file names and
file names containing a component of "..".
* tests/bad-filenames: New file. Test for this.
* tests/Makefile.am (TESTS): Add it.
Improvements by Andreas Gruenbacher.
---
ChangeLog | 13 ++++++++++++-
src/pch.c | 2 +-
src/util.c | 13 ++++++++++++-
tests/Makefile.am | 3 ++-
tests/bad-filenames | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 76 insertions(+), 4 deletions(-)
create mode 100644 tests/bad-filenames
diff --git a/ChangeLog b/ChangeLog
index bbe5fe7..20810cb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2011-02-01 Jim Meyering
+ and Andreas Gruenbacher
+
+ Do not let a malicious patch create files above current directory
+ This addresses CVE-2010-4651, reported by Jakub Wilk.
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
+ * src/util.c (strip_leading_slashes): Reject absolute file names and
+ file names containing a component of "..".
+ * tests/bad-filenames: New file. Test for this.
+ * tests/Makefile.am (TESTS): Add it.
+
 2010-12-04 Andreas Gruenbacher
 * src/util.c (make_tempfile): Create missing directories when
@@ -3594,7 +3605,7 @@ Sun Dec 17 17:29:48 1989 Jim Kingdon (kingdon at hobbes.ai.mit.edu)
 Copyright (C) 1984, 1985, 1986, 1987, 1988 Larry Wall.
 Copyright (C) 1989, 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
-2002, 2009, 2010 Free Software Foundation, Inc.
+2002, 2009, 2010, 2011 Free Software Foundation, Inc.
 This file is part of GNU Patch.
diff --git a/src/pch.c b/src/pch.c
index 1653ee4..8e64298 100644
--- a/src/pch.c
+++ b/src/pch.c
@@ -3,7 +3,7 @@
 /* Copyright (C) 1986, 1987, 1988 Larry Wall
 Copyright (C) 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2000, 2001,
- 2002, 2003, 2006, 2009, 2010 Free Software Foundation, Inc.
+ 2002, 2003, 2006, 2009, 2010, 2011 Free Software Foundation, Inc.
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
diff --git a/src/util.c b/src/util.c
index e03e48a..553cfbd 100644
--- a/src/util.c
+++ b/src/util.c
@@ -3,7 +3,7 @@
 /* Copyright (C) 1986 Larry Wall
 Copyright (C) 1992, 1993, 1997, 1998, 1999, 2001, 2002, 2003, 2006,
- 2009, 2010 Free Software Foundation, Inc.
+ 2009, 2010, 2011 Free Software Foundation, Inc.
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -1415,6 +1415,17 @@ strip_leading_slashes (char *name, int strip_leading)
 n = p+1;
 }
 }
+ if (IS_ABSOLUTE_FILE_NAME (n))
+ fatal ("rejecting absolute file name: %s", quotearg (n));
+ for (p = n; *p; )
+ {
+ if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
+ fatal ("rejecting file name with \"..\" component: %s", quotearg (n));
+ while (*p && ! ISSLASH (*p))
+ p++;
+ while (ISSLASH (*p))
+ p++;
+ }
 if ((strip_leading < 0 || s <= 0) && *n)
 {
 memmove (name, n, strlen (n) + 1);
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ffe02af..cca8a87 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,5 +1,5 @@
 # Copyright (C) 1989, 1990, 1991, 1992, 1993, 1997, 1998, 1999, 2002,
-# 2003, 2006, 2009, 2010 Free Software Foundation, Inc.
+# 2003, 2006, 2009, 2010, 2011 Free Software Foundation, Inc.
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -19,6 +19,7 @@ TESTS = \
 asymmetric-hunks \
 backup-prefix-suffix \
+ bad-filenames \
 copy-rename \
 corrupt-reject-files \
 create-delete \
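Review bot: The `..` test on the new `if` line advances `p` twice inside a single condition (each `*++p` runs only if the previous term held), which is correct on every path but reads like an off-by-one; the equivalent `if (p[0] == '.' && p[1] == '.' && (! p[2] || ISSLASH (p[2])))` keeps `p` at the component start and leaves all advancing to the two `while` loops below. Also worth stating above the `for` loop that this is a lexical check only — nothing in the added lines consults the filesystem — so a path component that is already a symbolic link to a directory above the working tree is not caught here; a comment such as `/* Lexical check only: rejects ".." components, does not resolve symlinks.  */` would stop the next maintainer from reading more into it. Whether every name patch operates on reaches this function is not visible in the hunk. strip_leading_slashes begins before this hunk and its call sites are outside it.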
diff --git a/tests/bad-filenames b/tests/bad-filenames
new file mode 100644
index 0000000..f53a613
--- /dev/null
+++ b/tests/bad-filenames
@@ -0,0 +1,49 @@
+# Copyright (C) 2011 Free Software Foundation, Inc.
+#
+# Copying and distribution of this file, with or without modification,
+# in any medium, are permitted without royalty provided the copyright
+# notice and this notice are preserved.
+
+. $srcdir/test-lib.sh
+
+use_local_patch
+
+# ================================================================
+
+emit_patch()
+{
+cat <