Hi, I am going to 0-day NMU this package. The attached patch fixes this issue. It will also be archived at: http://people.debian.org/~nion/nmu-diff/lha_1.14i-10.1_1.14i-10.2.patch
Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u lha-1.14i/debian/changelog lha-1.14i/debian/changelog
--- lha-1.14i/debian/changelog
+++ lha-1.14i/debian/changelog
@@ -1,3 +1,11 @@
+lha (1.14i-10.2) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Included patch.CVE-2007-2030.patch to fix insecure handling of
+ temporary files (CVE-2007-2030) (Closes: #437621).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sun, 09 Sep 2007 14:49:16 +0200
+
 lha (1.14i-10.1) unstable; urgency=high
 * Security NMU for vulnerabilities inherited from GNU Gzip:
diff -u lha-1.14i/debian/rules lha-1.14i/debian/rules
--- lha-1.14i/debian/rules
+++ lha-1.14i/debian/rules
@@ -19,6 +19,7 @@
 patch -p0 < debian/patch.header-overflow
 patch -p1 < debian/patch.redhat-sec2
 patch -p1 < debian/patch.CVE-2006-4335-CVE-2006-4337-CVE-2006-4338
+ patch -p1 < debian/patch.CVE-2007-2030.patch
 touch configure-stamp
only in patch2:
unchanged:
--- lha-1.14i.orig/debian/patch.CVE-2007-2030.patch
+++ lha-1.14i/debian/patch.CVE-2007-2030.patch
@@ -0,0 +1,86 @@
+--- lha-114i/src/lhadd.c
++++ lha-114i/src/lhadd.c
+@@ -35,6 +35,8 @@ add_one(fp, nafp, hdr)
+ if ((hdr->unix_mode & UNIX_FILE_SYMLINK) == UNIX_FILE_SYMLINK) {
+ char buf[256], *b1, *b2;
+ if (!quiet) {
++ /* make sure we use a zero-terminated buffer */
++ hdr->name[255] = 0;
+ strcpy(buf, hdr->name);
+ b1 = strtok(buf, "|");
+ b2 = strtok(NULL, "|");
+@@ -211,8 +213,11 @@ find_update_files(oafp)
+ add_sp(&sp, hdr.name, strlen(hdr.name) + 1);
+ }
+ else if ((hdr.unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_DIRECTORY) {
++ /* make sure we use a zero-terminated buffer */
++ hdr.name[sizeof(hdr.name)-1] = 0;
+ strcpy(name, hdr.name);
+ len = strlen(name);
++ /* XXX thomas: what about multiple '/' or about ".." */
+ if (len > 0 && name[len - 1] == '/')
+ name[--len] = '\0'; /* strip tail '/' */
+ if (stat(name, &stbuf) >= 0) /* exist ? */
+@@ -237,17 +242,21 @@ delete(oafp, nafp)
+
+ old_header_pos = ftell(oafp);
+ while (get_header(oafp, &ahdr)) {
++ /* make sure we use a zero-terminated buffer */
++ ahdr.name[sizeof(ahdr.name)-1] = 0;
+ strcpy(lpath, ahdr.name);
+ b1 = strtok(lpath, "|");
+ b2 = strtok(NULL, "|");
+ if (need_file(b1)) { /* skip */
+ fseek(oafp, ahdr.packed_size, SEEK_CUR);
+ if (noexec || !quiet)
++ {
+ if (b2 != NULL)
+ printf("delete %s -> %s\n", b1, b2);
+ else
+ printf("delete %s\n", b1);
+ }
++ }
+ else { /* copy */
+ if (noexec) {
+ fseek(oafp, ahdr.packed_size, SEEK_CUR);
+@@ -276,7 +285,7 @@ build_temporary_file()
+ signal(SIGHUP, interrupt);
+
+ old_umask = umask(077);
+- afp = xfopen(temporary_name, WRITE_BINARY);
++ afp = xfopen(temporary_name, "!" WRITE_BINARY);
+ remove_temporary_at_error = TRUE;
+ temporary_fp = afp;
+ umask(old_umask);
+--- lha-114i/src/lharc.c
++++ lha-114i/src/lharc.c
+@@ -1005,10 +1005,18 @@ FILE *
+ xfopen(name, mode)
+ char *name, *mode;
+ {
+- FILE *fp;
++ FILE *fp = NULL;
++
++ if (mode[0] == '!') {
++ int fd;
+
++ fd = open(name, O_RDWR|O_CREAT|O_EXCL, 0600);
++ if (fd < 0 || (fp = fdopen(fd, mode + 1)) == NULL)
++ fatal_error(name);
++ } else {
+ if ((fp = fopen(name, mode)) == NULL)
+ fatal_error(name);
++ }
+
+ return fp;
+ }
+--- lha-114i/src/lhext.c
++++ lha-114i/src/lhext.c
+@@ -360,7 +360,6 @@ extract_one(afp, hdr)
+ }
+
+ unlink(bb1);
+- make_parent_path(bb1);
+ l_code = symlink(bb2, bb1);
+ if (l_code < 0) {
+ if (quiet != TRUE)
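Review bot: The first lhadd.c hunk (add_one) terminates the archive-supplied name with a hard-coded `hdr->name[255] = 0;`, which silently ties the guard to the local `buf[256]` and only holds if `hdr->name` is at least 256 bytes, whereas the find_update_files and delete hunks correctly use `sizeof(...)-1`; the following `strcpy(buf, hdr->name)` stays unbounded. I would write it as `hdr->name[sizeof(hdr->name) - 1] = 0;` followed by `snprintf(buf, sizeof buf, "%s", hdr->name);` so that the copy is bounded by the destination regardless of how the two sizes relate. In the lharc.c xfopen hunk the `O_CREAT|O_EXCL` open with mode 0600 is the right fix for the temporary-file issue, but if `fdopen` fails the descriptor from `open` is left open before `fatal_error(name)`; that is harmless only if fatal_error never returns, which the hunk does not show, so `close(fd)` before the call would make it independent of that assumption. The `XXX thomas` comment left in find_update_files records an open question about `".."` and repeated `'/'` in directory names without resolving it, and the removal of `make_parent_path(bb1)` in lhext.c is a behaviour change that neither the changelog entry nor the patch documents. All of the patched functions (add_one, find_update_files, delete, build_temporary_file, xfopen, extract_one) start or end outside their hunks.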