.NET Core CLI tools and runtime
CentOS Sources
2018-11-27 6a54302de21f88cf52567bb8b03bf24e6aabd088
import rh-dotnet21-dotnet-2.1.500-5.el7
1 files added
1 files modified
67 ■■■■■ changed files
SOURCES/corefx-32165-out-of-directory-extract.patch 53 ●●●●●
SPECS/dotnet.spec 14 ●●●●
SOURCES/corefx-32165-out-of-directory-extract.patch
New file
@@ -0,0 +1,53 @@
From 65a19e18d7d4b94f50772bd3118c0b9868766af5 Mon Sep 17 00:00:00 2001
From: Maryam Ariyan <maryam.ariyan@microsoft.com>
Date: Fri, 7 Sep 2018 10:53:25 -0700
Subject: [PATCH] Fixes extract out of directory by ensuring trailing separator
 for nested paths.
Related to PR #32127
---
 .../System/IO/Compression/ZipFileExtensions.cs  |  2 ++
 .../tests/ZipFileConvenienceMethods.cs          | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs b/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
index 3fef7883c953..c749c8250f9c 100644
--- a/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
+++ b/src/System.IO.Compression.ZipFile/src/System/IO/Compression/ZipFileExtensions.cs
@@ -160,6 +160,8 @@ public static void ExtractToDirectory(this ZipArchive source, string destination
             // Note that this will give us a good DirectoryInfo even if destinationDirectoryName exists:
             DirectoryInfo di = Directory.CreateDirectory(destinationDirectoryName);
             string destinationDirectoryFullPath = di.FullName;
+            if (!destinationDirectoryFullPath.EndsWith(Path.DirectorySeparatorChar))
+                destinationDirectoryFullPath += Path.DirectorySeparatorChar;
             foreach (ZipArchiveEntry entry in source.Entries)
             {
diff --git a/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs b/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
index 69c822e3fc7e..3a0255d03862 100644
--- a/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
+++ b/src/System.IO.Compression.ZipFile/tests/ZipFileConvenienceMethods.cs
@@ -186,6 +186,23 @@ public void ExtractToDirectoryExtension_Unicode()
             }
         }
+        [Theory]
+        [InlineData("../Foo")]
+        [InlineData("../Barbell")]
+        [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework, "Second case fails.")]
+        public void ExtractOutOfRoot(string entryName)
+        {
+            string archivePath = GetTestFilePath();
+            using (FileStream stream = new FileStream(archivePath, FileMode.Create))
+            using (ZipArchive archive = new ZipArchive(stream, ZipArchiveMode.Create, leaveOpen: true))
+            {
+                ZipArchiveEntry entry = archive.CreateEntry(entryName);
+            }
+
+            DirectoryInfo destination = Directory.CreateDirectory(Path.Combine(GetTestFilePath(), "Bar"));
+            Assert.Throws<IOException>(() => ZipFile.ExtractToDirectory(archivePath, destination.FullName));
+        }
+
         [Fact]
         public void CreatedEmptyDirectoriesRoundtrip()
         {
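Review bot: The two lines added to ExtractToDirectory have no comment explaining why the trailing separator matters, and the per-entry containment check that presumably depends on it sits outside this hunk (the body continues past the `foreach`), so a later cleanup could drop them as cosmetic. I would put `// Keep a trailing separator so the per-entry containment check cannot accept a sibling directory that only shares a name prefix ("Bar" vs "Barbell").` above the `if`. In the new ExtractOutOfRoot test, `Assert.Throws<IOException>` shows that extraction is rejected, but not that nothing was created outside the destination before the exception. Following it with `Assert.False(File.Exists(Path.Combine(destination.Parent.FullName, Path.GetFileName(entryName))));` would pin that as well.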
SPECS/dotnet.spec
@@ -35,7 +35,7 @@
Name:           %{?scl_prefix}dotnet
Version:        %{sdk_version}
Release:        3%{?dist}
Release:        5%{?dist}
Group:          Development/Languages
Summary:        .NET Core CLI tools and runtime
License:        MIT and ASL 2.0 and BSD
@@ -51,8 +51,10 @@
Source0:        dotnet-v%{runtime_version}a.tar.gz
Source1:        check-debug-symbols.py
Patch100:         corefx-32956-alpn.patch
Patch300:         core-setup-4510-commit-id.patch
Patch100:       corefx-32956-alpn.patch
Patch101:       corefx-32165-out-of-directory-extract.patch
Patch300:       core-setup-4510-commit-id.patch
ExclusiveArch:  x86_64
@@ -171,6 +173,7 @@
pushd src/corefx
%patch100 -p1
%patch101 -p1
popd
pushd src/core-setup
@@ -255,6 +258,11 @@
%{_libdir}/%{pkg_name}/sdk/%{sdk_version}
%changelog
* Wed Nov 14 2018 Omair Majid <omajid@redhat.com> - 2.1.500-5
- Fix extract out of directory
- Resolves: CVE-2018-8416
- Resolves: rhbz#1649693
* Fri Nov 09 2018 Omair Majid <omajid@redhat.com> - 2.1.500-3
- Fix linking alpn support by linking to OpenSSL correctly
- Fix commit ids in dotnet --info