|
 |
f686d7 |
From c3fec0b136d938704d8b0ba82424eea8d17f86ab Mon Sep 17 00:00:00 2001
|
|
|
f686d7 |
From: Oliver Kiddle <okiddle@yahoo.co.uk>
|
|
|
f686d7 |
Date: Sat, 24 Mar 2018 15:02:41 +0100
|
|
|
f686d7 |
Subject: [PATCH 1/2] 42518, CVE-2018-1071: check bounds when copying path in
|
|
|
f686d7 |
hashcmd()
|
|
|
f686d7 |
|
|
|
f686d7 |
Upstream-commit: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
|
|
|
f686d7 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
f686d7 |
---
|
|
|
f686d7 |
Src/exec.c | 2 +-
|
|
|
f686d7 |
Src/utils.c | 6 +++---
|
|
|
f686d7 |
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
f686d7 |
|
|
|
f686d7 |
diff --git a/Src/exec.c b/Src/exec.c
|
|
|
f686d7 |
index 6d47935..b9ffb35 100644
|
|
|
f686d7 |
--- a/Src/exec.c
|
|
|
f686d7 |
+++ b/Src/exec.c
|
|
|
f686d7 |
@@ -860,7 +860,7 @@ hashcmd(char *arg0, char **pp)
|
|
|
f686d7 |
for (; *pp; pp++)
|
|
|
f686d7 |
if (**pp == '/') {
|
|
|
f686d7 |
s = buf;
|
|
|
f686d7 |
- strucpy(&s, *pp);
|
|
|
f686d7 |
+ struncpy(&s, *pp, PATH_MAX);
|
|
|
f686d7 |
*s++ = '/';
|
|
|
f686d7 |
if ((s - buf) + strlen(arg0) >= PATH_MAX)
|
|
|
f686d7 |
continue;
|
|
|
f686d7 |
diff --git a/Src/utils.c b/Src/utils.c
|
|
|
f686d7 |
index 391d020..c6eba63 100644
|
|
|
f686d7 |
--- a/Src/utils.c
|
|
|
f686d7 |
+++ b/Src/utils.c
|
|
|
f686d7 |
@@ -2010,10 +2010,10 @@ struncpy(char **s, char *t, int n)
|
|
|
f686d7 |
{
|
|
|
f686d7 |
char *u = *s;
|
|
|
f686d7 |
|
|
|
f686d7 |
- while (n--)
|
|
|
f686d7 |
- *u++ = *t++;
|
|
|
f686d7 |
+ while (n-- && (*u++ = *t++));
|
|
|
f686d7 |
*s = u;
|
|
|
f686d7 |
- *u = '\0';
|
|
|
f686d7 |
+ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
|
|
|
f686d7 |
+ *u = '\0';
|
|
|
f686d7 |
}
|
|
|
f686d7 |
|
|
|
f686d7 |
/* Return the number of elements in an array of pointers. *
|
|
|
f686d7 |
--
|
|
|
f686d7 |
2.14.3
|
|
|
f686d7 |
|
|
|
f686d7 |
|
|
|
f686d7 |
From 88b8110331ac616a8450fab0b87a65df715ee3a8 Mon Sep 17 00:00:00 2001
|
|
|
f686d7 |
From: Oliver Kiddle <okiddle@yahoo.co.uk>
|
|
|
f686d7 |
Date: Wed, 28 Mar 2018 09:00:58 +0200
|
|
|
f686d7 |
Subject: [PATCH 2/2] 42539: prevent overflow of PATH_MAX-sized buffer in
|
|
|
f686d7 |
spelling correction
|
|
|
f686d7 |
|
|
|
f686d7 |
Upstream-commit: c053c6a0799397632df9ba88f8812a1da49c67f1
|
|
|
f686d7 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
f686d7 |
---
|
|
|
f686d7 |
Src/utils.c | 14 +++++++++-----
|
|
|
f686d7 |
1 file changed, 9 insertions(+), 5 deletions(-)
|
|
|
f686d7 |
|
|
|
f686d7 |
diff --git a/Src/utils.c b/Src/utils.c
|
|
|
f686d7 |
index 3989c8c..bac12a9 100644
|
|
|
f686d7 |
--- a/Src/utils.c
|
|
|
f686d7 |
+++ b/Src/utils.c
|
|
|
f686d7 |
@@ -2010,7 +2010,8 @@ struncpy(char **s, char *t, int n)
|
|
|
f686d7 |
{
|
|
|
f686d7 |
char *u = *s;
|
|
|
f686d7 |
|
|
|
f686d7 |
- while (n-- && (*u++ = *t++));
|
|
|
f686d7 |
+ while (n-- && (*u = *t++))
|
|
|
f686d7 |
+ u++;
|
|
|
f686d7 |
*s = u;
|
|
|
f686d7 |
if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
|
|
|
f686d7 |
*u = '\0';
|
|
|
f686d7 |
@@ -3745,17 +3746,20 @@ spname(char *oldname)
|
|
|
f686d7 |
* odd to the human reader, and we may make use of the total *
|
|
|
f686d7 |
* distance for all corrections at some point in the future. */
|
|
|
f686d7 |
if (bestdist < maxthresh) {
|
|
|
f686d7 |
- strcpy(new, spnameguess);
|
|
|
f686d7 |
- strcat(new, old);
|
|
|
f686d7 |
- return newname;
|
|
|
f686d7 |
+ struncpy(&new, spnameguess, sizeof(newname) - (new - newname));
|
|
|
f686d7 |
+ struncpy(&new, old, sizeof(newname) - (new - newname));
|
|
|
f686d7 |
+ return (new - newname) >= (sizeof(newname)-1) ? NULL : newname;
|
|
|
f686d7 |
} else
|
|
|
f686d7 |
return NULL;
|
|
|
f686d7 |
} else {
|
|
|
f686d7 |
maxthresh = bestdist + thresh;
|
|
|
f686d7 |
bestdist += thisdist;
|
|
|
f686d7 |
}
|
|
|
f686d7 |
- for (p = spnamebest; (*new = *p++);)
|
|
|
f686d7 |
+ for (p = spnamebest; (*new = *p++);) {
|
|
|
f686d7 |
+ if ((new - newname) >= (sizeof(newname)-1))
|
|
|
f686d7 |
+ return NULL;
|
|
|
f686d7 |
new++;
|
|
|
f686d7 |
+ }
|
|
|
f686d7 |
}
|
|
|
f686d7 |
}
|
|
|
f686d7 |
|
|
|
f686d7 |
--
|
|
|
f686d7 |
2.17.2
|
|
|
f686d7 |
|