oss-security - Re: CVE request: patch directory traversal flaw

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <20110218165125.GA4245@albatros>
Date: Fri, 18 Feb 2011 19:51:25 +0300
From: Vasiliy Kulikov <segoon@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: patch directory traversal flaw

The patch of Jim Meyering introduces interdiff regression:

$ interdiff -z john-1.7.6-jumbo-9.diff.gz john-1.7.6-jumbo-10.diff.gz
patch: **** rejecting absolute target file name: /tmp/.private/genie/interdiff-1.7yovIC
interdiff: Error applying patch1 to reconstructed file

interdiff creates a patch with absolute filenames, but doesn't pass the
target filename as an argument to patch.

It is fixed in the latest upstream version 0.3.2.  The fix itself is as
follows:

--- patchutils-0.3.1.orig/src/interdiff.c	2011-02-18 17:57:05.000000000 +0300
+++ patchutils-0.3.1/src/interdiff.c	2011-02-18 17:57:24.000000000 +0300
@@ -808,7 +808,7 @@ apply_patch (FILE *patch, const char *fi
 	FILE *w;
 
 	w = xpipe(PATCH, &child, "w", PATCH,
-		  reverted ? "-Rsp0" : "-sp0", NULL);
+		  reverted ? "-Rsp0" : "-sp0", file, NULL);
 
 	fprintf (w, "--- %s\n+++ %s\n", file, file);
 	line = NULL;
--


Thanks,

-- 
Vasiliy

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.