rpms/bzip2/FC-3 bzip2-1.0.2-bomb.patch, NONE, 1.1 bzip2-1.0.2-chmod.patch, NONE, 1.1 bzip2.spec, 1.10, 1.11
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu May 19 12:49:16 UTC 2005
Author: jryska
Update of /cvs/dist/rpms/bzip2/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv4776
Modified Files:
bzip2.spec
Added Files:
bzip2-1.0.2-bomb.patch bzip2-1.0.2-chmod.patch
Log Message:
fixed permission setting for decompressed files #155742
fixed decompression bomb (DoS) #157548
bzip2-1.0.2-bomb.patch:
bzlib.c | 44 +++++++++++++++++++++++++++++++-------------
1 files changed, 31 insertions(+), 13 deletions(-)
--- NEW FILE bzip2-1.0.2-bomb.patch ---
--- bzip2-1.0.2/bzlib.c.bomb 2005-05-16 10:24:40.000000000 +0200
+++ bzip2-1.0.2/bzlib.c 2005-05-16 10:36:24.000000000 +0200
@@ -575,7 +575,7 @@
/*---------------------------------------------------*/
static
-void unRLE_obuf_to_output_FAST ( DState* s )
+Bool unRLE_obuf_to_output_FAST ( DState* s )
{
UChar k1;
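Review bot: The new Bool return value of unRLE_obuf_to_output_FAST is not documented, and True meaning "corrupt" runs against the usual "true is success" reading, so a later caller could easily invert the test. I would add a comment above the `static` line: `/* Return True iff data corruption is discovered; False if there is no problem. */`. The same comment belongs on unRLE_obuf_to_output_SMALL in the @@ -733 hunk. The function body continues outside this hunk.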
@@ -584,7 +584,7 @@
while (True) {
/* try to finish existing run */
while (True) {
- if (s->strm->avail_out == 0) return;
+ if (s->strm->avail_out == 0) return False;
if (s->state_out_len == 0) break;
*( (UChar*)(s->strm->next_out) ) = s->state_out_ch;
BZ_UPDATE_CRC ( s->calculatedBlockCRC, s->state_out_ch );
@@ -596,8 +596,11 @@
}
/* can a new run be started? */
- if (s->nblock_used == s->save_nblock+1) return;
-
+ if (s->nblock_used == s->save_nblock+1) return False;
+
+ /* Only caused by corrupt data stream? */
+ if (s->nblock_used > s->save_nblock+1)
+ return True;
s->state_out_len = 1;
s->state_out_ch = s->k0;
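Review bot: The comment `/* Only caused by corrupt data stream? */` is phrased as a question, which leaves a maintainer unsure whether the new branch guards a known invariant or a guess. Since the branch turns into a hard BZ_DATA_ERROR in the caller, state it as a fact, e.g. `/* nblock_used can only pass save_nblock+1 on a corrupt stream: report it */`. The same wording recurs in the @@ -667, @@ -754 and @@ -800 hunks. The enclosing loop starts and ends outside this hunk.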
@@ -667,6 +670,10 @@
cs_avail_out--;
}
}
+ /* Only caused by corrupt data stream? */
+ if (c_nblock_used > s_save_nblockPP)
+ return True;
+
/* can a new run be started? */
if (c_nblock_used == s_save_nblockPP) {
c_state_out_len = 0; goto return_notr;
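Review bot: The added `return True;` exits the fast path without going through the write-back at `return_notr`, so the cached locals are never copied back into `s` and `s->strm` on this path (the next hunk shows `s->strm->avail_out = cs_avail_out;` under `/* end save */`). The caller returns BZ_DATA_ERROR immediately, so this is probably harmless, but any bytes this call already wrote (see `cs_avail_out--` above) appear not to be reflected in avail_out/next_out afterwards. Either record that in the comment, e.g. `/* corrupt stream: bail out without saving state; caller must abandon the stream */`, or route this exit through the save block before returning. The enclosing block starts and ends outside the hunk.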
@@ -712,6 +719,7 @@
s->strm->avail_out = cs_avail_out;
/* end save */
}
+ return False;
}
@@ -733,7 +741,7 @@
/*---------------------------------------------------*/
static
-void unRLE_obuf_to_output_SMALL ( DState* s )
+Bool unRLE_obuf_to_output_SMALL ( DState* s )
{
UChar k1;
@@ -742,7 +750,7 @@
while (True) {
/* try to finish existing run */
while (True) {
- if (s->strm->avail_out == 0) return;
+ if (s->strm->avail_out == 0) return False;
if (s->state_out_len == 0) break;
*( (UChar*)(s->strm->next_out) ) = s->state_out_ch;
BZ_UPDATE_CRC ( s->calculatedBlockCRC, s->state_out_ch );
@@ -754,8 +762,11 @@
}
/* can a new run be started? */
- if (s->nblock_used == s->save_nblock+1) return;
+ if (s->nblock_used == s->save_nblock+1) return False;
+ /* Only caused by corrupt data stream? */
+ if (s->nblock_used > s->save_nblock+1)
+ return True;
s->state_out_len = 1;
s->state_out_ch = s->k0;
@@ -788,7 +799,7 @@
while (True) {
/* try to finish existing run */
while (True) {
- if (s->strm->avail_out == 0) return;
+ if (s->strm->avail_out == 0) return False;
if (s->state_out_len == 0) break;
*( (UChar*)(s->strm->next_out) ) = s->state_out_ch;
BZ_UPDATE_CRC ( s->calculatedBlockCRC, s->state_out_ch );
@@ -800,7 +811,12 @@
}
/* can a new run be started? */
- if (s->nblock_used == s->save_nblock+1) return;
+ if (s->nblock_used == s->save_nblock+1) return False;
+
+ /* Only caused by corrupt data stream? */
+ if (s->nblock_used > s->save_nblock+1)
+ return True;
+
s->state_out_len = 1;
s->state_out_ch = s->k0;
@@ -830,6 +846,7 @@
/*---------------------------------------------------*/
int BZ_API(BZ2_bzDecompress) ( bz_stream *strm )
{
+ Bool corrupt;
DState* s;
if (strm == NULL) return BZ_PARAM_ERROR;
s = strm->state;
@@ -840,12 +857,13 @@
if (s->state == BZ_X_IDLE) return BZ_SEQUENCE_ERROR;
if (s->state == BZ_X_OUTPUT) {
if (s->smallDecompress)
- unRLE_obuf_to_output_SMALL ( s ); else
- unRLE_obuf_to_output_FAST ( s );
+ corrupt = unRLE_obuf_to_output_SMALL ( s ); else
+ corrupt = unRLE_obuf_to_output_FAST ( s );
+ if (corrupt) return BZ_DATA_ERROR;
if (s->nblock_used == s->save_nblock+1 && s->state_out_len == 0) {
BZ_FINALISE_CRC ( s->calculatedBlockCRC );
if (s->verbosity >= 3)
- VPrintf2 ( " {0x%x, 0x%x}", s->storedBlockCRC,
+ VPrintf2 ( " {0x%08x, 0x%08x}", s->storedBlockCRC,
s->calculatedBlockCRC );
if (s->verbosity >= 2) VPrintf0 ( "]" );
if (s->calculatedBlockCRC != s->storedBlockCRC)
@@ -863,7 +881,7 @@
Int32 r = BZ2_decompress ( s );
if (r == BZ_STREAM_END) {
if (s->verbosity >= 3)
- VPrintf2 ( "\n combined CRCs: stored = 0x%x, computed = 0x%x",
+ VPrintf2 ( "\n combined CRCs: stored = 0x%08x, computed = 0x%08x",
s->storedCombinedCRC, s->calculatedCombinedCRC );
if (s->calculatedCombinedCRC != s->storedCombinedCRC)
return BZ_DATA_ERROR;
bzip2-1.0.2-chmod.patch:
bzip2.c | 35 ++++++++++++++++++++++++++++-------
1 files changed, 28 insertions(+), 7 deletions(-)
--- NEW FILE bzip2-1.0.2-chmod.patch ---
--- bzip2-1.0.2/bzip2.c.nochmod 2005-05-10 16:19:45.000000000 +0200
+++ bzip2-1.0.2/bzip2.c 2005-05-10 16:22:00.000000000 +0200
@@ -312,6 +312,7 @@
static void copyFileName ( Char*, Char* );
static void* myMalloc ( Int32 );
+static int applySavedFileAttrToOutputFile ( int fd );
@@ -457,6 +458,10 @@
ret = fflush ( zStream );
if (ret == EOF) goto errhandler_io;
if (zStream != stdout) {
+ int fd = fileno ( zStream );
+ if (fd < 0) goto errhandler_io;
+ ret = applySavedFileAttrToOutputFile ( fd );
+ if (ret != 0) goto errhandler_io;
ret = fclose ( zStream );
outputHandleJustInCase = NULL;
if (ret == EOF) goto errhandler_io;
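Review bot: Calling fchmod() on the descriptor just before fclose() still leaves the output file with its creation-time permissions for the whole duration of the write. The call that creates the output file is not part of this patch, so it is worth confirming how it is opened. If it gets the umask-governed default mode, the contents of a source file with a restrictive mode stay readable by other users until this point. Creating it owner-only, e.g. `open(name, O_WRONLY|O_CREAT|O_EXCL, S_IRUSR|S_IWUSR)` followed by `fdopen()`, would close that window. The same applies to the decompression path in the @@ -567 hunk, and the enclosing function continues outside this hunk.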
@@ -567,6 +572,12 @@
closeok:
if (ferror(zStream)) goto errhandler_io;
+ if ( stream != stdout) {
+ int fd = fileno ( stream );
+ if (fd < 0) goto errhandler_io;
+ ret = applySavedFileAttrToOutputFile ( fd );
+ if (ret != 0) goto errhandler_io;
+ }
ret = fclose ( zStream );
if (ret == EOF) goto errhandler_io;
@@ -1125,7 +1136,7 @@
static
-void applySavedMetaInfoToOutputFile ( Char *dstName )
+void applySavedTimeInfoToOutputFile ( Char *dstName )
{
# if BZ_UNIX
IntNative retVal;
@@ -1134,16 +1145,26 @@
uTimBuf.actime = fileMetaInfo.st_atime;
uTimBuf.modtime = fileMetaInfo.st_mtime;
- retVal = chmod ( dstName, fileMetaInfo.st_mode );
- ERROR_IF_NOT_ZERO ( retVal );
-
retVal = utime ( dstName, &uTimBuf );
ERROR_IF_NOT_ZERO ( retVal );
+# endif
+}
+
+static
+int applySavedFileAttrToOutputFile ( int fd )
+{
+# if BZ_UNIX
+ IntNative retVal;
+
+ retVal = fchmod ( fd, fileMetaInfo.st_mode );
+ if (retVal != 0)
+ return retVal;
- retVal = chown ( dstName, fileMetaInfo.st_uid, fileMetaInfo.st_gid );
+ (void) fchown ( fd, fileMetaInfo.st_uid, fileMetaInfo.st_gid );
/* chown() will in many cases return with EPERM, which can
be safely ignored.
*/
+ return 0;
# endif
}
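Review bot: applySavedFileAttrToOutputFile is declared `int`, but its only fall-through `return 0;` sits inside `# if BZ_UNIX`, so on a build where BZ_UNIX is 0 the function returns no value. Both new call sites test `if (ret != 0) goto errhandler_io;`, so such a build would read an indeterminate result and could fail every compress or decompress. Move `return 0;` below the `# endif`. The kept comment still says chown() although the call is now `fchown`, and it would be worth adding why the result is discarded with `(void)` while an fchmod failure is reported.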
@@ -1366,7 +1387,7 @@
/*--- If there was an I/O error, we won't get here. ---*/
if ( srcMode == SM_F2F ) {
- applySavedMetaInfoToOutputFile ( outName );
+ applySavedTimeInfoToOutputFile ( outName );
deleteOutputOnInterrupt = False;
if ( !keepInputFiles ) {
IntNative retVal = remove ( inName );
@@ -1544,7 +1565,7 @@
/*--- If there was an I/O error, we won't get here. ---*/
if ( magicNumberOK ) {
if ( srcMode == SM_F2F ) {
- applySavedMetaInfoToOutputFile ( outName );
+ applySavedTimeInfoToOutputFile ( outName );
deleteOutputOnInterrupt = False;
if ( !keepInputFiles ) {
IntNative retVal = remove ( inName );
Index: bzip2.spec
===================================================================
RCS file: /cvs/dist/rpms/bzip2/FC-3/bzip2.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- bzip2.spec 9 Sep 2004 03:41:34 -0000 1.10
+++ bzip2.spec 19 May 2005 12:49:14 -0000 1.11
@@ -1,12 +1,14 @@
Summary: A file compression utility.
Name: bzip2
Version: 1.0.2
-Release: 13
+Release: 13.FC3
License: BSD
Group: Applications/File
URL: http://sources.redhat.com/bzip2/
Source: ftp://sources.redhat.com/pub/bzip2/v102/bzip2-%{version}.tar.gz
-Patch: bzip2-1.0.2-saneso.patch
+Patch0: bzip2-1.0.2-saneso.patch
+Patch1: bzip2-1.0.2-chmod.patch
+PAtch2: bzip2-1.0.2-bomb.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Requires: bzip2-libs = %{version}
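Review bot: The new tag is spelled `PAtch2:` with a capital A, unlike `Patch0:` and `Patch1:` next to it. rpm appears to match preamble tags case-insensitively, so the build probably still applies the bomb patch through `%patch2`, but the spelling should be normalised to `Patch2: bzip2-1.0.2-bomb.patch`. Tools that grep spec files for `^Patch[0-9]+:` would otherwise miss the security fix.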
@@ -41,7 +43,9 @@
%prep
%setup -q
-%patch -p1
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
%build
@@ -101,6 +105,10 @@
%{_libdir}/*so
%changelog
+* Thu May 19 2005 Jiri Ryska <jryska at redhat.com>
+- fixed permission setting for decompressed files #155742
+- fixed decompression bomb (DoS) #157548
+
* Tue Jun 15 2004 Elliot Lee <sopwith at redhat.com>
- rebuilt