rpms/deluge/F-9 deluge-0.5.9.3-CVE-2009-1760.diff,NONE,1.1
Peter Gordon
pgordon at fedoraproject.org
Thu Jun 18 08:27:05 UTC 2009
Author: pgordon
Update of /cvs/pkgs/rpms/deluge/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14825
Added Files:
deluge-0.5.9.3-CVE-2009-1760.diff
Log Message:
Actually add the patch...Oops.
deluge-0.5.9.3-CVE-2009-1760.diff:
--- NEW FILE deluge-0.5.9.3-CVE-2009-1760.diff ---
diff -up ./src/torrent_info.cpp.old ./src/torrent_info.cpp
--- libtorrent/src/torrent_info.cpp.old 2009-06-18 01:00:20.532610534 -0700
+++ libtorrent/src/torrent_info.cpp 2009-06-18 01:05:02.777611171 -0700
@@ -39,6 +39,7 @@ POSSIBILITY OF SUCH DAMAGE.
#include <iterator>
#include <algorithm>
#include <set>
+#include <string>
#ifdef _MSC_VER
#pragma warning(push, 1)
@@ -74,6 +75,29 @@ namespace
str += 0x80 | (chr & 0x3f);
}
+ bool valid_path_element(std::string const& element)
+ {
+ if (element.empty()
+ || element == "." || element == ".."
+ || element[0] == '/' || element[0] == '\\'
+ || element[element.size()-1] == ':')
+ return false;
+ return true;
+ }
+
+ fs::path sanitize_path(fs::path const& p)
+ {
+ fs::path new_path;
+ for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+ {
+ if (!valid_path_element(*i)) continue;
+ std::string pe = *i;
+ new_path /= pe;
+ }
+ assert(!new_path.is_complete());
+ return new_path;
+ }
+
void verify_encoding(file_entry& target)
{
std::string tmp_path;
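Review bot: The only guard in `sanitize_path` that the result is relative is `assert(!new_path.is_complete());`, which compiles away when NDEBUG is defined, so release builds do not enforce that invariant inside the helper. Because this function is the boundary for paths taken from torrent metadata, a runtime check would be safer, e.g. `if (new_path.is_complete()) throw std::runtime_error("sanitized path is absolute");`. A comment above `valid_path_element` should state that it inspects only the first and last character of an element. A comment above `sanitize_path` should state that rejected elements are dropped silently rather than reported, so two distinct input paths can map to the same output.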
@@ -184,9 +208,9 @@ namespace
for (entry::list_type::const_iterator i = list->begin();
i != list->end(); ++i)
{
- if (i->string() != "..")
- target.path /= i->string();
+ target.path /= i->string();
}
+ target.path = sanitize_path(target.path);
verify_encoding(target);
if (target.path.is_complete()) throw std::runtime_error("torrent contains "
"a file with an absolute path: '"
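Review bot: After `target.path = sanitize_path(target.path);` an empty result is not rejected in the visible lines. If every element of the list is dropped (for example a path made only of `..` entries), `target.path` ends up empty and only the absolute-path check follows. The torrent name in the later hunk is covered because `valid_path_element` rejects an empty string, so the file-entry path should get the same treatment, e.g. `if (target.path.empty()) throw std::runtime_error("torrent contains a file with an invalid path");`. The enclosing function starts and ends outside this hunk, so a later check may already exist there.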
@@ -349,23 +373,8 @@ namespace libtorrent
else
{ m_name = info["name"].string(); }
- fs::path tmp = m_name;
- if (tmp.is_complete())
- {
- m_name = tmp.leaf();
- }
- else if (tmp.has_branch_path())
- {
- fs::path p;
- for (fs::path::iterator i = tmp.begin()
- , end(tmp.end()); i != end; ++i)
- {
- if (*i == "." || *i == "..") continue;
- p /= *i;
- }
- m_name = p.string();
- }
- if (m_name == ".." || m_name == ".")
+ m_name = sanitize_path(m_name).string();
+ if (!valid_path_element(m_name))
throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
// extract file list
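Review bot: `valid_path_element(m_name)` is applied to the whole sanitized string rather than to a single element, so a name that still has several components after `sanitize_path` (such as `a/b`) passes, because only the first and last characters are inspected. If the torrent name is meant to be a single file or directory name, which the helper's name suggests but the hunk does not confirm, say so in a comment or reject it with `if (fs::path(m_name).has_branch_path()) throw ...`. The removed code also kept multi-component names, so this is not a regression, but the new check reads as stricter than it is.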