author | 2019-05-27 15:11:01 +0000 | |
---|---|---|
committer | 2019-05-27 15:11:01 +0000 | |
commit | 02899aaf1f8948c77a1ed6ab149cd55b4dd2cfac (patch) | |
tree | ee806623b29178788200dd9a2128634989d96677 | |
parent | disable virtio. a serially careless & procedure violating developer (diff) | |
For "gunzip -N", only use the basename of the stored path.
Fixes a directory traversal bug when the stored name includes a
directory component. Both GNU gzip and our gzip store the basename
of the path when compressing but a malicious .gz file could contain
an arbitrary path. Problem found by elvis alien. OK deraadt@
-rw-r--r-- | usr.bin/compress/main.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/usr.bin/compress/main.c b/usr.bin/compress/main.c
index cc1e8a407b9..471b7051a69 100644
--- a/usr.bin/compress/main.c
+++ b/usr.bin/compress/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.94 2016/09/03 13:26:50 tedu Exp $ */
+/* $OpenBSD: main.c,v 1.95 2019/05/27 15:11:01 millert Exp $ */
 /*
 * Copyright (c) 1992, 1993
@@ -657,7 +657,7 @@ dodecompress(const char *in, char *out, struct stat *sb)
 return -1;
 }
- /* XXX - open constrains outfile to MAXPATHLEN so this is safe */
+ /* XXX - open constrains outfile to PATH_MAX so this is safe */
 oldname[0] = '\0';
 if ((cookie = method->ropen(ifd, oldname, 1)) == NULL) {
 if (verbose >= 0)
@@ -666,12 +666,13 @@ dodecompress(const char *in, char *out, struct stat *sb)
 return (FAILURE);
 }
 if (storename && oldname[0] != '\0') {
+ char *oldbase = basename(oldname);
 char *cp = strrchr(out, '/');
 if (cp != NULL) {
 *(cp + 1) = '\0';
- strlcat(out, oldname, PATH_MAX);
+ strlcat(out, oldbase, PATH_MAX);
 } else
- strlcpy(out, oldname, PATH_MAX);
+ strlcpy(out, oldbase, PATH_MAX);
 cat = 0; /* XXX should -c override? */
 } |
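Review bot: The result of `basename(oldname)` in the `storename` branch goes straight into `strlcat`/`strlcpy` unchecked. OpenBSD's basename(3) is documented to return NULL on failure, and for a stored name of `.`, `..` or only slashes it returns that component itself rather than a usable file name. I would guard the two copies with `if (oldbase != NULL && oldbase[0] != '/' && strcmp(oldbase, ".") != 0 && strcmp(oldbase, "..") != 0)` and otherwise keep the name already derived in `out`. The `strlcat` and `strlcpy` return values are also ignored, so a stored name that gets truncated is silently used; comparing the result with `PATH_MAX` would catch that. None of the hunks adds `#include <libgen.h>`, so confirm the file already includes it; the body of `dodecompress` starts and ends outside this hunk.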