head 1.14; access; symbols OPENPKG_E1_MP_HEAD:1.11 OPENPKG_E1_MP:1.11 OPENPKG_E1_MP_2_STABLE:1.4.4.1 OPENPKG_E1_FP:1.4.4.1 OPENPKG_2_STABLE_MP:1.12 OPENPKG_2_STABLE_20061018:1.4.4.1 OPENPKG_2_STABLE_20060622:1.4 OPENPKG_2_STABLE:1.4.0.4 OPENPKG_2_STABLE_BP:1.4 OPENPKG_2_5_RELEASE:1.4 OPENPKG_2_5_SOLID:1.4.0.2 OPENPKG_2_5_SOLID_BP:1.4 OPENPKG_2_4_RELEASE:1.3 OPENPKG_2_4_SOLID:1.3.0.2 OPENPKG_2_4_SOLID_BP:1.3 OPENPKG_CW_FP:1.2 OPENPKG_2_3_RELEASE:1.2 OPENPKG_2_3_SOLID:1.2.0.8 OPENPKG_2_3_SOLID_BP:1.2 OPENPKG_2_2_RELEASE:1.2 OPENPKG_2_2_SOLID:1.2.0.6 OPENPKG_2_2_SOLID_BP:1.2 OPENPKG_2_1_RELEASE:1.2 OPENPKG_2_1_SOLID:1.2.0.4 OPENPKG_2_1_SOLID_BP:1.2 OPENPKG_2_0_RELEASE:1.2 OPENPKG_2_0_SOLID:1.2.0.2 OPENPKG_2_0_SOLID_BP:1.2 OPENPKG_1_3_RELEASE:1.1.2.1 OPENPKG_1_3_SOLID:1.1.2.1.0.2 OPENPKG_1_3_SOLID_BP:1.1.2.1 OPENPKG_1_STABLE_MP:1.1 OPENPKG_1_1_SOLID:1.1.0.6 OPENPKG_1_2_SOLID:1.1.0.4 OPENPKG_1_STABLE:1.1.0.2; locks; strict; comment @# @; 1.14 date 2009.10.07.06.03.20; author rse; state Exp; branches; next 1.13; commitid EC6SIvGHaLmL9z6u; 1.13 date 2007.06.05.19.49.53; author rse; state Exp; branches; next 1.12; commitid x5li3HTLjXqedLks; 1.12 date 2007.02.06.16.25.27; author rse; state Exp; branches; next 1.11; commitid MsU58tZOojRgUr5s; 1.11 date 2007.01.01.17.50.10; author rse; state Exp; branches; next 1.10; commitid Rw4evwFrzpV4xP0s; 1.10 date 2006.12.10.09.15.16; author rse; state Exp; branches; next 1.9; commitid cWXQqcBe17ehoXXr; 1.9 date 2006.12.07.15.49.04; author rse; state Exp; branches; next 1.8; commitid vqQaXit7g1gmFBXr; 1.8 date 2006.12.07.15.45.32; author rse; state Exp; branches; next 1.7; commitid WsMkWUnVBN29EBXr; 1.7 date 2006.12.06.11.04.05; author rse; state Exp; branches; next 1.6; commitid c8Nwu06O1H0A7sXr; 1.6 date 2006.11.23.17.15.40; author rse; state Exp; branches; next 1.5; commitid 8vX1NyeG6D7YAOVr; 1.5 date 2006.09.20.11.22.27; author rse; state Exp; branches; next 1.4; commitid P94cesltwTVkHyNr; 1.4 date 2005.07.24.17.20.26; author mk; 
state Exp; branches 1.4.2.1 1.4.4.1; next 1.3; 1.3 date 2005.06.11.08.06.42; author rse; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2003.10.07.09.27.51; author rse; state Exp; branches 1.2.6.1 1.2.8.1; next 1.1; 1.1 date 2003.06.10.15.03.38; author rse; state Exp; branches 1.1.2.1 1.1.4.1 1.1.6.1; next ; 1.4.2.1 date 2006.09.20.11.23.47; author rse; state Exp; branches; next ; commitid bt6OlsUSEjXNHyNr; 1.4.4.1 date 2006.09.20.11.23.10; author rse; state Exp; branches; next 1.4.4.2; commitid oZA9g3CV1dlAHyNr; 1.4.4.2 date 2006.12.21.18.42.08; author thl; state Exp; branches; next 1.4.4.3; commitid Fh5aLL1Uk6dOaqZr; 1.4.4.3 date 2007.01.06.17.58.47; author thl; state Exp; branches; next 1.4.4.4; commitid 812VxMyEX1X3qt1s; 1.4.4.4 date 2007.02.07.20.36.28; author thl; state Exp; branches; next ; commitid buiDpkvFRFCkgB5s; 1.3.2.1 date 2005.07.26.15.36.54; author rse; state Exp; branches; next ; 1.2.6.1 date 2005.06.10.15.47.31; author ms; state Exp; branches; next ; 1.2.8.1 date 2005.06.10.15.48.34; author ms; state Exp; branches; next ; 1.1.2.1 date 2003.06.10.15.05.57; author rse; state Exp; branches; next ; 1.1.4.1 date 2003.06.10.15.07.22; author rse; state Exp; branches; next ; 1.1.6.1 date 2003.06.10.15.08.10; author rse; state Exp; branches; next ; desc @@ 1.14 log @modifying package: gzip-1.3.13 20091007 again @ text @Security Fix Index: gzip.c --- gzip.c.orig 2009-09-26 20:56:02 +0200 +++ gzip.c 2009-10-07 07:59:53 +0200 @@@@ -168,7 +168,7 @@@@ DECLARE(uch, inbuf, INBUFSIZ +INBUF_EXTRA); DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA); DECLARE(ush, d_buf, DIST_BUFSIZE); -DECLARE(uch, window, 2L*WSIZE); +DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */ #ifndef MAXSEG_64K DECLARE(ush, tab_prefix, 1L< 16) + error("Bad table\n"); + else + count[bitlen[i]]++; + } start[1] = 0; for (i = 1; i <= 16; i++) start[i + 1] = start[i] + (count[i] << (16 - i)); - if ((start[17] & 0xffff) != 0) + if ((start[17] & 
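Review bot: The `+ 4096` added to the `window` declaration in gzip.c is an unexplained magic number, and padding the buffer hides the read past its end instead of bounding it. The trailing comment says only that something peeks beyond the buffer; it names neither the reader nor the maximum distance, so nobody can check that 4096 is enough. I would give the slack a name and state the invariant, e.g. `#define WINDOW_SLACK 4096 /* max bytes a decoder may read past 2*WSIZE */` with `DECLARE(uch, window, 2L*WSIZE + WINDOW_SLACK);`, and correct `crashs` to `crashes`. The rest of this hunk is truncated in this copy, so other users of `window` are not visible here.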
0xffff) != 0 || tablebits > 16) /* 16 for weight below */ gzip_error ("Bad table\n"); jutbits = 16 - tablebits; @@@@ -161,15 +166,15 @@@@ i = start[tablebits + 1] >> jutbits; if (i != 0) { - k = 1 << tablebits; - while (i != k) table[i++] = 0; + k = MIN(1 << tablebits, DIST_BUFSIZE); + while (i < k) table[i++] = 0; } avail = nchar; mask = (unsigned) 1 << (15 - tablebits); for (ch = 0; ch < (unsigned)nchar; ch++) { if ((len = bitlen[ch]) == 0) continue; - nextcode = start[len] + weight[len]; + nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE); if (len <= (unsigned)tablebits) { if ((unsigned) 1 << tablebits < nextcode) gzip_error ("Bad table\n"); @@@@ -212,7 +217,7 @@@@ for (i = 0; i < 256; i++) pt_table[i] = c; } else { i = 0; - while (i < n) { + while (i < MIN(n,NPT)) { c = bitbuf >> (BITBUFSIZ - 3); if (c == 7) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); @@@@ -224,7 +229,7 @@@@ pt_len[i++] = c; if (i == i_special) { c = getbits(2); - while (--c >= 0) pt_len[i++] = 0; + while (--c >= 0 && i < NPT) pt_len[i++] = 0; } } while (i < nn) pt_len[i++] = 0; @@@@ -244,7 +249,7 @@@@ for (i = 0; i < 4096; i++) c_table[i] = c; } else { i = 0; - while (i < n) { + while (i < MIN(n,NC)) { c = pt_table[bitbuf >> (BITBUFSIZ - 8)]; if (c >= NT) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8); @@@@ -252,14 +257,14 @@@@ if (bitbuf & mask) c = right[c]; else c = left [c]; mask >>= 1; - } while (c >= NT); + } while (c >= NT && (mask || c != left[c])); } fillbuf((int) pt_len[c]); if (c <= 2) { if (c == 0) c = 1; else if (c == 1) c = getbits(4) + 3; else c = getbits(CBIT) + 20; - while (--c >= 0) c_len[i++] = 0; + while (--c >= 0 && i < NC) c_len[i++] = 0; } else c_len[i++] = c - 2; } while (i < NC) c_len[i++] = 0; @@@@ -288,7 +293,7 @@@@ if (bitbuf & mask) j = right[j]; else j = left [j]; mask >>= 1; - } while (j >= NC); + } while (j >= NC && (mask || j != left[j])); } fillbuf((int) c_len[j]); return j; @@@@ -305,7 +310,7 @@@@ if (bitbuf & mask) j = right[j]; else j = left [j]; mask 
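Review bot: In the unlzh.c table-building hunk, `k = MIN(1 << tablebits, DIST_BUFSIZE)` and `nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE)` bound the writes by one global constant, not by the size of the `table` actually passed in. The hunk does not show how large each caller's table is, so this is only safe if every table has at least DIST_BUFSIZE entries; confirm that, or pass the table size as a parameter. Clamping also lets decoding continue on a length table whose values already exceed the buffer; failing closed, `if (start[len] + weight[len] > DIST_BUFSIZE) gzip_error ("Bad table\n");`, is easier to reason about. The same silent clamp is used in the `MIN(n,NPT)` and `MIN(n,NC)` loops further down and in unpack.c's `base < LITERALS` condition. The enclosing function starts and ends outside these hunks.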
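Review bot: The new termination test `(mask || c != left[c])` in the tree-walk loops is undocumented, and its intent is not obvious from the code. As far as the hunk shows, it ends the walk once `mask` has shifted to zero and the node's left link points back to itself, which looks like the guard for the infinite-loop item in this patch's CVE list. A one-line comment such as `/* stop when all bits are consumed and the node links to itself (corrupt tree) */` above each loop would help; the same condition is repeated for `j >= NC` and `j >= NP` in the next two hunks. After such an exit `c` can still be >= NT when it indexes `pt_len[c]`, so confirm that array covers the value or report an error there.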
>>= 1; - } while (j >= NP); + } while (j >= NP && (mask || j != left[j])); } fillbuf((int) pt_len[j]); if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); @@@@ -352,7 +357,7 @@@@ while (--j >= 0) { buffer[r] = buffer[i]; i = (i + 1) & (DICSIZ - 1); - if (++r == count) return r; + if (++r >= count) return r; } for ( ; ; ) { c = decode_c(); @@@@ -362,14 +367,14 @@@@ } if (c <= UCHAR_MAX) { buffer[r] = c; - if (++r == count) return r; + if (++r >= count) return r; } else { j = c - (UCHAR_MAX + 1 - THRESHOLD); i = (r - decode_p() - 1) & (DICSIZ - 1); while (--j >= 0) { buffer[r] = buffer[i]; i = (i + 1) & (DICSIZ - 1); - if (++r == count) return r; + if (++r >= count) return r; } } } Index: unpack.c --- unpack.c.orig 2009-09-26 20:43:28 +0200 +++ unpack.c 2009-10-07 07:59:53 +0200 @@@@ -22,7 +22,6 @@@@ #include "gzip.h" #include "crypt.h" -#define MIN(a,b) ((a) <= (b) ? (a) : (b)) /* The arguments must not have side effects. */ #define MAX_BITLEN 25 @@@@ -146,7 +145,7 @@@@ /* Remember where the literals of this length start in literal[] : */ lit_base[len] = base; /* And read the literals: */ - for (n = leaves[len]; n > 0; n--) { + for (n = leaves[len]; n > 0 && base < LITERALS; n--) { literal[base++] = (uch)get_byte(); } } @@@@ -182,7 +181,7 @@@@ prefixp = &prefix_len[1< prefix_len) *--prefixp = (uch)len; } /* The length of all other codes is unknown: */ while (prefixp > prefix_len) *--prefixp = 0; @ 1.13 log @upgrading package: gzip 1.3.11 -> 1.3.12 @ text @d4 3 a6 3 --- gzip.c.orig 2007-03-20 06:09:51 +0100 +++ gzip.c 2007-06-05 21:47:35 +0200 @@@@ -170,7 +170,7 @@@@ d25 2 a26 2 --- gzip.h.orig 2007-03-20 06:09:51 +0100 +++ gzip.h 2007-06-05 21:47:35 +0200 d37 3 a39 3 --- unlzh.c.orig 2006-11-20 09:40:34 +0100 +++ unlzh.c 2007-06-05 21:47:35 +0200 @@@@ -145,12 +145,17 @@@@ d59 1 a59 1 @@@@ -165,15 +170,15 @@@@ d78 1 a78 1 @@@@ -216,7 +221,7 @@@@ d87 1 a87 1 @@@@ -228,7 +233,7 @@@@ d96 1 a96 1 @@@@ -248,7 +253,7 @@@@ d105 1 a105 1 @@@@ -256,14 +261,14 
@@@@ d122 1 a122 1 @@@@ -292,7 +297,7 @@@@ d131 1 a131 1 @@@@ -309,7 +314,7 @@@@ d140 1 a140 1 @@@@ -356,7 +361,7 @@@@ d149 1 a149 1 @@@@ -366,14 +371,14 @@@@ d167 3 a169 3 --- unpack.c.orig 2006-11-20 09:40:34 +0100 +++ unpack.c 2007-06-05 21:47:35 +0200 @@@@ -26,7 +26,6 @@@@ d177 1 a177 1 @@@@ -150,7 +149,7 @@@@ d186 1 a186 1 @@@@ -186,7 +185,7 @@@@ @ 1.12 log @adjust patch to fit exactly gzip 1.3.11 @ text @d4 3 a6 3 --- gzip.c.orig 2007-02-05 21:54:26 +0100 +++ gzip.c 2007-02-06 17:23:02 +0100 @@@@ -177,7 +177,7 @@@@ d25 3 a27 3 --- gzip.h.orig 2006-12-11 19:54:39 +0100 +++ gzip.h 2007-02-06 17:23:02 +0100 @@@@ -220,6 +220,8 @@@@ d38 1 a38 1 +++ unlzh.c 2007-02-06 17:23:02 +0100 d168 1 a168 1 +++ unpack.c 2007-02-06 17:23:02 +0100 @ 1.11 log @adjust the patch for 1.3.10 @ text @d4 2 a5 2 --- gzip.c.orig 2006-12-27 09:00:43 +0100 +++ gzip.c 2007-01-01 18:48:10 +0100 d26 1 a26 1 +++ gzip.h 2007-01-01 18:48:10 +0100 d38 1 a38 1 +++ unlzh.c 2007-01-01 18:48:10 +0100 d168 1 a168 1 +++ unpack.c 2007-01-01 18:48:10 +0100 @ 1.10 log @upgrading package: gzip 1.3.7 -> 1.3.8 @ text @d4 3 a6 3 --- gzip.c.orig 2006-12-09 02:19:52 +0100 +++ gzip.c 2006-12-10 09:35:19 +0100 @@@@ -172,7 +172,7 @@@@ d25 3 a27 3 --- gzip.h.orig 2006-12-09 02:19:52 +0100 +++ gzip.h 2006-12-10 09:35:19 +0100 @@@@ -228,6 +228,8 @@@@ d38 1 a38 1 +++ unlzh.c 2006-12-10 09:35:19 +0100 d168 1 a168 1 +++ unpack.c 2006-12-10 09:35:19 +0100 @ 1.9 log @ops, add back comments @ text @d4 3 a6 3 --- gzip.c.orig 2006-12-07 07:58:13 +0100 +++ gzip.c 2006-12-07 16:47:45 +0100 @@@@ -176,7 +176,7 @@@@ d25 3 a27 3 --- gzip.h.orig 2006-11-20 09:40:33 +0100 +++ gzip.h 2006-12-07 16:47:45 +0100 @@@@ -220,6 +220,8 @@@@ d38 1 a38 1 +++ unlzh.c 2006-12-07 16:47:45 +0100 d168 1 a168 1 +++ unpack.c 2006-12-07 16:47:45 +0100 @ 1.8 log @modifying package: gzip-1.3.7 20061207 again @ text @d1 2 d5 1 a5 1 +++ gzip.c 2006-12-07 16:43:35 +0100 d15 9 d26 1 a26 1 +++ gzip.h 2006-12-07 16:43:35 +0100 d38 1 a38 1 +++ unlzh.c 
2006-12-07 16:43:35 +0100 d168 1 a168 1 +++ unpack.c 2006-12-07 16:43:35 +0100 @ 1.7 log @fix offset in patch to avoid fuzz matching @ text @a0 2 Security Fix d2 3 a4 3 --- gzip.c.orig 2006-11-20 09:40:33 +0100 +++ gzip.c 2006-12-06 12:02:25 +0100 @@@@ -167,7 +167,7 @@@@ a12 9 ----------------------------------------------------------------------------- Security Fixes - OOB write (CVE-2006-4335) - Buffer underflow (CVE-2006-4336) - Buffer overflow (CVE-2006-4337) - Infinite loop (CVE-2006-4338) d15 1 a15 1 +++ gzip.h 2006-11-23 17:49:52 +0100 d27 1 a27 1 +++ unlzh.c 2006-11-23 18:02:12 +0100 d157 1 a157 1 +++ unpack.c 2006-11-23 17:49:52 +0100 @ 1.6 log @upgrading package: gzip 1.3.5 -> 1.3.6 @ text @d4 3 a6 3 --- gzip.c.orig 2005-06-11 10:02:57 +0200 +++ gzip.c 2005-06-11 10:03:02 +0200 @@@@ -205,7 +236,7 @@@@ @ 1.5 log @Security Fixes (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338) @ text @a0 16 --- znew.in.orig Fri Sep 27 08:17:09 2002 +++ znew.in Tue Jun 10 16:30:29 2003 @@@@ -16,8 +16,8 @@@@ warn="(does not preserve modes and timestamp)" tmp=/tmp/zfoo.$$ set -C -echo hi > $tmp.1 -echo hi > $tmp.2 +echo hi > $tmp.1 || exit 1 +echo hi > $tmp.2 || exit 1 if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then cpmod=${CPMOD-cpmod} warn="" ----------------------------------------------------------------------------- a17 25 Security Fix Index: gzip.c --- gzip.c.orig 2002-09-28 09:38:43.000000000 +0200 +++ gzip.c 2005-07-24 18:20:41.621179000 +0200 @@@@ -1225,6 +1225,7 @@@@ char magic[2]; /* magic header */ int imagic1; /* like magic[1], but can represent EOF */ ulg stamp; /* time stamp */ + char *base2; /* If --force and --stdout, zcat == cat, so do not complain about * premature end of file: use try_byte instead of get_byte. 
@@@@ -1324,6 +1325,8 @@@@ error("corrupted input -- file name too large"); } } + base2 = base_name (base); + strcpy(base, base2); /* If necessary, adapt the name to local OS conventions: */ if (!list) { MAKE_LEGAL_NAME(base); ----------------------------------------------------------------------------- a18 1 - NULL dereference (CVE-2006-4334) d25 3 a27 3 --- gzip.h.orig 2001-10-01 08:53:41 +0200 +++ gzip.h 2006-09-20 12:53:27 +0200 @@@@ -198,6 +198,8 @@@@ a35 12 Index: inflate.c --- inflate.c.orig 2002-09-25 23:20:13 +0200 +++ inflate.c 2006-09-20 12:50:53 +0200 @@@@ -337,7 +337,7 @@@@ { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } d37 3 a39 3 --- unlzh.c.orig 1999-10-06 07:00:00 +0200 +++ unlzh.c 2006-09-20 12:56:33 +0200 @@@@ -149,12 +149,17 @@@@ d56 1 a56 1 error("Bad table\n"); d59 1 a59 1 @@@@ -169,15 +174,15 @@@@ d76 3 a78 3 for (i = start[len]; i < nextcode; i++) table[i] = ch; } else { @@@@ -218,7 +223,7 @@@@ d167 3 a169 3 --- unpack.c.orig 1999-10-06 07:00:00 +0200 +++ unpack.c 2006-09-20 12:50:53 +0200 @@@@ -13,7 +13,6 @@@@ d177 1 a177 1 @@@@ -133,7 +132,7 @@@@ d186 1 a186 1 @@@@ -169,7 +168,7 @@@@ @ 1.4 log @Changed security fix for OpenPKG-SA-2005.009-gzip.html. The previous version caused gzip to always put the results in the current directory. 
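Review bot: `strcpy(base, base2)` in the gzip.c hunk that strips the stored file name copies between overlapping regions, which is undefined behaviour: `base2` comes from `base_name (base)`, which presumably returns a pointer into `base` itself. Use `memmove(base, base2, strlen(base2) + 1);` instead, and skip the copy when `base2 == base`. The same overlap affects `strncpy(ofname, baseout, sizeof(ofname))` in the older OpenPKG-SA-2005.009 hunks further down this file. The enclosing function starts and ends outside the hunk.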
@ text @d14 5 d31 5 d56 193 @ 1.4.2.1 log @MFC: Security Fixes (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338) @ text @a13 5 ----------------------------------------------------------------------------- Security Fix a25 5 ----------------------------------------------------------------------------- Security Fix a45 193 ----------------------------------------------------------------------------- Security Fixes - NULL dereference (CVE-2006-4334) - OOB write (CVE-2006-4335) - Buffer underflow (CVE-2006-4336) - Buffer overflow (CVE-2006-4337) - Infinite loop (CVE-2006-4338) Index: gzip.h --- gzip.h.orig 2001-10-01 08:53:41 +0200 +++ gzip.h 2006-09-20 12:53:27 +0200 @@@@ -198,6 +198,8 @@@@ extern int to_stdout; /* output to stdout (-c) */ extern int save_orig_name; /* set if original name must be saved */ +#define MIN(a,b) ((a) <= (b) ? (a) : (b)) + #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0)) #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1)) Index: inflate.c --- inflate.c.orig 2002-09-25 23:20:13 +0200 +++ inflate.c 2006-09-20 12:50:53 +0200 @@@@ -337,7 +337,7 @@@@ { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } Index: unlzh.c --- unlzh.c.orig 1999-10-06 07:00:00 +0200 +++ unlzh.c 2006-09-20 12:56:33 +0200 @@@@ -149,12 +149,17 @@@@ unsigned i, k, len, ch, jutbits, avail, nextcode, mask; for (i = 1; i <= 16; i++) count[i] = 0; - for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++; + for (i = 0; i < (unsigned)nchar; i++) { + if (bitlen[i] > 16) + error("Bad table\n"); + else + count[bitlen[i]]++; + } start[1] = 0; for (i = 1; i <= 16; i++) start[i + 1] = start[i] + (count[i] << (16 - i)); - if ((start[17] & 0xffff) != 0) + if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */ error("Bad table\n"); jutbits = 16 - tablebits; @@@@ -169,15 +174,15 @@@@ i = start[tablebits + 1] >> jutbits; if (i != 0) { - k = 1 << tablebits; - while (i != k) table[i++] = 0; + k = 
MIN(1 << tablebits, DIST_BUFSIZE); + while (i < k) table[i++] = 0; } avail = nchar; mask = (unsigned) 1 << (15 - tablebits); for (ch = 0; ch < (unsigned)nchar; ch++) { if ((len = bitlen[ch]) == 0) continue; - nextcode = start[len] + weight[len]; + nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE); if (len <= (unsigned)tablebits) { for (i = start[len]; i < nextcode; i++) table[i] = ch; } else { @@@@ -218,7 +223,7 @@@@ for (i = 0; i < 256; i++) pt_table[i] = c; } else { i = 0; - while (i < n) { + while (i < MIN(n,NPT)) { c = bitbuf >> (BITBUFSIZ - 3); if (c == 7) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); @@@@ -228,7 +233,7 @@@@ pt_len[i++] = c; if (i == i_special) { c = getbits(2); - while (--c >= 0) pt_len[i++] = 0; + while (--c >= 0 && i < NPT) pt_len[i++] = 0; } } while (i < nn) pt_len[i++] = 0; @@@@ -248,7 +253,7 @@@@ for (i = 0; i < 4096; i++) c_table[i] = c; } else { i = 0; - while (i < n) { + while (i < MIN(n,NC)) { c = pt_table[bitbuf >> (BITBUFSIZ - 8)]; if (c >= NT) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8); @@@@ -256,14 +261,14 @@@@ if (bitbuf & mask) c = right[c]; else c = left [c]; mask >>= 1; - } while (c >= NT); + } while (c >= NT && (mask || c != left[c])); } fillbuf((int) pt_len[c]); if (c <= 2) { if (c == 0) c = 1; else if (c == 1) c = getbits(4) + 3; else c = getbits(CBIT) + 20; - while (--c >= 0) c_len[i++] = 0; + while (--c >= 0 && i < NC) c_len[i++] = 0; } else c_len[i++] = c - 2; } while (i < NC) c_len[i++] = 0; @@@@ -292,7 +297,7 @@@@ if (bitbuf & mask) j = right[j]; else j = left [j]; mask >>= 1; - } while (j >= NC); + } while (j >= NC && (mask || j != left[j])); } fillbuf((int) c_len[j]); return j; @@@@ -309,7 +314,7 @@@@ if (bitbuf & mask) j = right[j]; else j = left [j]; mask >>= 1; - } while (j >= NP); + } while (j >= NP && (mask || j != left[j])); } fillbuf((int) pt_len[j]); if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); @@@@ -356,7 +361,7 @@@@ while (--j >= 0) { buffer[r] = buffer[i]; i = (i + 1) & 
(DICSIZ - 1); - if (++r == count) return r; + if (++r >= count) return r; } for ( ; ; ) { c = decode_c(); @@@@ -366,14 +371,14 @@@@ } if (c <= UCHAR_MAX) { buffer[r] = c; - if (++r == count) return r; + if (++r >= count) return r; } else { j = c - (UCHAR_MAX + 1 - THRESHOLD); i = (r - decode_p() - 1) & (DICSIZ - 1); while (--j >= 0) { buffer[r] = buffer[i]; i = (i + 1) & (DICSIZ - 1); - if (++r == count) return r; + if (++r >= count) return r; } } } Index: unpack.c --- unpack.c.orig 1999-10-06 07:00:00 +0200 +++ unpack.c 2006-09-20 12:50:53 +0200 @@@@ -13,7 +13,6 @@@@ #include "gzip.h" #include "crypt.h" -#define MIN(a,b) ((a) <= (b) ? (a) : (b)) /* The arguments must not have side effects. */ #define MAX_BITLEN 25 @@@@ -133,7 +132,7 @@@@ /* Remember where the literals of this length start in literal[] : */ lit_base[len] = base; /* And read the literals: */ - for (n = leaves[len]; n > 0; n--) { + for (n = leaves[len]; n > 0 && base < LITERALS; n--) { literal[base++] = (uch)get_byte(); } } @@@@ -169,7 +168,7 @@@@ prefixp = &prefix_len[1< prefix_len) *--prefixp = (uch)len; } /* The length of all other codes is unknown: */ while (prefixp > prefix_len) *--prefixp = 0; @ 1.4.4.1 log @MFC: Security Fixes (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338) @ text @a13 5 ----------------------------------------------------------------------------- Security Fix a25 5 ----------------------------------------------------------------------------- Security Fix a45 193 ----------------------------------------------------------------------------- Security Fixes - NULL dereference (CVE-2006-4334) - OOB write (CVE-2006-4335) - Buffer underflow (CVE-2006-4336) - Buffer overflow (CVE-2006-4337) - Infinite loop (CVE-2006-4338) Index: gzip.h --- gzip.h.orig 2001-10-01 08:53:41 +0200 +++ gzip.h 2006-09-20 12:53:27 +0200 @@@@ -198,6 +198,8 @@@@ extern int to_stdout; /* output to stdout (-c) */ extern int save_orig_name; /* set if original name must be saved */ 
+#define MIN(a,b) ((a) <= (b) ? (a) : (b)) + #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0)) #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1)) Index: inflate.c --- inflate.c.orig 2002-09-25 23:20:13 +0200 +++ inflate.c 2006-09-20 12:50:53 +0200 @@@@ -337,7 +337,7 @@@@ { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } Index: unlzh.c --- unlzh.c.orig 1999-10-06 07:00:00 +0200 +++ unlzh.c 2006-09-20 12:56:33 +0200 @@@@ -149,12 +149,17 @@@@ unsigned i, k, len, ch, jutbits, avail, nextcode, mask; for (i = 1; i <= 16; i++) count[i] = 0; - for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++; + for (i = 0; i < (unsigned)nchar; i++) { + if (bitlen[i] > 16) + error("Bad table\n"); + else + count[bitlen[i]]++; + } start[1] = 0; for (i = 1; i <= 16; i++) start[i + 1] = start[i] + (count[i] << (16 - i)); - if ((start[17] & 0xffff) != 0) + if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */ error("Bad table\n"); jutbits = 16 - tablebits; @@@@ -169,15 +174,15 @@@@ i = start[tablebits + 1] >> jutbits; if (i != 0) { - k = 1 << tablebits; - while (i != k) table[i++] = 0; + k = MIN(1 << tablebits, DIST_BUFSIZE); + while (i < k) table[i++] = 0; } avail = nchar; mask = (unsigned) 1 << (15 - tablebits); for (ch = 0; ch < (unsigned)nchar; ch++) { if ((len = bitlen[ch]) == 0) continue; - nextcode = start[len] + weight[len]; + nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE); if (len <= (unsigned)tablebits) { for (i = start[len]; i < nextcode; i++) table[i] = ch; } else { @@@@ -218,7 +223,7 @@@@ for (i = 0; i < 256; i++) pt_table[i] = c; } else { i = 0; - while (i < n) { + while (i < MIN(n,NPT)) { c = bitbuf >> (BITBUFSIZ - 3); if (c == 7) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); @@@@ -228,7 +233,7 @@@@ pt_len[i++] = c; if (i == i_special) { c = getbits(2); - while (--c >= 0) pt_len[i++] = 0; + while (--c >= 0 && i < NPT) pt_len[i++] = 0; } } while (i < nn) pt_len[i++] = 0; @@@@ -248,7 +253,7 @@@@ 
for (i = 0; i < 4096; i++) c_table[i] = c; } else { i = 0; - while (i < n) { + while (i < MIN(n,NC)) { c = pt_table[bitbuf >> (BITBUFSIZ - 8)]; if (c >= NT) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8); @@@@ -256,14 +261,14 @@@@ if (bitbuf & mask) c = right[c]; else c = left [c]; mask >>= 1; - } while (c >= NT); + } while (c >= NT && (mask || c != left[c])); } fillbuf((int) pt_len[c]); if (c <= 2) { if (c == 0) c = 1; else if (c == 1) c = getbits(4) + 3; else c = getbits(CBIT) + 20; - while (--c >= 0) c_len[i++] = 0; + while (--c >= 0 && i < NC) c_len[i++] = 0; } else c_len[i++] = c - 2; } while (i < NC) c_len[i++] = 0; @@@@ -292,7 +297,7 @@@@ if (bitbuf & mask) j = right[j]; else j = left [j]; mask >>= 1; - } while (j >= NC); + } while (j >= NC && (mask || j != left[j])); } fillbuf((int) c_len[j]); return j; @@@@ -309,7 +314,7 @@@@ if (bitbuf & mask) j = right[j]; else j = left [j]; mask >>= 1; - } while (j >= NP); + } while (j >= NP && (mask || j != left[j])); } fillbuf((int) pt_len[j]); if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); @@@@ -356,7 +361,7 @@@@ while (--j >= 0) { buffer[r] = buffer[i]; i = (i + 1) & (DICSIZ - 1); - if (++r == count) return r; + if (++r >= count) return r; } for ( ; ; ) { c = decode_c(); @@@@ -366,14 +371,14 @@@@ } if (c <= UCHAR_MAX) { buffer[r] = c; - if (++r == count) return r; + if (++r >= count) return r; } else { j = c - (UCHAR_MAX + 1 - THRESHOLD); i = (r - decode_p() - 1) & (DICSIZ - 1); while (--j >= 0) { buffer[r] = buffer[i]; i = (i + 1) & (DICSIZ - 1); - if (++r == count) return r; + if (++r >= count) return r; } } } Index: unpack.c --- unpack.c.orig 1999-10-06 07:00:00 +0200 +++ unpack.c 2006-09-20 12:50:53 +0200 @@@@ -13,7 +13,6 @@@@ #include "gzip.h" #include "crypt.h" -#define MIN(a,b) ((a) <= (b) ? (a) : (b)) /* The arguments must not have side effects. 
*/ #define MAX_BITLEN 25 @@@@ -133,7 +132,7 @@@@ /* Remember where the literals of this length start in literal[] : */ lit_base[len] = base; /* And read the literals: */ - for (n = leaves[len]; n > 0; n--) { + for (n = leaves[len]; n > 0 && base < LITERALS; n--) { literal[base++] = (uch)get_byte(); } } @@@@ -169,7 +168,7 @@@@ prefixp = &prefix_len[1< prefix_len) *--prefixp = (uch)len; } /* The length of all other codes is unknown: */ while (prefixp > prefix_len) *--prefixp = 0; @ 1.4.4.2 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d1 16 d20 3 a22 3 --- gzip.c.orig 2006-12-09 02:19:52 +0100 +++ gzip.c 2006-12-10 09:35:19 +0100 @@@@ -172,7 +172,7 @@@@ d34 25 d60 1 d67 3 a69 3 --- gzip.h.orig 2006-12-09 02:19:52 +0100 +++ gzip.h 2006-12-10 09:35:19 +0100 @@@@ -228,6 +228,8 @@@@ d78 12 d91 3 a93 3 --- unlzh.c.orig 2006-11-20 09:40:34 +0100 +++ unlzh.c 2006-12-10 09:35:19 +0100 @@@@ -145,12 +145,17 @@@@ d110 1 a110 1 gzip_error ("Bad table\n"); d113 1 a113 1 @@@@ -165,15 +170,15 @@@@ d130 3 a132 3 if ((unsigned) 1 << tablebits < nextcode) gzip_error ("Bad table\n"); @@@@ -216,7 +221,7 @@@@ d221 3 a223 3 --- unpack.c.orig 2006-11-20 09:40:34 +0100 +++ unpack.c 2006-12-10 09:35:19 +0100 @@@@ -26,7 +26,6 @@@@ d231 1 a231 1 @@@@ -150,7 +149,7 @@@@ d240 1 a240 1 @@@@ -186,7 +185,7 @@@@ @ 1.4.4.3 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d4 3 a6 3 --- gzip.c.orig 2006-12-27 09:00:43 +0100 +++ gzip.c 2007-01-01 18:48:10 +0100 @@@@ -177,7 +177,7 @@@@ d25 3 a27 3 --- gzip.h.orig 2006-12-11 19:54:39 +0100 +++ gzip.h 2007-01-01 18:48:10 +0100 @@@@ -220,6 +220,8 @@@@ d38 1 a38 1 +++ unlzh.c 2007-01-01 18:48:10 +0100 d168 1 a168 1 +++ unpack.c 2007-01-01 18:48:10 +0100 @ 1.4.4.4 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d4 2 a5 2 --- gzip.c.orig 2007-02-05 21:54:26 +0100 +++ gzip.c 2007-02-06 17:23:02 +0100 d26 1 a26 1 +++ gzip.h 2007-02-06 17:23:02 +0100 d38 1 a38 1 +++ unlzh.c 
2007-02-06 17:23:02 +0100 d168 1 a168 1 +++ unpack.c 2007-02-06 17:23:02 +0100 @ 1.3 log @apply security fix (OpenPKG-SA-2005.009) @ text @d26 8 a33 5 @@@@ -915,6 +946,7 @@@@ { struct stat ostat; /* stat for ofname */ int flags = O_WRONLY | O_CREAT | O_EXCL | O_BINARY; + char *baseout; d35 11 a45 12 if (ascii && decompress) { flags &= ~O_BINARY; /* force ascii text mode */ @@@@ -927,6 +959,9 @@@@ } /* Create the output file */ remove_ofname = 1; + baseout = base_name(ofname); + strncpy(ofname, baseout, sizeof(ofname)); + ofname[sizeof(ofname) - 1] = '\0'; ofd = OPEN(ofname, flags, RW_USER); if (ofd == -1) { progerror(ofname); @ 1.3.2.1 log @MFC: Changed security fix for OpenPKG-SA-2005.009-gzip.html. The previous version caused gzip to always put the results in the current directory. @ text @d26 5 a30 8 Index: gzip.c --- gzip.c.orig 2002-09-28 09:38:43.000000000 +0200 +++ gzip.c 2005-07-24 18:20:41.621179000 +0200 @@@@ -1225,6 +1225,7 @@@@ char magic[2]; /* magic header */ int imagic1; /* like magic[1], but can represent EOF */ ulg stamp; /* time stamp */ + char *base2; d32 12 a43 11 /* If --force and --stdout, zcat == cat, so do not complain about * premature end of file: use try_byte instead of get_byte. 
@@@@ -1324,6 +1325,8 @@@@ error("corrupted input -- file name too large"); } } + base2 = base_name (base); + strcpy(base, base2); /* If necessary, adapt the name to local OS conventions: */ if (!list) { MAKE_LEGAL_NAME(base); @ 1.2 log @include bugfix patch from RedHat @ text @d14 4 a17 3 --- gzip.c.orig Thu Jan 30 21:19:36 2003 +++ gzip.c Thu Jan 30 21:09:52 2003 @@@@ -198,7 +198,7 @@@@ d26 18 @ 1.2.8.1 log @correct for OpenPKG-SA-2005.009-gzip (CAN-2005-1228) @ text @a24 17 OpenPKG-SA-2005.009 and CAN-2005-1228, Patch taken from Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi/gzip.dirtraversal.patch?bug=305255&msg=3&att=2 --- gzip.c.orig 2002-09-28 09:38:43 +0200 +++ gzip.c 2005-06-09 13:42:12 +0200 @@@@ -927,6 +927,10 @@@@ } /* Create the output file */ remove_ofname = 1; + char *baseout; + baseout = base_name(ofname); + strncpy(ofname, baseout, sizeof(ofname)); + ofname[sizeof(ofname) - 1] = '\0'; ofd = OPEN(ofname, flags, RW_USER); if (ofd == -1) { progerror(ofname); @ 1.2.6.1 log @correct for OpenPKG-SA-2005.009-gzip (CAN-2005-1228) @ text @a24 17 OpenPKG-SA-2005.009 and CAN-2005-1228, Patch taken from Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi/gzip.dirtraversal.patch?bug=305255&msg=3&att=2 --- gzip.c.orig 2002-09-28 09:38:43 +0200 +++ gzip.c 2005-06-09 13:42:12 +0200 @@@@ -927,6 +927,10 @@@@ } /* Create the output file */ remove_ofname = 1; + char *baseout; + baseout = base_name(ofname); + strncpy(ofname, baseout, sizeof(ofname)); + ofname[sizeof(ofname) - 1] = '\0'; ofd = OPEN(ofname, flags, RW_USER); if (ofd == -1) { progerror(ofname); @ 1.1 log @- include security bugfix for znew(1) - simplify packaging by using (now existing) DESTDIR support - redirect to use (internal -- to avoid extra dep) Bash because the scripts heavily use the "set -C" (noclobber) feature @ text @d14 11 @ 1.1.6.1 log @apply security bugfix @ text @@ 1.1.4.1 log @apply security bugfix @ text @@ 1.1.2.1 log @apply security bugfix @ text @@