#! /bin/sh -e
## 15_CAN-2005-0638.dpatch
##
## DP: Description: Fix shell metacharacters vulnerability with compressed
## DP: images (#298926).
## DP: Author: xli upstream via Gentoo
## DP: Upstream status: Not submitted
## DP: Date: 2005-03-10
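# dpatch driver: apply (-patch) or revert (-unpatch) the unified diff that
# follows the @DPATCH@ marker in this same file. The script feeds itself to
# patch(1) on stdin.
#
# Usage:   <this-script> -patch | -unpatch
# Returns: 0 on success, 1 on a bad argument; a failing patch(1) aborts the
#          script with a non-zero status because of errexit.

# Repeat the shebang's -e here so that a failed patch still aborts when the
# file is run as "sh <this-script>", where shebang options are ignored.
set -e

# Script name for diagnostics. Parameter expansion avoids an unquoted
# `basename $0`, which word-splits when the path contains spaces.
self=${0##*/}

# Print the usage error on stderr and stop with status 1.
usage() {
  printf '%s\n' "$self: script expects -patch|-unpatch as argument" >&2
  exit 1
}

[ $# -eq 1 ] || usage

case "$1" in
  -patch)
    # "$0" is quoted so that a path with spaces or glob characters is
    # opened as one file rather than split by the shell.
    patch -f --no-backup-if-mismatch -p1 < "$0"
    ;;
  -unpatch)
    patch -f --no-backup-if-mismatch -R -p1 < "$0"
    ;;
  *)
    usage
    ;;
esac
exit 0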
@DPATCH@
diff -urNad --exclude=CVS --exclude=.svn ./zio.c /tmp/dpep-work.7hAKRd/xloadimage-4.1/zio.c
--- ./zio.c 1993-10-28 17:10:02.000000000 +0000
+++ /tmp/dpep-work.7hAKRd/xloadimage-4.1/zio.c 2005-10-08 04:12:08.000000000 +0100
@@ -210,9 +210,30 @@
if ((strlen(name) > strlen(filter->extension)) &&
!strcmp(filter->extension,
name + (strlen(name) - strlen(filter->extension)))) {
- debug(("Filtering image through '%s'\n", filter->filter));
- zf->type= ZPIPE;
- sprintf(buf, "%s %s", filter->filter, name);
+ char *fname, *t, *s;
+
+ /* meta-char protection from xli.
+ *
+ * protect in single quotes, replacing single quotes
+ * with '"'"', so worst-case expansion is 5x
+ */
+
+ s = fname = (char *) lmalloc(1 + (5 * strlen(name)) + 1 + 1);
+ *s++ = '\'';
+ for (t = name; *t; ++t) {
+ if ('\'' == *t) {
+ /* 'foo'bar' -> 'foo'"'"'bar' */
+ strcpy(s, "'\"'\"'");
+ s += strlen(s);
+ } else {
+ *s++ = *t;
+ }
+ }
+ strcpy (s, "'");
+ debug(("Filtering image through '%s'\n", filter->filter));
+ zf->type= ZPIPE;
+ sprintf(buf, "%s %s", filter->filter, fname);
+ lfree (fname);
if (! (zf->stream= popen(buf, "r"))) {
lfree((byte *)zf->filename);
zf->filename= NULL;
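Review bot: The `sprintf(buf, "%s %s", filter->filter, fname)` call still writes into `buf` with no length check, and the quoting added here can make `fname` up to five times the length of `name` plus two quote characters, so a long or quote-heavy filename is now more likely to overrun it. `buf` is declared outside this hunk, so its size is not visible here; assuming it is a fixed-size array, use `snprintf(buf, sizeof(buf), "%s %s", filter->filter, fname)` and treat a return value `>= sizeof(buf)` as an open failure, because a truncated command would lose its closing quote. Separately, single-quoting does not stop a name that begins with `-` from being read as an option by the filter program; prefixing such names with `./` before quoting would cover that case. The enclosing function starts and ends outside the hunk.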