File amanda-3.3.6-CVE-2016-10729.patch of Package amanda.2358
From 2ba9a5fb84ba2faaeb95695a03bd7f26cbdfedb8 Mon Sep 17 00:00:00 2001
From: Jean-Louis Martineau <martineau@zmanda.com>
Date: Fri, 22 Jan 2016 19:17:45 +0000
Subject: [PATCH] * client-src/runtar.c: Filter tar arguments * installcheck/runtar.pl: Check runtar errorr * installcheck/Makefile.am: Add runtar.pl
git-svn-id: https://svn.code.sf.net/p/amanda/code/amanda/trunk@6479 a8d146d6-cc15-0410-8900-af154a0219e0
---
Note: only the first part of the upstream patch is applied
---
Index: amanda-3.3.6/client-src/runtar.c
===================================================================
--- amanda-3.3.6.orig/client-src/runtar.c
+++ amanda-3.3.6/client-src/runtar.c
@@ -51,6 +51,7 @@ main(
 char *dbf;
 char *cmdline;
 #endif
+ int good_option;
 if (argc > 1 && argv && argv[1] && g_str_equal(argv[1], "--version")) {
 printf("runtar-%s\n", VERSION);
@@ -141,12 +142,54 @@ main(
 argv++;
 cmdline = stralloc(GNUTAR);
+ good_option = 0;
 for (i = 1; argv[i]; i++) {
+ if (good_option <= 0) {
+ if (g_str_has_prefix(argv[i],"--rsh-command") ||
+ g_str_has_prefix(argv[i],"--to-command") ||
+ g_str_has_prefix(argv[i],"--info-script") ||
+ g_str_has_prefix(argv[i],"--new-volume-script") ||
+ g_str_has_prefix(argv[i],"--rmt-command") ||
+ g_str_has_prefix(argv[i],"--use-compress-program")) {
+ /* Filter potential malicious option */
+ good_option = 0;
+ } else if (g_str_has_prefix(argv[i],"--create") ||
+ g_str_has_prefix(argv[i],"--totals") ||
+ g_str_has_prefix(argv[i],"--dereference") ||
+ g_str_has_prefix(argv[i],"--no-recursion") ||
+ g_str_has_prefix(argv[i],"--one-file-system") ||
+ g_str_has_prefix(argv[i],"--incremental") ||
+ g_str_has_prefix(argv[i],"--atime-preserve") ||
+ g_str_has_prefix(argv[i],"--sparse") ||
+ g_str_has_prefix(argv[i],"--ignore-failed-read") ||
+ g_str_has_prefix(argv[i],"--numeric-owner")) {
+ /* Accept theses options */
+ good_option++;
+ } else if (g_str_has_prefix(argv[i],"--blocking-factor") ||
+ g_str_has_prefix(argv[i],"--file") ||
+ g_str_has_prefix(argv[i],"--directory") ||
+ g_str_has_prefix(argv[i],"--exclude") ||
+ g_str_has_prefix(argv[i],"--transform") ||
+ g_str_has_prefix(argv[i],"--listed-incremental") ||
+ g_str_has_prefix(argv[i],"--newer") ||
+ g_str_has_prefix(argv[i],"--exclude-from") ||
+ g_str_has_prefix(argv[i],"--files-from")) {
+ /* Accept theses options with the following argument */
+ good_option += 2;
+ } else if (argv[i][0] != '-') {
+ good_option++;
+ }
+ }
+ if (good_option <= 0) {
+ error("error [%s invalid option: %s]", get_pname(), argv[i]);
+ }
+
 char *quoted;
 quoted = quote_string(argv[i]);
 cmdline = vstrextend(&cmdline, " ", quoted, NULL);
 amfree(quoted);
+ good_option--;
 }
 dbprintf(_("running: %s\n"), cmdline);
 amfree(cmdline);
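Review bot: The third accept branch adds 2 for any argv entry that merely starts with an argument-taking option name, so `--file=x` (value attached with `=`) or GNU tar's no-argument `--exclude-vcs` / `--exclude-caches` leave `good_option` at 1 after the decrement and the next argument is appended to the command line without passing through the filter at all — `--exclude-vcs --use-compress-program=/tmp/x` survives the new check. The extra slot should only be consumed when the value really is a separate argv entry, e.g. `good_option += strchr(argv[i], '=') ? 1 : 2;`, and the accept lists should compare the option name exactly (or `name=`) instead of by prefix; a comment such as `/* exact match only: prefix matching lets look-alike options skip the check on the following argument */` would keep a later edit from reintroducing the hole. The two comments reading `Accept theses options` should say `these`. main() begins and ends outside this hunk, and the note assumes amanda's `error()` does not return, since the loop would otherwise carry on after a rejected option.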