File gnome-autoar-CVE-2020-36241.patch of Package gnome-autoar.18407

Overview Repositories Revisions Requests Users Attributes Meta

File gnome-autoar-CVE-2020-36241.patch of Package gnome-autoar.18407

diff --unified --recursive --text gnome-autoar-0.2.3.old/gnome-autoar/autoar-extractor.c gnome-autoar-0.2.3.new/gnome-autoar/autoar-extractor.c
--- gnome-autoar-0.2.3.old/gnome-autoar/autoar-extractor.c	2021-02-22 14:38:35.656655413 +0800
+++ gnome-autoar-0.2.3.new/gnome-autoar/autoar-extractor.c	2021-02-22 14:47:44.487781173 +0800
@@ -843,32 +843,73 @@
   return prefix;
 }
 
+static gboolean
+is_valid_filename (GFile *file, GFile *destination)
+{
+  g_autoptr (GFile) parent = NULL;
+  g_autoptr (GFileInfo) info = NULL;
+
+  if (g_file_equal (file, destination))
+    return TRUE;
+
+  if (!g_file_has_prefix (file, destination))
+    return FALSE;
+
+  /* Resolve symbolic link ancestors to confirm file is actually inside destination. */
+  parent = g_file_get_parent (file);
+  info = g_file_query_info (parent,
+                            G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK ","
+                            G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET,
+                            G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
+                            NULL,
+                            NULL);
+  if (info == NULL)
+    return FALSE;
+
+  if (g_file_info_get_is_symlink (info)) {
+    g_autoptr (GFile) cwd = NULL;
+    const gchar *target;
+
+    target = g_file_info_get_symlink_target (info);
+    if (g_path_is_absolute (target))
+      return FALSE;
+
+    cwd = g_file_get_parent (parent);
+    g_object_unref (parent);
+    parent = g_file_resolve_relative_path (cwd, target);
+  }
+
+  /* Climb up the path to resolve every symbolic link ancestor found */
+  return is_valid_filename (parent, destination);
+}
+
 static GFile*
 autoar_extractor_do_sanitize_pathname (AutoarExtractor *self,
                                        const char      *pathname_bytes)
 {
   GFile *extracted_filename;
   gboolean valid_filename;
-  g_autofree char *sanitized_pathname;
+  g_autofree char *sanitized_pathname = NULL;
   g_autofree char *utf8_pathname;
 
   utf8_pathname = autoar_common_get_utf8_pathname (pathname_bytes);
   extracted_filename = g_file_get_child (self->destination_dir,
                                          utf8_pathname ?  utf8_pathname : pathname_bytes);
 
-  valid_filename =
-    g_file_equal (extracted_filename, self->destination_dir) ||
-    g_file_has_prefix (extracted_filename, self->destination_dir);
-
+  valid_filename = is_valid_filename (extracted_filename, self->destination_dir);
   if (!valid_filename) {
-    g_autofree char *basename;
-
-    basename = g_file_get_basename (extracted_filename);
+    /**
+     * g_file_peek_path requires GLib 2.56 or higher, so use g_file_get_path
+     * with g_free here instead.
+     */
+    char *local_path = g_file_get_path (extracted_filename);
+    g_warning ("autoar_extractor_do_sanitize_pathname: %s is outside of the destination dir",
+                local_path);
+    g_free(local_path);
 
     g_object_unref (extracted_filename);
 
-    extracted_filename = g_file_get_child (self->destination_dir,
-                                           basename);
+    return NULL;
   }
 
   if (self->prefix != NULL && self->new_prefix != NULL) {
@@ -1830,10 +1871,18 @@
 
     extracted_filename =
       autoar_extractor_do_sanitize_pathname (self, pathname);
+    if (extracted_filename == NULL) {
+      archive_read_data_skip (a);
+      continue;
+    }
 
     if (hardlink != NULL) {
       hardlink_filename =
         autoar_extractor_do_sanitize_pathname (self, hardlink);
+        if (hardlink_filename == NULL) {
+          archive_read_data_skip (a);
+          continue;
+        }
     }
 
     /* Attempt to solve any name conflict before doing any operations */

Places

File gnome-autoar-CVE-2020-36241.patch of Package gnome-autoar.18407

Places