head 1.5; access; symbols pkgsrc-2020Q3:1.4.0.88 pkgsrc-2020Q3-base:1.4 pkgsrc-2020Q2:1.4.0.84 pkgsrc-2020Q2-base:1.4 pkgsrc-2020Q1:1.4.0.64 pkgsrc-2020Q1-base:1.4 pkgsrc-2019Q4:1.4.0.86 pkgsrc-2019Q4-base:1.4 pkgsrc-2019Q3:1.4.0.82 pkgsrc-2019Q3-base:1.4 pkgsrc-2019Q2:1.4.0.80 pkgsrc-2019Q2-base:1.4 pkgsrc-2019Q1:1.4.0.78 pkgsrc-2019Q1-base:1.4 pkgsrc-2018Q4:1.4.0.76 pkgsrc-2018Q4-base:1.4 pkgsrc-2018Q3:1.4.0.74 pkgsrc-2018Q3-base:1.4 pkgsrc-2018Q2:1.4.0.72 pkgsrc-2018Q2-base:1.4 pkgsrc-2018Q1:1.4.0.70 pkgsrc-2018Q1-base:1.4 pkgsrc-2017Q4:1.4.0.68 pkgsrc-2017Q4-base:1.4 pkgsrc-2017Q3:1.4.0.66 pkgsrc-2017Q3-base:1.4 pkgsrc-2017Q2:1.4.0.62 pkgsrc-2017Q2-base:1.4 pkgsrc-2017Q1:1.4.0.60 pkgsrc-2017Q1-base:1.4 pkgsrc-2016Q4:1.4.0.58 pkgsrc-2016Q4-base:1.4 pkgsrc-2016Q3:1.4.0.56 pkgsrc-2016Q3-base:1.4 pkgsrc-2016Q2:1.4.0.54 pkgsrc-2016Q2-base:1.4 pkgsrc-2016Q1:1.4.0.52 pkgsrc-2016Q1-base:1.4 pkgsrc-2015Q4:1.4.0.50 pkgsrc-2015Q4-base:1.4 pkgsrc-2015Q3:1.4.0.48 pkgsrc-2015Q3-base:1.4 pkgsrc-2015Q2:1.4.0.46 pkgsrc-2015Q2-base:1.4 pkgsrc-2015Q1:1.4.0.44 pkgsrc-2015Q1-base:1.4 pkgsrc-2014Q4:1.4.0.42 pkgsrc-2014Q4-base:1.4 pkgsrc-2014Q3:1.4.0.40 pkgsrc-2014Q3-base:1.4 pkgsrc-2014Q2:1.4.0.38 pkgsrc-2014Q2-base:1.4 pkgsrc-2014Q1:1.4.0.36 pkgsrc-2014Q1-base:1.4 pkgsrc-2013Q4:1.4.0.34 pkgsrc-2013Q4-base:1.4 pkgsrc-2013Q3:1.4.0.32 pkgsrc-2013Q3-base:1.4 pkgsrc-2013Q2:1.4.0.30 pkgsrc-2013Q2-base:1.4 pkgsrc-2013Q1:1.4.0.28 pkgsrc-2013Q1-base:1.4 pkgsrc-2012Q4:1.4.0.26 pkgsrc-2012Q4-base:1.4 pkgsrc-2012Q3:1.4.0.24 pkgsrc-2012Q3-base:1.4 pkgsrc-2012Q2:1.4.0.22 pkgsrc-2012Q2-base:1.4 pkgsrc-2012Q1:1.4.0.20 pkgsrc-2012Q1-base:1.4 pkgsrc-2011Q4:1.4.0.18 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q3:1.4.0.16 pkgsrc-2011Q3-base:1.4 pkgsrc-2011Q2:1.4.0.14 pkgsrc-2011Q2-base:1.4 pkgsrc-2011Q1:1.4.0.12 pkgsrc-2011Q1-base:1.4 pkgsrc-2010Q4:1.4.0.10 pkgsrc-2010Q4-base:1.4 pkgsrc-2010Q3:1.4.0.8 pkgsrc-2010Q3-base:1.4 pkgsrc-2010Q2:1.4.0.6 pkgsrc-2010Q2-base:1.4 pkgsrc-2010Q1:1.4.0.4 
pkgsrc-2010Q1-base:1.4 pkgsrc-2009Q4:1.4.0.2 pkgsrc-2009Q4-base:1.4 pkgsrc-2009Q3:1.3.0.48 pkgsrc-2009Q3-base:1.3 pkgsrc-2009Q2:1.3.0.46 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.3.0.44 pkgsrc-2009Q1-base:1.3 pkgsrc-2008Q4:1.3.0.42 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.40 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.38 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.36 pkgsrc-2008Q2-base:1.3 cwrapper:1.3.0.34 pkgsrc-2008Q1:1.3.0.32 pkgsrc-2008Q1-base:1.3 pkgsrc-2007Q4:1.3.0.30 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.28 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.3.0.26 pkgsrc-2007Q2-base:1.3 pkgsrc-2007Q1:1.3.0.24 pkgsrc-2007Q1-base:1.3 pkgsrc-2006Q4:1.3.0.22 pkgsrc-2006Q4-base:1.3 pkgsrc-2006Q3:1.3.0.20 pkgsrc-2006Q3-base:1.3 pkgsrc-2006Q2:1.3.0.18 pkgsrc-2006Q2-base:1.3 pkgsrc-2006Q1:1.3.0.16 pkgsrc-2006Q1-base:1.3 pkgsrc-2005Q4:1.3.0.14 pkgsrc-2005Q4-base:1.3 pkgsrc-2005Q3:1.3.0.12 pkgsrc-2005Q3-base:1.3 pkgsrc-2005Q2:1.3.0.10 pkgsrc-2005Q2-base:1.3 pkgsrc-2005Q1:1.3.0.8 pkgsrc-2005Q1-base:1.3 pkgsrc-2004Q4:1.3.0.6 pkgsrc-2004Q4-base:1.3 pkgsrc-2004Q3:1.3.0.4 pkgsrc-2004Q3-base:1.3 pkgsrc-2004Q2:1.3.0.2 pkgsrc-2004Q2-base:1.3 pkgsrc-2004Q1:1.2.0.4 pkgsrc-2004Q1-base:1.2 pkgsrc-2003Q4:1.2.0.2 pkgsrc-2003Q4-base:1.2 buildlink2-base:1.2 netbsd-1-5-PATCH001:1.1 netbsd-1-5-RELEASE:1.1 netbsd-1-4-PATCH003:1.1 netbsd-1-4-PATCH002:1.1; locks; strict; comment @# @; 1.5 date 2020.12.19.15.03.14; author rhialto; state dead; branches; next 1.4; commitid 0GliTZr7Vo1SDmAC; 1.4 date 2010.01.09.19.10.46; author dholland; state Exp; branches; next 1.3; 1.3 date 2004.05.13.11.42.43; author taca; state Exp; branches; next 1.2; 1.2 date 2001.12.06.05.09.48; author jlam; state dead; branches; next 1.1; 1.1 date 99.11.30.01.54.16; author sakamoto; state Exp; branches; next ; desc @@ 1.5 log @archivers/lha: distfile unavailable, so switch to maintained version elsewhere. Documentation is mostly in Japanese (which I don't read) so no changelog is available. 
- Previous patches have ~all been integrated - Configuration with autotools - Is still maintained from time to time @ text @$NetBSD: patch-ad,v 1.4 2010/01/09 19:10:46 dholland Exp $ 1. security fix 2. utimes() fixes for netbsd-6 time_t upstream: (1) unknown (2) not reported, docs in .jp only, wakarimasen :( --- src/lhext.c.orig 2000-10-04 10:57:38.000000000 -0400 +++ src/lhext.c 2009-02-13 18:42:35.000000000 -0500 @@@@ -143,13 +143,15 @@@@ adjust_info(name, hdr) char *name; LzHeader *hdr; { - time_t utimebuf[2]; + struct timeval utimebuf[2]; /* adjust file stamp */ - utimebuf[0] = utimebuf[1] = hdr->unix_last_modified_stamp; + utimebuf[0].tv_sec = hdr->unix_last_modified_stamp; + utimebuf[0].tv_usec = 0; + utimebuf[1] = utimebuf[0]; if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) != UNIX_FILE_SYMLINK) - utime(name, utimebuf); + utimes(name, utimebuf); if (hdr->extend_type == EXTEND_UNIX || hdr->extend_type == EXTEND_OS68K @@@@ -190,8 +192,13 @@@@ extract_one(afp, hdr) q = (char *) rindex(hdr->name, '/') + 1; } else { + if (is_directory_traversal(q)) { + fprintf(stderr, "Possible directory traversal hack attempt in %s\n", q); + exit(111); + } + if (*q == '/') { - q++; + while (*q == '/') { q++; } /* * if OSK then strip device name */ @@@@ -419,6 +426,33 @@@@ cmd_extract() return; } +int +is_directory_traversal(char *string) +{ + unsigned int type = 0; /* 0 = new, 1 = only dots, 2 = other chars than dots */ + char *temp; + + temp = string; + + while (*temp != 0) { + if (temp[0] == '/') { + if (type == 1) { return 1; } + type = 0; + temp++; + continue; + } + + if ((temp[0] == '.') && (type < 2)) + type = 1; + if (temp[0] != '.') + type = 2; + + temp++; + } /* while */ + + return (type == 1); +} + /* Local Variables: */ /* mode:c */ /* tab-width:4 */ @ 1.4 log @64-bit time_t fixes for NetBSD-current. PKGREVISION++. 
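Review bot: `struct timeval` and `utimes()` are declared in `<sys/time.h>`, which this hunk does not add; if lhext.c does not already include it (not visible here) the patched file will fail on compilers that reject implicit declarations, so add `#include <sys/time.h>` alongside the file's other includes. The return value of `utimes()` is dropped exactly as `utime()`'s was, so a failed timestamp restore stays silent. adjust_info's body continues past the end of the hunk.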
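Review bot: `is_directory_traversal()` is called in this hunk but only defined after `cmd_extract()` near line 426, and the patch adds no prototype, so the call relies on an implicit declaration; add `int is_directory_traversal(char *string);` to the file's declarations (or the shared header) so compilers that error on implicit function declarations accept it. The check guards only the `else` branch; the branch above keeps just the text after the last '/' via rindex(), which looks like it cannot carry a directory component, but that is inferred since extract_one's start lies outside the hunk. Because the helper treats any all-dot component as traversal, a benign `./` prefix in an archive name also aborts the whole extraction with exit(111) instead of skipping that entry, which deserves a comment on the check, e.g. `/* refuse any name with a dots-only component (".", "..", ...): abort rather than risk writing outside the extraction dir */`.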
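Review bot: The new function's contract is documented only by the trailing comment on `type`, and its result is broader than the name suggests: it returns 1 when any '/'-separated component consists solely of dots, so `.`, `..` and `...` are all rejected, while an empty string returns 0. A header comment would make that explicit, e.g. `/* Return 1 if any path component of string is made only of dots (".", ".."), 0 otherwise; used to refuse archive entries that could escape the extraction directory. */`. The parameter is never written through, so `const char *string` would state that, and the 0/1/2 values of `type` read better as a small enum. Only '/' is treated as a separator, which matches the Unix targets this port builds for but is worth stating in the comment.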
ok agc @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.3 2004/05/13 11:42:43 taca Exp $ @ 1.3 log @Fix security problem of lha package applying patches by David Ahmad < da at securityfocus dot com > on bugtraq mailing list. Bump pacakge revision to nb2. @ text @d1 1 a1 1 $NetBSD$ d3 27 a29 3 --- src/lhext.c.orig 2000-10-04 23:57:38.000000000 +0900 +++ src/lhext.c @@@@ -190,8 +190,13 @@@@ extract_one(afp, hdr) d44 1 a44 1 @@@@ -419,6 +424,33 @@@@ cmd_extract() @ 1.2 log @Update lha to 114.9 (114i). Package update provided by Masao Uebayashi in pkg/14824. Relevant changes from version 114f include: * dewey-ized package version number * fixed header Level 2 handling bug * fixed level 2 file append bug. * fixed symbolic link file append bug. * lh7 archive support. * fixed lh7 archive bug. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.1 1999/11/30 01:54:16 sakamoto Exp $ d3 51 a53 9 --- ./src/lhext.c.orig Sun Aug 29 01:36:16 1999 +++ ./src/lhext.c Tue Nov 30 10:31:41 1999 @@@@ -163,5 +163,5 @@@@ if (!getuid()) { #ifndef HAVE_NO_LCHOWN - if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) != UNIX_FILE_SYMLINK) + if ((hdr->unix_mode & UNIX_FILE_TYPEMASK) == UNIX_FILE_SYMLINK) lchown(name, hdr->unix_uid, hdr->unix_gid); else @ 1.1 log @Update lha to 114f. Change MASTER_SITES. Changes 114c to 114f: some bugfix. support -lh6-. @ text @d1 1 a1 1 $NetBSD$ @