pidgin/pidgin

Fix a bug in the untar code that we use on Windows where we
release-2.x.y
2014-03-04, Mark Doliner
68b8eb10977f
Parents f38a5005e8a8
Children 6c4d5b524296
Fix a bug in the untar code that we use on Windows where we
weren't stripping the drive letter from the path of files in the
tar archive, which could allow a malicious tar file to overwrite
arbitrary files on the file system.

Thanks to Yves Younan of Sourcefire VRT for discovering this and
reporting it to us.
2 files changed, 18 insertions(+), 0 deletions(-)
  • +5 -0
    ChangeLog
  • +13 -0
    pidgin/win32/untar.c
    • --- a/ChangeLog Tue Mar 04 23:01:37 2014 -0800
    +++ b/ChangeLog Tue Mar 04 23:12:23 2014 -0800
    @@ -1,6 +1,11 @@
    Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
    version 2.10.10 (?/?/?):
    + Windows-Specific Changes:
    + * Don't allow overwriting arbitrary files on the file system when the
    + user installs a smiley theme from a tar file. (Discovered by Yves
    + Younan of Sourcefire VRT)
    +
    Finch:
    * Fix build against Python 3. (Ed Catmur) (#15969)
    --- a/pidgin/win32/untar.c Tue Mar 04 23:01:37 2014 -0800
    +++ b/pidgin/win32/untar.c Tue Mar 04 23:12:23 2014 -0800
    @@ -401,6 +401,19 @@
    sizeof (nbuf));
    }
    + /* Possibly strip the drive from the path */
    + if (!ABSPATH) {
    + /* If the path contains a colon, assume everything before the
    + * colon is intended to be a drive name and ignore it. This
    + * should be just a single drive letter, but it should be safe
    + * to drop it even if it's longer. */
    + const char *lastcolon = strrchr(nbuf, ':');
    + if (lastcolon) {
    + memmove(nbuf, lastcolon, strlen(lastcolon) + 1);
    + didabs = 1; /* Path was changed from absolute to relative */
    + }
    + }
    +
    /* Convert any backslashes to forward slashes, and guard
    * against doubled-up slashes. (Some DOS versions of "tar"
    * get this wrong.) Also strip off leading slashes.