/pidgin/main: 68b8eb10977f: Fix a bug in the untar code that we ...
Mark Doliner
mark at kingant.net
Wed Oct 22 10:20:23 EDT 2014
Changeset: 68b8eb10977fffba08975bd023a226b8e0911a8b
Author: Mark Doliner <mark at kingant.net>
Date: 2014-03-04 23:12 -0800
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/68b8eb10977f
Description:
Fix a bug in the untar code that we use on Windows where we
weren't stripping the drive letter from the path of files in the
tar archive, which could allow a malicious tar file to overwrite
arbitrary files on the file system.
Thanks to Yves Younan of Sourcefire VRT for discovering this and
reporting it to us.
diffstat:
ChangeLog | 5 +++++
pidgin/win32/untar.c | 13 +++++++++++++
2 files changed, 18 insertions(+), 0 deletions(-)
diffs (38 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,11 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
version 2.10.10 (?/?/?):
+ Windows-Specific Changes:
+ * Don't allow overwriting arbitrary files on the file system when the
+ user installs a smiley theme from a tar file. (Discovered by Yves
+ Younan of Sourcefire VRT)
+
Finch:
* Fix build against Python 3. (Ed Catmur) (#15969)
diff --git a/pidgin/win32/untar.c b/pidgin/win32/untar.c
--- a/pidgin/win32/untar.c
+++ b/pidgin/win32/untar.c
@@ -401,6 +401,19 @@ static int untar_block(Uchar_t *blk) {
sizeof (nbuf));
}
+ /* Possibly strip the drive from the path */
+ if (!ABSPATH) {
+ /* If the path contains a colon, assume everything before the
+ * colon is intended to be a drive name and ignore it. This
+ * should be just a single drive letter, but it should be safe
+ * to drop it even if it's longer. */
+ const char *lastcolon = strrchr(nbuf, ':');
+ if (lastcolon) {
+ memmove(nbuf, lastcolon, strlen(lastcolon) + 1);
+ didabs = 1; /* Path was changed from absolute to relative */
+ }
+ }
+
/* Convert any backslashes to forward slashes, and guard
* against doubled-up slashes. (Some DOS versions of "tar"
* get this wrong.) Also strip off leading slashes.
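Review bot: The memmove in the new `if (lastcolon)` branch copies from `lastcolon` rather than `lastcolon + 1`, so the colon itself is kept and `nbuf` starts with ':' after the drive name is removed, which does not match the comment's intent of ignoring the drive prefix. Because that ':' sits in front of any slash, the "strip off leading slashes" step described in the following block may no longer treat the slash after the drive as leading. Suggest `memmove(nbuf, lastcolon + 1, strlen(lastcolon + 1) + 1);`. It would also help to state in the comment that `strrchr` discards everything before the last colon, including any directory components that precede it, so the intended behaviour for paths with a colon past the first component is on record.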