View | Details | Raw Unified | Return to bug 17533 | Differences between
and this patch

Collapse All | Expand All

(-)a/binutils/ar.c (+9 lines)
Lines 1034-1039 extract_file (bfd *abfd) Link Here
1034
  bfd_size_type size;
1034
  bfd_size_type size;
1035
  struct stat buf;
1035
  struct stat buf;
1036
1036
1037
  /* PR binutils/17533: Do not allow directory traversal
1038
     outside of the current directory tree.  */
1039
  if (! is_valid_archive_path (bfd_get_filename (abfd)))
1040
    {
1041
      non_fatal (_("illegal pathname found in archive member: %s"),
1042
		 bfd_get_filename (abfd));
1043
      return;
1044
    }
1045
1037
  if (bfd_stat_arch_elt (abfd, &buf) != 0)
1046
  if (bfd_stat_arch_elt (abfd, &buf) != 0)
1038
    /* xgettext:c-format */
1047
    /* xgettext:c-format */
1039
    fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
1048
    fatal (_("internal stat error on %s"), bfd_get_filename (abfd));
(-)a/binutils/bucomm.c (+26 lines)
Lines 624-626 bfd_get_archive_filename (const bfd *abfd) Link Here
624
	   bfd_get_filename (abfd));
624
	   bfd_get_filename (abfd));
625
  return buf;
625
  return buf;
626
}
626
}
627
628
/* Returns TRUE iff PATHNAME, a filename of an archive member,
629
   is valid for writing.  For security reasons absolute paths
630
   and paths containing /../ are not allowed.  See PR 17533.  */
631
632
bfd_boolean
633
is_valid_archive_path (char const * pathname)
634
{
635
  const char * n = pathname;
636
637
  if (IS_ABSOLUTE_PATH (n))
638
    return FALSE;
639
640
  while (*n)
641
    {
642
      if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n)))
643
	return FALSE;
644
645
      while (*n && ! IS_DIR_SEPARATOR (*n))
646
	n++;
647
      while (IS_DIR_SEPARATOR (*n))
648
	n++;
649
    }
650
651
  return TRUE;
652
}
(-)a/binutils/bucomm.h (-4 / +8 lines)
Lines 21-26 Link Here
21
#ifndef _BUCOMM_H
21
#ifndef _BUCOMM_H
22
#define _BUCOMM_H
22
#define _BUCOMM_H
23
23
24
/* In bucomm.c.  */
25
24
/* Return the filename in a static buffer.  */
26
/* Return the filename in a static buffer.  */
25
const char *bfd_get_archive_filename (const bfd *);
27
const char *bfd_get_archive_filename (const bfd *);
26
28
Lines 56-75 bfd_vma parse_vma (const char *, const char *); Link Here
56
58
57
off_t get_file_size (const char *);
59
off_t get_file_size (const char *);
58
60
61
bfd_boolean is_valid_archive_path (char const *);
62
59
extern char *program_name;
63
extern char *program_name;
60
64
61
/* filemode.c */
65
/* In filemode.c.  */
62
void mode_string (unsigned long, char *);
66
void mode_string (unsigned long, char *);
63
67
64
/* version.c */
68
/* In version.c.  */
65
extern void print_version (const char *);
69
extern void print_version (const char *);
66
70
67
/* rename.c */
71
/* In rename.c.  */
68
extern void set_times (const char *, const struct stat *);
72
extern void set_times (const char *, const struct stat *);
69
73
70
extern int smart_rename (const char *, const char *, int);
74
extern int smart_rename (const char *, const char *, int);
71
75
72
/* libiberty.  */
76
/* In libiberty.  */
73
void *xmalloc (size_t);
77
void *xmalloc (size_t);
74
78
75
void *xrealloc (void *, size_t);
79
void *xrealloc (void *, size_t);
(-)a/binutils/doc/binutils.texi (-1 / +2 lines)
Lines 234-240 a normal archive. Instead the elements of the first archive are added Link Here
234
individually to the second archive.
234
individually to the second archive.
235
235
236
The paths to the elements of the archive are stored relative to the
236
The paths to the elements of the archive are stored relative to the
237
archive itself.
237
archive itself.  For security reasons absolute paths and paths with a
238
@code{/../} component are not allowed.
238
239
239
@cindex compatibility, @command{ar}
240
@cindex compatibility, @command{ar}
240
@cindex @command{ar} compatibility
241
@cindex @command{ar} compatibility
(-)a/binutils/objcopy.c (+6 lines)
Lines 2295-2300 copy_archive (bfd *ibfd, bfd *obfd, const char *output_target, Link Here
2295
      bfd_boolean del = TRUE;
2295
      bfd_boolean del = TRUE;
2296
      bfd_boolean ok_object;
2296
      bfd_boolean ok_object;
2297
2297
2298
      /* PR binutils/17533: Do not allow directory traversal
2299
	 outside of the current directory tree by archive members.  */
2300
      if (! is_valid_archive_path (bfd_get_filename (this_element)))
2301
	fatal (_("illegal pathname found in archive member: %s"),
2302
	       bfd_get_filename (this_element));
2303
2298
      /* Create an output file for this member.  */
2304
      /* Create an output file for this member.  */
2299
      output_name = concat (dir, "/",
2305
      output_name = concat (dir, "/",
2300
			    bfd_get_filename (this_element), (char *) 0);
2306
			    bfd_get_filename (this_element), (char *) 0);

Return to bug 17533