[kaffe] fastjar security issue

Dalibor Topic robilad at kaffe.org
Mon Mar 27 16:28:45 PST 2006


On Mon, 2006-03-27 at 21:25 +0200, Antoine Reilles wrote:
> Hi,
> 

Salut Antoine, hi Tom,

thanks for the bug report.

> The fastjar in kaffe/external/gcc/fastjar has a security problem
> as reported at:
> http://secunia.com/advisories/14902
> 
> There is a problem with input validation that allows to extract files
> to arbitrary locations, using ../ (see the url for more details).

I can confirm that the bug is indeed there in the version of fastjar
distributed in Kaffe 1.1.7. I've tried the steps described in
http://www.securiteam.com/securitynews/5IP0C0AFGW.html

> I adapted a patch joerg at netbsd.org wrote for the fastjar package in
> pkgsrc to the fastjar in kaffe, adding the necessary input checks to
> avoid that problem.

Thanks! I'd recommend using realpath or canonicalize_file_name, if
available, to do the canonicalisation, rather than writing one's own
function, though. See
http://www.gnu.org/software/libc/manual/html_node/Symbolic-Links.html#Symbolic-Links
for a description. 

I guess you could then simply chop the first char off if it is a file
separator. I am not sure what the POSIX-y way to find out the file
separator char/string is, though.

Just slashing '/'s may not work so well on systems where '\' is the
directory separator, like win32. So I'd recommend going with realpath or
canonicalize_filename.

If the patch fixes the issue, please check it in, though. We can improve
on it while the hole is plugged. I need to check if the fastjar code in
gcc has changed between gcc 4.0.2 and 4.0.3/4.1.0.

> Is it right to commit ? Also, a similar fix could be brought to the
> fastjar in gcc

I have not tried the fastjar code in gcc yet. I've fired off a gcc SVN
head build, but I don't know how long it will take. :/

cheers,
dalibor topic




More information about the kaffe mailing list