fastjar: apply fix for CVE-2010-0831

* bump PR

2 files changed, 115 insertions, 1 deletions

diff --git a/recipes/fastjar/fastjar_0.98.bb b/recipes/fastjar/fastjar_0.98.bb
index e9be4e14a9..bbfb44523f 100644
--- a/recipes/fastjar/fastjar_0.98.bb
+++ b/recipes/fastjar/fastjar_0.98.bb
@@ -1,6 +1,8 @@
 require fastjar.inc
 
-PR = "${INC_PR}.1"
+PR = "${INC_PR}.2"
+
+SRC_URI += "file://jartool.patch"
 
 SRC_URI[md5sum] = "d2d264d343d4d0e1575832cc1023c3bf"
 SRC_URI[sha256sum] = "f156abc5de8658f22ee8f08d7a72c88f9409ebd8c7933e9466b0842afeb2f145"
diff --git a/recipes/fastjar/files/jartool.patch b/recipes/fastjar/files/jartool.patch
new file mode 100644
index 0000000000..b589b626f6
--- /dev/null
+++ b/recipes/fastjar/files/jartool.patch
@@ -0,0 +1,112 @@
+--- a/jartool.c	2009/09/06 22:16:00	1.59
++++ b/jartool.c	2010/06/10 11:32:48	1.62
+@@ -790,6 +790,7 @@
+ 		   progname, jarfile);
+ 	  return 1;
+ 	}
++      ze->filename[len] = '\0';
+       len = UNPACK_UB4(header, CEN_EFLEN);
+       len += UNPACK_UB4(header, CEN_COMLEN);
+       if (lseek (fd, len, SEEK_CUR) == -1)
+@@ -1257,7 +1258,7 @@
+       exit_on_error("write");
+ 
+   /* write the file name to the zip file */
+-  if (1 == write(jfd, fname, file_name_length))
++  if (-1 == write(jfd, fname, file_name_length))
+     exit_on_error("write");
+ 
+   if(verbose){
+@@ -1730,7 +1731,17 @@
+       struct stat sbuf;
+       int depth = 0;
+ 
+-      tmp_buff = malloc(sizeof(char) * strlen((const char *)filename));
++      if(*filename == '/'){
++	fprintf(stderr, "Absolute path names are not allowed.\n");
++	exit(EXIT_FAILURE);
++      }
++
++      tmp_buff = malloc(strlen((const char *)filename));
++
++      if(tmp_buff == NULL) {
++	fprintf(stderr, "Out of memory.\n");
++	exit(EXIT_FAILURE);
++      }
+ 
+       for(;;){
+         const ub1 *idx = (const unsigned char *)strchr((const char *)start, '/');
+@@ -1738,25 +1749,28 @@
+         if(idx == NULL)
+           break;
+         else if(idx == start){
++	  tmp_buff[idx - filename] = '/';
+           start++;
+           continue;
+         }
+-        start = idx + 1;
+ 
+-        strncpy(tmp_buff, (const char *)filename, (idx - filename));
+-        tmp_buff[(idx - filename)] = '\0';
++	memcpy(tmp_buff + (start - filename), (const char *)start, (idx - start));
++	tmp_buff[idx - filename] = '\0';
+ 
+ #ifdef DEBUG    
+         printf("checking the existance of %s\n", tmp_buff);
+ #endif
+-	if(strcmp(tmp_buff, "..") == 0){
++	if(idx - start == 2 && memcmp(start, "..", 2) == 0){
+ 	  --depth;
+ 	  if (depth < 0){
+ 	    fprintf(stderr, "Traversal to parent directories during unpacking!\n");
+ 	    exit(EXIT_FAILURE);
+ 	  }
+-	} else if (strcmp(tmp_buff, ".") != 0)
++	} else if (idx - start != 1 || *start != '.')
+ 	  ++depth;
++
++        start = idx + 1;
++
+         if(stat(tmp_buff, &sbuf) < 0){
+           if(errno != ENOENT)
+             exit_on_error("stat");
+@@ -1765,6 +1779,7 @@
+ #ifdef DEBUG    
+           printf("Directory exists\n");
+ #endif
++	  tmp_buff[idx - filename] = '/';
+           continue;
+         }else {
+           fprintf(stderr, "Hmmm.. %s exists but isn't a directory!\n",
+@@ -1781,10 +1796,11 @@
+         if(verbose && handle)
+           printf("%10s: %s/\n", "created", tmp_buff);
+ 
++	tmp_buff[idx - filename] = '/';
+       }
+ 
+       /* only a directory */
+-      if(strlen((const char *)start) == 0)
++      if(*start == '\0')
+         dir = TRUE;
+ 
+ #ifdef DEBUG    
+@@ -1792,7 +1808,7 @@
+ #endif
+ 
+       /* If the entry was just a directory, don't write to file, etc */
+-      if(strlen((const char *)start) == 0)
++      if(*start == '\0')
+         f_fd = -1;
+ 
+       free(tmp_buff);
+@@ -1876,7 +1892,8 @@
+       exit(EXIT_FAILURE);
+     }
+ 
+-    close(f_fd);
++    if (f_fd != -1)
++      close(f_fd);
+ 
+     if(verbose && dir == FALSE && handle)
+       printf("%10s: %s\n",