From 1c2e21155cc6f5b4605c9f3d8a5eca0c1f2f16ff Mon Sep 17 00:00:00 2001
From: JinWang An <jinwang.an@samsung.com>
Date: Tue, 23 Feb 2021 21:17:49 +0900
Subject: [PATCH] [CVE-2010-4651] Do not let a malicious patch create files
 above current directory

This addresses CVE-2010-4651, reported by Jakub Wilk.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
* src/util.c (strip_leading_slashes): Reject absolute file names
and file names containing a component of "..".
* tests/bad-filenames: New file.  Test for this.
* tests/Makefile.am (TESTS): Add it.
Improvements by Andreas Gruenbacher.

Change-Id: I2f85671214a71c84461b1b2c805c7f48f3b3f922
Signed-off-by: JinWang An <jinwang.an@samsung.com>
---
 ChangeLog  | 11 +++++++++++
 src/util.c | 11 +++++++++++
 2 files changed, 22 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index bac2632..028a277 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -258,6 +258,17 @@
 	generated code in gnulib.mk may use += to append to them.
 	* configure.ac: Add AM_PROG_AR, to placate newer automake.
 
+2011-02-01  Jim Meyering  <meyering@redhat.com>
+    and Andreas Gruenbacher <agruen@linbit.com>
+
+    Do not let a malicious patch create files above current directory
+    This addresses CVE-2010-4651, reported by Jakub Wilk.
+    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4651
+    * src/util.c (strip_leading_slashes): Reject absolute file names and
+    file names containing a component of "..".
+    * tests/bad-filenames: New file.  Test for this.
+    * tests/Makefile.am (TESTS): Add it.
+
 2012-01-01  Jim Meyering  <meyering@redhat.com>
 
 	maint: enable the sc_space_tab syntax-check rule
diff --git a/src/util.c b/src/util.c
index e8e2ad4..c32a885 100644
--- a/src/util.c
+++ b/src/util.c
@@ -1418,6 +1418,17 @@ strip_leading_slashes (char *name, int strip_leading)
 	      n = p+1;
 	}
     }
+  if (IS_ABSOLUTE_FILE_NAME (n))
+    fatal ("rejecting absolute file name: %s", quotearg (n));
+  for (p = n; *p; )
+    {
+      if (*p == '.' && *++p == '.' && ( ! *++p || ISSLASH (*p)))
+    fatal ("rejecting file name with \"..\" component: %s", quotearg (n));
+      while (*p && ! ISSLASH (*p))
+    p++;
+      while (ISSLASH (*p))
+    p++;
+    }
   if ((strip_leading < 0 || s <= 0) && *n)
     {
       memmove (name, n, strlen (n) + 1);
-- 
2.34.1