components/shell/bash/patches/solaris-019.eaccess.c.patch

   1 # Fix for CVE-2012-3410.
   2 # Solaris-specific. There are no threads in bash, therefore
   3 # no concurrency issues on accessing a static buffer.
   4 # Not for upstream, their fix is too Linux-specific
   5 --- lib/sh/eaccess.c    2012-10-09 12:45:17.924274300 -0700
   6 +++ lib/sh/eaccess.c    2012-10-09 12:44:21.930979200 -0700
   7 @@ -40,6 +40,10 @@
   8  #if !defined (_POSIX_VERSION) && defined (HAVE_SYS_FILE_H)
   9  #  include <sys/file.h>
  10  #endif /* !_POSIX_VERSION */
  11 +
  12 +#include <string.h> /* memset(3C) */
  13 +#include <limits.h> /* _XOPEN_PATH_MAX */
  14 +
  15  #include "posixstat.h"
  16  #include "filecntl.h"
  17
  18 @@ -82,7 +86,7 @@
  19       const char *path;
  20       struct stat *finfo;
  21  {
  22 -  static char *pbuf = 0;
  23 +  static char pbuf[_XOPEN_PATH_MAX + 1];
  24
  25    if (*path == '\0')
  26      {
  27 @@ -108,9 +112,11 @@
  28       trailing slash.  Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
  29       On most systems, with the notable exception of linux, this is
  30       effectively a no-op. */
  31 -      pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
  32 +  /* The way CVE-2012-3410 was fixed is wrong */
  33 +      (void) memset (pbuf, '\0', sizeof(pbuf));
  34        strcpy (pbuf, DEV_FD_PREFIX);
  35 -      strcat (pbuf, path + 8);
  36 +      strncat (pbuf, path + 8,
  37 +          (size_t) (sizeof(pbuf) - sizeof(DEV_FD_PREFIX)));
  38        return (stat (pbuf, finfo));
  39  #endif /* !HAVE_DEV_FD */
  40      }