aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorglewis <glewis@FreeBSD.org>2005-05-12 05:18:39 +0800
committerglewis <glewis@FreeBSD.org>2005-05-12 05:18:39 +0800
commitbcb95fbdaab67e45a92222b48415b78cfec69737 (patch)
tree0fb1f28f75a46bae84dd5dc398906efd6e6f397c
parent2b48fb30b1cb031d51787ec9bdf3c1537ad34d7a (diff)
downloadfreebsd-ports-gnome-bcb95fbdaab67e45a92222b48415b78cfec69737.tar.gz
freebsd-ports-gnome-bcb95fbdaab67e45a92222b48415b78cfec69737.tar.zst
freebsd-ports-gnome-bcb95fbdaab67e45a92222b48415b78cfec69737.zip
. Ensure that when files are extracted that their fully resolved path lies
in or below the current working directory. Fixes a security problem with jar(1). This fix may change to be compatible with whatever fix Sun applies when they release a fixed version of 1.5. . Bump PORTREVISION for this fix. Approved by: maintainer timeout Security: http://vuxml.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html
-rw-r--r--java/jdk14/Makefile1
-rw-r--r--java/jdk14/files/patch-j2se-jar-Main.java58
-rw-r--r--java/jdk14/files/patch-j2se-resources-jar.properties13
3 files changed, 72 insertions, 0 deletions
diff --git a/java/jdk14/Makefile b/java/jdk14/Makefile
index 62a52c479798..688ed8196fbe 100644
--- a/java/jdk14/Makefile
+++ b/java/jdk14/Makefile
@@ -7,6 +7,7 @@
PORTNAME= jdk
PORTVERSION= ${JDK_VERSION}p${JDK_PATCHSET_VERSION}
+PORTREVISION= 1
CATEGORIES= java devel
MASTER_SITES= # http://www.sun.com/software/java2/download.html
# http://www.eyesbeyond.com/freebsddom/java/jdk14.html
diff --git a/java/jdk14/files/patch-j2se-jar-Main.java b/java/jdk14/files/patch-j2se-jar-Main.java
new file mode 100644
index 000000000000..bace7025507f
--- /dev/null
+++ b/java/jdk14/files/patch-j2se-jar-Main.java
@@ -0,0 +1,58 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/sun/tools/jar/Main.java 22 Oct 2003 23:02:47 -0000 1.1.1.2
++++ ../../j2se/src/share/classes/sun/tools/jar/Main.java 27 Apr 2005 05:01:42 -0000
+@@ -32,6 +32,7 @@
+ Hashtable filesTable = new Hashtable();
+ Vector paths = new Vector();
+ Vector v;
++ String cwd;
+ CRC32 crc32 = new CRC32();
+ /* cflag: create
+ * uflag: update
+@@ -671,6 +672,19 @@
+ * Extracts specified entries from JAR file.
+ */
+ void extract(InputStream in, String files[]) throws IOException {
++ // Current working directory
++
++ cwd = System.getProperty("user.dir");
++ if (cwd == null) {
++ fatalError(getMsg("error.no.cwd"));
++ }
++ cwd = (new File(cwd)).getCanonicalPath();
++ if (!cwd.endsWith(File.separator)) {
++ cwd += File.separator;
++ }
++
++ // Extract the files
++
+ ZipInputStream zis = new ZipInputStream(in);
+ ZipEntry e;
+ while ((e = zis.getNextEntry()) != null) {
+@@ -695,6 +709,10 @@
+ void extractFile(ZipInputStream zis, ZipEntry e) throws IOException {
+ String name = e.getName();
+ File f = new File(e.getName().replace('/', File.separatorChar));
++ if (!f.getCanonicalPath().startsWith(cwd)) {
++ output(formatMsg("out.ignore.entry", name));
++ return;
++ }
+ if (e.isDirectory()) {
+ if (!f.exists() && !f.mkdirs() || !f.isDirectory()) {
+ throw new IOException(formatMsg("error.create.dir", f.getPath()));
+@@ -705,6 +723,10 @@
+ } else {
+ if (f.getParent() != null) {
+ File d = new File(f.getParent());
++ if (!d.getCanonicalPath().startsWith(cwd)) {
++ output(formatMsg("out.ignore.entry", name));
++ return;
++ }
+ if (!d.exists() && !d.mkdirs() || !d.isDirectory()) {
+ throw new IOException(formatMsg("error.create.dir", d.getPath()));
+ }
+Index: j2se/src/share/classes/sun/tools/jar/resources/jar.properties
+===================================================================
+RCS file: /var/jcvs/javasrc_1_4_scsl/j2se/src/share/classes/sun/tools/jar/resources/jar.properties,v
+retrieving revision 1.1.1.3
diff --git a/java/jdk14/files/patch-j2se-resources-jar.properties b/java/jdk14/files/patch-j2se-resources-jar.properties
new file mode 100644
index 000000000000..3d9d46286bb9
--- /dev/null
+++ b/java/jdk14/files/patch-j2se-resources-jar.properties
@@ -0,0 +1,13 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/sun/tools/jar/resources/jar.properties 22 Oct 2003 23:02:47 -0000 1.1.1.3
++++ ../../j2se/src/share/classes/sun/tools/jar/resources/jar.properties 27 Apr 2005 05:01:59 -0000
+@@ -30,6 +30,8 @@
+ {0} : could not create directory
+ error.incorrect.length=\
+ incorrect length while processing: {0}
++error.no.cwd=\
++ {0} : could not determine current working directory
+ out.added.manifest=\
+ added manifest
+ out.update.manifest=\