Re: deb vfs security issue (CAN-2004-0494)
- From: Leonard den Ottolander <leonard den ottolander nl>
- To: MC Devel <mc-devel gnome org>
- Subject: Re: deb vfs security issue (CAN-2004-0494)
- Date: Wed, 18 Aug 2004 19:28:23 +0200
Hi,
On Wed, 2004-08-18 at 16:31, Leonard den Ottolander wrote:
> I noticed this in Red Hat's bugzilla just now:
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973 .
Attached is a patch that escapes all dangerous characters for function
arguments. More specifically, everything not in A-Z, a-z, 0-9, _, /, ., - and +.
Could somebody on a system with dpkg installed verify that things still
work correctly after applying this patch? Thanks.
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
--- deb.000 2004-06-18 02:02:02.000000000 +0200
+++ deb 2004-08-18 19:19:38.000000000 +0200
@@ -25,7 +25,9 @@
# CAVEAT: Hard links are listed as if they were symlinks
# Empty directories do not appear at all
#
- local($archivename)= _;
+ $_ = $_[0];
+ s/([^\w\/.+-])/\\$1/g;
+ local $archivename = $_;
chop($date=`LC_ALL=C date "+%b %d %Y %H:%M"`);
chop($info_size=`dpkg -I $archivename | wc -c`);
$install_size=length($pressinstall);
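Review bot: In the new `$archivename` assignment, the class `[^\w\/.+-]` leaves `-` unescaped, so an archive name that begins with `-` still reaches `dpkg -I $archivename` as an option, and no amount of backslash escaping changes that. Prefixing a relative name that starts with `-` with `./` before the command is built would close this. Separately, a backslash placed in front of a newline is treated by the shell as a line continuation and the newline is dropped, so a name containing one is silently altered rather than quoted; rejecting such names up front is simpler than trying to escape them.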
@@ -108,7 +110,15 @@
sub mcdebfs_copyout
{
- local($archive,$filename,$destfile)= _;
+ $_ = $_[0];
+ s/([^\w\/.+-])/\\$1/g;
+ local $archive = $_;
+ $_ = $_[1];
+ s/([^\w\/.+-])/\\$1/g;
+ local $filename = $_;
+ $_ = $_[2];
+ s/([^\w\/.+-])/\\$1/g;
+ local $destfile = $_;
if($filename eq "INFO")
{
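Review bot: The same three-line assign, substitute, copy sequence is repeated for `$archive`, `$filename` and `$destfile` at the top of `mcdebfs_copyout`, and each repetition overwrites the global `$_` without localizing it. A small helper (for example a sub named `mcdebfs_quote`, name suggested here) that takes one argument, applies `s/([^\w\/.+-])/\\$1/g` to its own copy and returns the result would keep the character class in one place and leave the caller's `$_` untouched. That also makes it harder for a later edit to change one copy of the pattern and miss the others.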
@@ -141,7 +151,12 @@
sub mcdebfs_run
{
- local($archive,$filename)= _;
+ $_ = $_[0];
+ s/([^\w\/.+-])/\\$1/g;
+ local $archive = $_;
+ $_ = $_[1];
+ s/([^\w\/.+-])/\\$1/g;
+ local $filename = $_;
if($filename eq "INSTALL")
{
print "Installing $archive\n";
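Review bot: Because `$archive` is escaped at the top of `mcdebfs_run`, the trailing `print "Installing $archive\n";` now shows the backslash-escaped name to the user instead of the real one. The `$filename eq "INSTALL"` comparison is unaffected, since that string contains no escaped characters, but any other non-shell use of these variables in the rest of the sub would also see the added backslashes. Keeping the raw argument for display and comparisons and using the escaped copy only where a command string is built would avoid this; the same check is worth doing for the escaped variables in the other two hunks.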