[arch-commits] Commit in simgear/trunk (PKGBUILD sec-fix.patch)

Mon Dec 19 15:04:54 UTC 2016

Date: Monday, December 19, 2016 @ 15:04:53
  Author: spupykin
Revision: 200314

upgpkg: simgear 2016.4.3-2

upd

Added:
  simgear/trunk/sec-fix.patch
Modified:
  simgear/trunk/PKGBUILD

---------------+
 PKGBUILD      |   13 ++++++++++---
 sec-fix.patch |   17 +++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================

--- PKGBUILD	2016-12-19 15:04:50 UTC (rev 200313)
+++ PKGBUILD	2016-12-19 15:04:53 UTC (rev 200314)
@@ -6,7 +6,7 @@
 pkgname=simgear
 pkgver=2016.4.3
 _pkgver=${pkgver%.*}
-pkgrel=1
+pkgrel=2
 pkgdesc="A set of open-source libraries designed to be used as building blocks for quickly assembling 3d simulations, games, and visualization applications."
 arch=(i686 x86_64)
 depends=('glu' 'glut' 'freealut' 'plib' 'openscenegraph')
@@ -14,10 +14,17 @@
 license=("GPL")
 url="http://www.flightgear.org/"
 options=('!makeflags' 'staticlibs')
-source=("http://downloads.sourceforge.net/project/flightgear/release-${_pkgver}/${pkgname}-${pkgver}.tar.bz2")
 #source=("git://git.code.sf.net/p/flightgear/simgear#commit=41f40a9a106520e92385d059b80c4ed3779eedcb")
-sha256sums=('6933550215818c2043b84df01b6bf5f7adef218c8648b510b8202e394003d2bd')
+source=("http://downloads.sourceforge.net/project/flightgear/release-${_pkgver}/${pkgname}-${pkgver}.tar.bz2"
+	sec-fix.patch)
+sha256sums=('6933550215818c2043b84df01b6bf5f7adef218c8648b510b8202e394003d2bd'
+            'bfd4234d23beb5d2b229dbcd28fa436cfc822c50c0ab03aca51c7ca1194dbd16')
 
+prepare() {
+  cd "$srcdir"/simgear-$pkgver
+  patch -p1 -i $srcdir/sec-fix.patch
+}
+
 build() {
   cd "$srcdir"/simgear-$pkgver
   cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_INSTALL_LIBDIR=lib .

Added: sec-fix.patch
===================================================================
--- sec-fix.patch	                        (rev 0)
+++ sec-fix.patch	2016-12-19 15:04:53 UTC (rev 200314)
@@ -0,0 +1,17 @@
+--- a/simgear/io/HTTPRepository.cxx
++++ b/simgear/io/HTTPRepository.cxx
+@@ -503,6 +503,14 @@
+                 SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid type in line '" << line << "', expected 'd' or 'f', (ignoring line)" );
+                 continue;
+             }
++
++            // security: prevent writing outside the repository via ../../.. filenames
++            // (valid filenames never contain / - subdirectories have their own .dirindex)
++            if ((tokens[1] == "..") || (tokens[1].find_first_of("/\\") != std::string::npos)) {
++                SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid filename in line '" << line << "', (ignoring line)" );
++                continue;
++            }
++
+             children.push_back(ChildInfo(typeData == "f" ? ChildInfo::FileType : ChildInfo::DirectoryType, tokens[1], tokens[2]));
+ 
+             if (tokens.size() > 3) {

