. Ensure that when files are extracted that their fully resolved path lies

in or below the current working directory. Fixes a security problem with jar(1). This fix may change to be compatible with whatever fix Sun applies when they release the next version of 1.5. . Bump PORTREVISION for this fix. Security: http://vuxml.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html Reviewed by: maintainer timeout
svn path=/head/; revision=135102
2025-07-18 17:59:20 -04:00 · 2005-05-12 04:14:52 +00:00 · 2005-05-12 04:14:52 +00:00 · 83c1e8c44a · 2021-03-31 03:12:20 +00:00
commit 83c1e8c44a
parent a4f95e9588
6 changed files with 144 additions and 2 deletions
--- a/java/jdk15/Makefile
+++ b/java/jdk15/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	jdk
 PORTVERSION=	${JDK_VERSION}p${JDK_PATCHSET_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	java devel
 MASTER_SITES=	# http://www.sun.com/software/java2/download.html
 #		 http://www.eyesbeyond.com/freebsddom/java/jdk15.html
--- a/java/jdk15/files/patch-j2se-jar-Main.java
+++ b/java/jdk15/files/patch-j2se-jar-Main.java
@ -0,0 +1,58 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/sun/tools/jar/Main.java	8 Nov 2004 22:27:32 -0000	1.1.1.1
+++ ../../j2se/src/share/classes/sun/tools/jar/Main.java	20 Apr 2005 16:50:17 -0000
+@@ -31,6 +31,7 @@
+     Hashtable filesTable = new Hashtable();
+     Vector paths = new Vector();
+     Vector v;
+    String cwd;
+     CRC32 crc32 = new CRC32();
+     /* cflag: create
+      * uflag: update       
+@@ -670,6 +671,19 @@
+      * Extracts specified entries from JAR file.
+      */
+     void extract(InputStream in, String files[]) throws IOException {
+    	// Current working directory
+
+	cwd = System.getProperty("user.dir");
+	if (cwd == null) {
+            fatalError(getMsg("error.no.cwd"));
+	}
+	cwd = (new File(cwd)).getCanonicalPath();
+	if (!cwd.endsWith(File.separator)) {
+	    cwd += File.separator;
+	}
+
+	// Extract the files
+
+ 	ZipInputStream zis = new ZipInputStream(in);
+ 	ZipEntry e;
+ 	while ((e = zis.getNextEntry()) != null) {
+@@ -694,6 +708,10 @@
+     void extractFile(ZipInputStream zis, ZipEntry e) throws IOException {
+         String name = e.getName();
+ 	File f = new File(e.getName().replace('/', File.separatorChar));
+	if (!f.getCanonicalPath().startsWith(cwd)) {
+ 	    output(formatMsg("out.ignore.entry", name));
+	    return;
+	}
+ 	if (e.isDirectory()) {
+ 	    if (!f.exists() && !f.mkdirs() || !f.isDirectory()) {
+ 		throw new IOException(formatMsg("error.create.dir", f.getPath()));
+@@ -704,6 +722,10 @@
+ 	} else {
+ 	    if (f.getParent() != null) {
+ 		File d = new File(f.getParent());
+		if (!d.getCanonicalPath().startsWith(cwd)) {
+	 	    output(formatMsg("out.ignore.entry", name));
+		    return;
+		}
+ 		if (!d.exists() && !d.mkdirs() || !d.isDirectory()) {
+ 		    throw new IOException(formatMsg("error.create.dir", d.getPath()));
+ 		}
+Index: j2se/src/share/classes/sun/tools/jar/resources/jar.properties
+===================================================================
+RCS file: /var/jcvs/javasrc_1_5_scsl/j2se/src/share/classes/sun/tools/jar/resources/jar.properties,v
+retrieving revision 1.1.1.1
--- a/java/jdk15/files/patch-j2se-resources-jar.properties
+++ b/java/jdk15/files/patch-j2se-resources-jar.properties
@ -0,0 +1,13 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/sun/tools/jar/resources/jar.properties	8 Nov 2004 22:27:32 -0000	1.1.1.1
+++ ../../j2se/src/share/classes/sun/tools/jar/resources/jar.properties	20 Apr 2005 15:50:41 -0000
+@@ -30,6 +30,8 @@
+         {0} : could not create directory
+ error.incorrect.length=\
+         incorrect length while processing: {0}
+error.no.cwd=\
+	{0} : could not determine current working directory
+ out.added.manifest=\
+         added manifest
+ out.update.manifest=\
--- a/java/jdk16/Makefile
+++ b/java/jdk16/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	jdk
 PORTVERSION=	${JDK_VERSION}p${JDK_PATCHSET_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	java devel
 MASTER_SITES=	# http://www.sun.com/software/java2/download.html
 #		 http://www.eyesbeyond.com/freebsddom/java/jdk15.html
--- a/java/jdk16/files/patch-j2se-jar-Main.java
+++ b/java/jdk16/files/patch-j2se-jar-Main.java
@ -0,0 +1,58 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/sun/tools/jar/Main.java	8 Nov 2004 22:27:32 -0000	1.1.1.1
+++ ../../j2se/src/share/classes/sun/tools/jar/Main.java	20 Apr 2005 16:50:17 -0000
+@@ -31,6 +31,7 @@
+     Hashtable filesTable = new Hashtable();
+     Vector paths = new Vector();
+     Vector v;
+    String cwd;
+     CRC32 crc32 = new CRC32();
+     /* cflag: create
+      * uflag: update       
+@@ -670,6 +671,19 @@
+      * Extracts specified entries from JAR file.
+      */
+     void extract(InputStream in, String files[]) throws IOException {
+    	// Current working directory
+
+	cwd = System.getProperty("user.dir");
+	if (cwd == null) {
+            fatalError(getMsg("error.no.cwd"));
+	}
+	cwd = (new File(cwd)).getCanonicalPath();
+	if (!cwd.endsWith(File.separator)) {
+	    cwd += File.separator;
+	}
+
+	// Extract the files
+
+ 	ZipInputStream zis = new ZipInputStream(in);
+ 	ZipEntry e;
+ 	while ((e = zis.getNextEntry()) != null) {
+@@ -694,6 +708,10 @@
+     void extractFile(ZipInputStream zis, ZipEntry e) throws IOException {
+         String name = e.getName();
+ 	File f = new File(e.getName().replace('/', File.separatorChar));
+	if (!f.getCanonicalPath().startsWith(cwd)) {
+ 	    output(formatMsg("out.ignore.entry", name));
+	    return;
+	}
+ 	if (e.isDirectory()) {
+ 	    if (!f.exists() && !f.mkdirs() || !f.isDirectory()) {
+ 		throw new IOException(formatMsg("error.create.dir", f.getPath()));
+@@ -704,6 +722,10 @@
+ 	} else {
+ 	    if (f.getParent() != null) {
+ 		File d = new File(f.getParent());
+		if (!d.getCanonicalPath().startsWith(cwd)) {
+	 	    output(formatMsg("out.ignore.entry", name));
+		    return;
+		}
+ 		if (!d.exists() && !d.mkdirs() || !d.isDirectory()) {
+ 		    throw new IOException(formatMsg("error.create.dir", d.getPath()));
+ 		}
+Index: j2se/src/share/classes/sun/tools/jar/resources/jar.properties
+===================================================================
+RCS file: /var/jcvs/javasrc_1_5_scsl/j2se/src/share/classes/sun/tools/jar/resources/jar.properties,v
+retrieving revision 1.1.1.1
--- a/java/jdk16/files/patch-j2se-resources-jar.properties
+++ b/java/jdk16/files/patch-j2se-resources-jar.properties
@ -0,0 +1,13 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/classes/sun/tools/jar/resources/jar.properties	8 Nov 2004 22:27:32 -0000	1.1.1.1
+++ ../../j2se/src/share/classes/sun/tools/jar/resources/jar.properties	20 Apr 2005 15:50:41 -0000
+@@ -30,6 +30,8 @@
+         {0} : could not create directory
+ error.incorrect.length=\
+         incorrect length while processing: {0}
+error.no.cwd=\
+	{0} : could not determine current working directory
+ out.added.manifest=\
+         added manifest
+ out.update.manifest=\