Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
augeas
augeas-CVE-2017-7555.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File augeas-CVE-2017-7555.patch of Package augeas
From 4cca923b732990bec0c699b2e69911c2221b2498 Mon Sep 17 00:00:00 2001 From: David Lutterkort <lutter@watzmann.net> Date: Fri, 4 Aug 2017 17:13:52 -0700 Subject: [PATCH] * src/pathx.c (parse_name): correctly handle trailing whitespace in names When a name ended in whitespace, we incorrectly assumed it was always ok to trim that whitespace. That is not true if that whitespace is escaped, i.e. if the path expression is something like '/x\ '. In that case, the name really needs to be literally 'x ', i.e., we can not trim that whitespace. The incorrect behavior led to turning '/x\ ' first into 'x\' and then, because we assume that '\' is always followed by a character inside the string, when we removed the escaping '\', we would read beyond the end of the intermediate string result; if we were lucky, that would lead to a crash, otherwise we'd continue with junk. We now make sure that escaped whitespace at the end of a string does not get stripped, avoiding all these headaches. Fixes RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1475621 --- src/pathx.c | 27 +++++++++++++++++++------ tests/test-xpath.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 6 deletions(-) Index: augeas-1.2.0/src/pathx.c =================================================================== --- augeas-1.2.0.orig/src/pathx.c 2018-02-28 14:54:32.655132923 +0100 +++ augeas-1.2.0/src/pathx.c 2018-02-28 14:54:32.831135413 +0100 @@ -1643,6 +1643,16 @@ int pathx_escape_name(const char *in, ch return 0; } +/* Return true if POS is preceded by an odd number of backslashes, i.e., if + * POS is escaped. Stop the search when we get to START */ +static bool backslash_escaped(const char *pos, const char *start) { + bool result=false; + while (pos-- > start && *pos == '\\') { + result = !result; + } + return result; +} + /* * NameNoWS ::= [^][|/\= \t\n] | \\. * NameWS ::= [^][|/\=] | \\. @@ -1652,11 +1662,14 @@ static char *parse_name(struct state *st const char *s = state->pos; char *result; + /* Advance state->pos until it points to the first character that is + * not part of a name. */ while (*state->pos != '\0' && strchr(name_follow, *state->pos) == NULL) { - /* This is a hack: since we allow spaces in names, we need to avoid - * gobbling up stuff that is in follow(Name), e.g. 'or' so that - * things like [name1 or name2] still work. - */ + /* Since we allow spaces in names, we need to avoid gobbling up + * stuff that is in follow(Name), e.g. 'or' so that things like + * [name1 or name2] still work. In other words, we'll parse 'x frob + * y' as one name, but for 'x or y', we consider 'x' a name in its + * own right. */ if (STREQLEN(state->pos, " or ", strlen(" or ")) || STREQLEN(state->pos, " and ", strlen(" and "))) break; @@ -1671,10 +1684,12 @@ static char *parse_name(struct state *st state->pos += 1; } - /* Strip trailing white space */ + /* Strip trailing white space. Make sure we respect escaped whitespace + * and don't strip it as in "x\\ " */ if (state->pos > s) { state->pos -= 1; - while (isspace(*state->pos) && state->pos >= s) + while (isspace(*state->pos) && state->pos > s + && !backslash_escaped(state->pos, s)) state->pos -= 1; state->pos += 1; } Index: augeas-1.2.0/tests/test-xpath.c =================================================================== --- augeas-1.2.0.orig/tests/test-xpath.c 2012-11-21 01:14:39.000000000 +0100 +++ augeas-1.2.0/tests/test-xpath.c 2018-02-28 14:54:32.831135413 +0100 @@ -331,6 +331,62 @@ static int test_wrong_regexp_flag(struct return -1; } +static int test_trailing_ws_in_name(struct augeas *aug) { + int r; + + printf("%-30s ... ", "trailing_ws_in_name"); + + /* We used to incorrectly lop escaped whitespace off the end of a + * name. Make sure that we really create a tree node with label 'x ' + * with the below set, and look for it in a number of ways to ensure we + * are not lopping off trailing whitespace. */ + r = aug_set(aug, "/ws\\ ", "1"); + if (r < 0) { + fprintf(stderr, "failed to set '/ws ': %d\n", r); + goto fail; + } + /* We did not create a node with label 'ws' */ + r = aug_get(aug, "/ws", NULL); + if (r != 0) { + fprintf(stderr, "created '/ws' instead: %d\n", r); + goto fail; + } + + /* We did not create a node with label 'ws\t' (this also checks that we + * don't create something like 'ws\\' by dropping the last whitespace + * character. */ + r = aug_get(aug, "/ws\\\t", NULL); + if (r != 0) { + fprintf(stderr, "found '/ws\\t': %d\n", r); + goto fail; + } + + /* But we did create 'ws ' */ + r = aug_get(aug, "/ws\\ ", NULL); + if (r != 1) { + fprintf(stderr, "could not find '/ws ': %d\n", r); + goto fail; + } + + /* If the whitespace is preceded by an even number of '\\' chars, + * whitespace must be stripped */ + r = aug_set(aug, "/nows\\\\ ", "1"); + if (r < 0) { + fprintf(stderr, "set of '/nows' failed: %d\n", r); + goto fail; + } + r = aug_get(aug, "/nows\\\\", NULL); + if (r != 1) { + fprintf(stderr, "could not get '/nows\\'\n"); + goto fail; + } + printf("PASS\n"); + return 0; + fail: + printf("FAIL\n"); + return -1; +} + static int run_tests(struct test *tests, int argc, char **argv) { char *lensdir; struct augeas *aug = NULL; @@ -374,6 +430,9 @@ static int run_tests(struct test *tests, if (test_wrong_regexp_flag(aug) < 0) result = EXIT_FAILURE; + + if (test_trailing_ws_in_name(aug) < 0) + result = EXIT_FAILURE; } aug_close(aug);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor