casa-mp-base
Public
Commits
Rainer Müller authored 13d54192f8f
| 1 + | Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/CVE-2015-0857.diff |
| 2 + | Edit: gnutar instead of tar |
| 3 + | |
| 4 + | Description: Fix local code execution when calling diff (CVE-2015-0857) |
| 5 + | Reported by Rainer Müller <raimue@codingfarm.de>. Implemented using |
| 6 + | Text::Diff instead of diff and backticks. |
| 7 + | Author: Axel Beckert <abe@debian.org> |
| 8 + | Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857 |
| 9 + | |
| 10 + | Index: tardiff |
| 11 + | =================================================================== |
| 12 + | --- tardiff 2016-04-28 19:19:02.194646937 +0200 |
| 13 + | +++ tardiff 2016-04-28 19:36:41.253948109 +0200 |
| 14 + | |
| 15 + | # Published under GNU GPL conditions |
| 16 + | |
| 17 + | use strict; |
| 18 + | +use Text::Diff; |
| 19 + | |
| 20 + | my $VERSION = '0.1'; |
| 21 + | |
| 22 + | |
| 23 + | $flag = "-j"; |
| 24 + | } |
| 25 + | |
| 26 + | - my $list = `gnutar -C $tempdir $flag -xvf $tarball 2>/dev/null`; |
| 27 + | + open(TARLIST, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball) |
| 28 + | + or die "Can't call tar as expected: $!"; |
| 29 + | + local $/ = undef; # slurp mode |
| 30 + | + my $list = <TARLIST> or die "Couldn't read from tar"; |
| 31 + | + close(TARLIST) or warn "tar exited with non-zero exit code"; |
| 32 + | + |
| 33 + | return $list; |
| 34 + | } |
| 35 + | |
| 36 + | |
| 37 + | if(-d $file1 and -d $file2){ |
| 38 + | return 0; |
| 39 + | }elsif(-f $file1 and -f $file2){ |
| 40 + | - my $diff = `diff $file1 $file2`; |
| 41 + | + my $diff = diff $file1, $file2, { STYLE => "OldStyle" }; |
| 42 + | if($diff){ |
| 43 + | if($opt_stats){ |
| 44 + | my $plus = 0; |