diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..be4f3f8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/iniparser-3.1.tar.gz diff --git a/.iniparser.metadata b/.iniparser.metadata new file mode 100644 index 0000000..5c6ecb8 --- /dev/null +++ b/.iniparser.metadata @@ -0,0 +1 @@ +41eae7b414cad9cd42ae2c2a64394c10d7ab655e SOURCES/iniparser-3.1.tar.gz diff --git a/SOURCES/iniparser-3.1-Fix-crash-with-crafted-ini-files.patch b/SOURCES/iniparser-3.1-Fix-crash-with-crafted-ini-files.patch new file mode 100644 index 0000000..8af9500 --- /dev/null +++ b/SOURCES/iniparser-3.1-Fix-crash-with-crafted-ini-files.patch @@ -0,0 +1,40 @@ +From 654ea5fae25f0863d958e3ecd0bc0672603e0b4c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 10 Jan 2014 11:15:43 +0100 +Subject: [PATCH] Fix crash with crafted ini files. + +If the key or value is bigger than 1024 we will end up in a buffer +overflow. The overflow is caught by _FORTIFY_SOURCE, so it's definitely +DoS-only. Curiously, because of ample space in the stack frame, it does +not result in a crash without _FORTIFY_SOURCE in all cases. + +Signed-off-by: Andreas Schneider +--- + src/iniparser.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/iniparser.c b/src/iniparser.c +index 4430032..18dbbbe 100644 +--- a/src/iniparser.c ++++ b/src/iniparser.c +@@ -633,7 +633,7 @@ dictionary * iniparser_load(const char * ininame) + char line [ASCIILINESZ+1] ; + char section [ASCIILINESZ+1] ; + char key [ASCIILINESZ+1] ; +- char tmp [ASCIILINESZ+1] ; ++ char tmp [(ASCIILINESZ * 2) + 1] ; + char val [ASCIILINESZ+1] ; + + int last=0 ; +@@ -699,7 +699,7 @@ dictionary * iniparser_load(const char * ininame) + break ; + + case LINE_VALUE: +- sprintf(tmp, "%s:%s", section, key); ++ snprintf(tmp, sizeof(tmp), "%s:%s", section, key); + errs = dictionary_set(dict, tmp, val) ; + break ; + +-- +1.8.4.2 + diff --git a/SPECS/iniparser.spec b/SPECS/iniparser.spec new file mode 100644 index 0000000..9d464d8 --- /dev/null +++ b/SPECS/iniparser.spec @@ -0,0 +1,110 @@ +# Set --with test to run the Samba torture testsuite. +%bcond_with testsuite + +Name: iniparser +Version: 3.1 +Release: 5%{?dist} +Summary: C library for parsing "INI-style" files + +Group: System Environment/Libraries +License: MIT +URL: http://ndevilla.free.fr/%{name}/ +Source0: http://ndevilla.free.fr/%{name}/%{name}-%{version}.tar.gz +Patch0: iniparser-3.1-Fix-crash-with-crafted-ini-files.patch + +%description +iniParser is an ANSI C library to parse "INI-style" files, often used to +hold application configuration information. + +%package devel +Summary: Header files, libraries and development documentation for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +This package contains the header files, static libraries and development +documentation for %{name}. If you like to develop programs using %{name}, +you will need to install %{name}-devel. + +%prep +%setup -q -n %{name} +%patch0 -p1 -b .iniparser-3.1-Fix-crash-with-crafted-ini-files.patch + +%build +# remove library rpath from Makefile +sed -i 's|-Wl,-rpath -Wl,/usr/lib||g' Makefile +sed -i 's|-Wl,-rpath,/usr/lib||g' Makefile +# set the CFLAGS to Fedora standard +sed -i 's|^CFLAGS|CFLAGS = %{optflags} -fPIC\nNOCFLAGS|' Makefile +make %{?_smp_mflags} libiniparser.so + +%install +# iniParser doesn't have a 'make install' of its own :( +install -d %{buildroot}%{_includedir} %{buildroot}%{_libdir} +install -m 644 -t %{buildroot}%{_includedir}/ src/dictionary.h src/iniparser.h +install -m 755 -t %{buildroot}%{_libdir}/ libiniparser.so.0 +ln -s libiniparser.so.0 %{buildroot}%{_libdir}/libiniparser.so + +%if %{with testsuite} +%check +make +make check +./test/iniexample +./test/parse test/twisted.ini +%endif + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%doc README LICENSE +%{_libdir}/libiniparser.so.0 + +%files devel +%{_libdir}/libiniparser.so +%{_includedir}/*.h + +%changelog +* Fri Jan 24 2014 Daniel Mach - 3.1-5 +- Mass rebuild 2014-01-24 + +* Fri Jan 10 2014 - Andreas Schneider - 3.1-4 +- resolves: #1031119 - Fix possible crash with crafted ini files. + +* Fri Dec 27 2013 Daniel Mach - 3.1-3 +- Mass rebuild 2013-12-27 + +* Thu Feb 14 2013 Fedora Release Engineering - 3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Aug 10 2012 Jaromir Capik - 3.1-1 +- Update to 3.1 +- Minor spec file changes according to the latest guidelines + +* Thu Jul 19 2012 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sat Jan 14 2012 Simo Sorce - 3.0-1 +- Final 3.0 release + +* Fri Jan 13 2012 Fedora Release Engineering - 3.0-0.4.b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Feb 09 2011 Fedora Release Engineering - 3.0-0.3.b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Jul 24 2009 Fedora Release Engineering - 3.0-0.2.b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jan 26 2009 Alex Hudson - 3.0-0.1.b +- change version number to reflect "pre-release" status + +* Mon Jan 19 2009 Alex Hudson - 3.0b-3 +- ensure LICENSE file is installed + +* Wed Jan 14 2009 Alex Hudson - 3.0b-2 +- respond to review: added -fPIC to cflags, used 'install' + +* Tue Jan 13 2009 Alex Hudson - 3.0b-1 +- Initial packaging attempt