WebSVN - Log - Rev 32 - /trunk/debian/patches/CVE-2013-4420.patch

Rev	Age	Author	Path	Log message	Changes
32	3749d 14h	magnus	/trunk/debian/patches/	Add stdlib.h for malloc() in lib/decode.c	/trunk/debian/patches/CVE-2013-4420.patch<br/>/trunk/debian/patches/no_maxpathlen.patch<br/>/trunk/debian/patches/no_static_buffers.patch
31	3749d 14h	magnus	/trunk/debian/	[SECURITY] CVE-2013-4420.patch: When the prefix field is in use, the safer_name_suffix() function should certainly be applied to the combination of it and the name field, not just on the name field.	/trunk/debian/changelog<br/>/trunk/debian/patches/CVE-2013-4420.patch
24	3749d 16h	magnus	/trunk/debian/	[SECURITY] CVE-2013-4420.patch: Strip out leading slashes and any pathname prefix containing ".." components (Closes: #731860). This is done in th_get_pathname() (as well as to symlink targets when extracting symlinks), not merely when extracting files, which means applications calling that function will not see the stored filename. There is no way to disable this behaviour, but it can be expected that one will be provided when the issue is solved upstream.	/trunk/debian/patches/CVE-2013-4420.patch /trunk/debian/changelog<br/>/trunk/debian/patches/series

Subversion Repositories