Xarchiver 0.4.6 released

Christoph Wickert christoph.wickert at nurfuerspam.de
Sun Dec 10 02:21:46 CET 2006 

Giuseppe,
thanks for the quick reply, sorry for the long delay.

Am Mittwoch, den 29.11.2006, 07:53 +0100 schrieb Giuseppe Torelli: 
> On 11/29/06, Christoph Wickert <christoph.wickert at nurfuerspam.de> wrote:
> > > Also reading
> > > src/deb.c, it seems to me that the files in /tmp are not safely
> > > created, opening the possibility of a symlink in tmp attack. Maybe
> > > the manipulation should be done in a /tmp subdir. I haven't checked
> > > the other /tmp use, some look clearly right, for others there is
> > > a need to look at the code.
> 
> ??? Which attack? The .tar.gz file contained in the ar archive is
> simply extracted in /tmp and deleted when you close the archive or
> when you quit xarchiver. Are you talking about the read permission for
> group and others maybe?
> 
> > Can somebody please look at this, the code in deb.c looks a little
> > suspicious.
> 
> Please clarify this statement.

Unfortunately I can't, my programming skills are to low. I'll ask
Patrice to line out his concerns. I guess you realized that this is not
really sane, if I understand
http://bugzilla.xfce.org/show_bug.cgi?id=2616 correctly.

> > > $ ldd -u -r /usr/bin/xarchiver
> > > Unused direct dependencies:
> > >
> > >         /usr/lib/libatk-1.0.so.0
> > >         /lib/libm.so.6
> > >         /usr/lib/libpangocairo-1.0.so.0
> > >         /usr/lib/libpango-1.0.so.0
> > >         /usr/lib/libcairo.so.2
> > >         /lib/libgmodule-2.0.so.0
> > >         /lib/libdl.so.2
> 
> May someone else help me to share light on this matter? I don't know
> what to say here.

Sorry, I should have be more precise: The questionable ones are
libm.so.6 and libdl.so.2, which are provided by glibc-devel, not by the
glib-package. But this is most likely a bug in one of the *.pc files on
fedora, this is why I asked what it looks like for others.

We tested if xa also handles ar archives. .a files are detected as debs
and not as ar archives, callback.c should perhaps check for
"!<arch>\ndebian" instead of just "!<arch>\n", like libmagic does.
Patrice also found a segfault when trying to open an .a file, see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=217311#c9

While
$ xarchiver /usr/lib/libz.a 
only shows an error
$ cd /usr/lib/
$ xarchiver libz.a
segfaults 

> $ cd /usr/lib
> $ gdb /usr/bin/xarchiver 
> GNU gdb Red Hat Linux (6.5-13.fc6rh)
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
> 
> (gdb) run libz.a
> Starting program: /usr/bin/xarchiver libz.a
> [Thread debugging using libthread_db enabled]
> [New Thread -1208379184 (LWP 4718)]
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1208379184 (LWP 4718)]
> 0x4e8922ab in strlen () from /lib/libc.so.6
> (gdb) bt
> #0  0x4e8922ab in strlen () from /lib/libc.so.6
> #1  0x45a477a9 in g_strconcat () from /lib/libglib-2.0.so.0
> #2  0x0805b91d in OpenDeb (archive=0x9bc2a08) at deb.c:32
> #3  0x080580b7 in xa_open_archive (menuitem=0x0, data=0x9bb4e60) at callbacks.c:387
> #4  0x0804f78d in main (argc=Cannot access memory at address 0x1
> ) at main.c:235
> #5  0x4e83bf2c in __libc_start_main () from /lib/libc.so.6
> #6  0x0804df41 in _start ()
> (gdb) bt full
> #0  0x4e8922ab in strlen () from /lib/libc.so.6
> No symbol table info available.
> #1  0x45a477a9 in g_strconcat () from /lib/libglib-2.0.so.0
> No symbol table info available.
> #2  0x0805b91d in OpenDeb (archive=0x9bc2a08) at deb.c:32
>         archive_no_path = (gchar *) 0x1 <Address 0x1 out of bounds>
>         result = <value optimized out>
>         names = {0x9b65350 "", 0x4f56c68d "sensitive", 0x1849123 <Address 0x1849123 out of bounds>, 0x9bc2a08 "\003", 
>   0x0, 0x0, 0x4 <Address 0x4 out of bounds>}
>         types = {1079919363, 4, 1332174212, 162943824, 163270240, 3218840680, 1330821659}
> #3  0x080580b7 in xa_open_archive (menuitem=0x0, data=0x9bb4e60) at callbacks.c:387
>         path = (gchar *) 0x9bb4e60 "Luxi Sans"
>         current_page = 0
>         x = <value optimized out>
>         ext = <value optimized out>
> #4  0x0804f78d in main (argc=Cannot access memory at address 0x1
> ) at main.c:235
> No locals.
> #5  0x4e83bf2c in __libc_start_main () from /lib/libc.so.6
> No symbol table info available.
> #6  0x0804df41 in _start ()
> No symbol table info available.
> (gdb) 

Christoph

More information about the Xfce4-dev mailing list