bug #641069 - tnef plugin vulnerabilities

Resolves directory traversal and buffer overflow vulnerabilities.

bug #641069 - tnef plugin vulnerabilities
Resolves directory traversal and buffer overflow vulnerabilities.
a9fb511c · Punit Jain · c122f88a · a9fb511c
Commit a9fb511c authored Feb 01, 2011 by Punit Jain
--- a/plugins/tnef-attachments/tnef-plugin.c
+++ b/plugins/tnef-attachments/tnef-plugin.c
@@ -25,6 +25,7 @@

 /* We include gi18n-lib.h so that we have strings translated directly for this package */
 #include <glib/gi18n-lib.h>
+#include <glib/gprintf.h>
 #include <string.h>
 #include <stdio.h>

@@ -67,6 +68,19 @@ guchar getRruleCount (guchar a, guchar b);
 guchar getRruleMonthNum (guchar a, guchar b);
 gchar * getRruleDayname (guchar a);

+static gchar* 
+sanitize_filename (const gchar *filename)
+{
+	gchar * sanitized_name;
+	sanitized_name = g_path_get_basename (filename);
+	if (sanitized_name == NULL || !g_strcmp0 (sanitized_name, ".")) {
+		g_free (sanitized_name);
+		return NULL;
+	} else {
+		return g_strdelimit (sanitized_name, " ", '_');
+	}
+}
+
 void
 org_gnome_format_tnef (gpointer ep, EMFormatHookTarget *t)
 {
@@ -216,8 +230,9 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
    Attachment *p;
    gint RealAttachment;
    gint object;
-    gchar ifilename[256];
-    gint i, count;
+    gchar *ifilename = NULL;
+    gchar *absfilename, *file;
+    gint count;
    gint foundCal=0;

    FILE *fptr;
@@ -255,10 +270,13 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
                    != MAPI_UNDEFINED) {
                variableLength buf;
                if ((buf.data = (gchar *) DecompressRTF (filename, &buf.size)) != NULL) {
-                    sprintf(ifilename, "%s/%s.rtf", tmpdir, tnef->subject.data);
-                    for (i=0; i<strlen (ifilename); i++)
-                        if (ifilename[i] == ' ')
-                            ifilename[i] = '_';
+                    file = sanitize_filename (tnef->subject.data);
+		    if (!file)
+			    return;
+                    absfilename = g_strconcat (file, ".rtf", NULL);
+                    ifilename = g_build_filename (tmpdir, file, NULL);
+		    g_free (absfilename);
+		    g_free (file);

                    if ((fptr = fopen(ifilename, "wb"))==NULL) {
                        printf("ERROR: Error writing file to disk!");
@@ -347,13 +365,14 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
                }
                if (filename->size == 1) {
                    filename->size = 20;
-                    sprintf(tmpname, "file_%03i.dat", count);
+                    g_sprintf(tmpname, "file_%03i.dat", count);
                    filename->data = tmpname;
                }
-                sprintf(ifilename, "%s/%s", tmpdir, filename->data);
-                for (i=0; i<strlen (ifilename); i++)
-                    if (ifilename[i] == ' ')
-                        ifilename[i] = '_';
+                absfilename = sanitize_filename (filename->data);
+		if (!absfilename)
+		    return;
+		ifilename = g_build_filename (tmpdir, absfilename, NULL);
+                g_free (absfilename);

 		if ((fptr = fopen(ifilename, "wb"))==NULL) {
 		    printf("ERROR: Error writing file to disk!");
@@ -375,33 +394,43 @@ void processTnef (TNEFStruct *tnef, const gchar *tmpdir) {
        } /* if size>0 */
        p=p->next;
    } /* while p!= null */
+    g_free (ifilename);
 }

 void saveVCard (TNEFStruct *tnef, const gchar *tmpdir) {
-    gchar ifilename[512];
+    gchar *ifilename;
+    gchar *absfilename, *file=NULL;
    FILE *fptr;
    variableLength *vl;
    variableLength *pobox, *street, *city, *state, *zip, *country;
    dtr thedate;
-    gint boolean, i;
+    gint boolean;

    if ((vl = MAPIFindProperty (&(tnef->MapiProperties), PROP_TAG (PT_STRING8, PR_DISPLAY_NAME))) == MAPI_UNDEFINED) {
        if ((vl=MAPIFindProperty (&(tnef->MapiProperties), PROP_TAG (PT_STRING8, PR_COMPANY_NAME))) == MAPI_UNDEFINED) {
            if (tnef->subject.size > 0) {
-                sprintf(ifilename, "%s/%s.vcard", tmpdir, tnef->subject.data);
-            } else {
-                sprintf(ifilename, "%s/unknown.vcard", tmpdir);
-            }
-        } else {
-            sprintf(ifilename, "%s/%s.vcard", tmpdir, vl->data);
+    	       file = sanitize_filename (tnef->subject.data);
+		if (!file)
+		    return;
+		absfilename = g_strconcat (file, ".vcard", NULL);
+            } else
+                absfilename = g_strdup ("unknown.vcard");       
+     } else {
+            file = sanitize_filename (vl->data);
+	    if (!file)
+		return;
+	    absfilename = g_strconcat (file, ".vcard", NULL);
        }
    } else {
-        sprintf(ifilename, "%s/%s.vcard", tmpdir, vl->data);
+        file = sanitize_filename (vl->data);
+	if (!file)
+	    return;
+	absfilename = g_strconcat (file, ".vcard", NULL);
    }
-    for (i=0; i<strlen (ifilename); i++)
-        if (ifilename[i] == ' ')
-            ifilename[i] = '_';
-    printf("%s\n", ifilename);
+
+    ifilename = g_build_filename (tmpdir, absfilename, NULL);
+    g_free (file);
+    g_free (absfilename);

    if ((fptr = fopen(ifilename, "wb"))==NULL) {
            printf("Error writing file to disk!");
@@ -657,6 +686,7 @@ void saveVCard (TNEFStruct *tnef, const gchar *tmpdir) {
        fprintf(fptr, "END:VCARD\n");
        fclose (fptr);
    }
+    g_free (ifilename);
 }

 guchar getRruleCount (guchar a, guchar b) {
@@ -842,7 +872,7 @@ void printRrule (FILE *fptr, gchar *recur_data, gint size, TNEFStruct *tnef)
 }

 void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
-    gchar ifilename[256];
+    gchar *ifilename;
    variableLength *filename;
    gchar *charptr, *charptr2;
    FILE *fptr;
@@ -851,7 +881,7 @@ void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
    DWORD dword_val;
    dtr thedate;

-    sprintf(ifilename, "%s/calendar.ics", tmpdir);
+    ifilename = g_build_filename (tmpdir, "calendar.vcf", NULL);
    printf("%s\n", ifilename);

    if ((fptr = fopen(ifilename, "wb"))==NULL) {
@@ -1088,13 +1118,15 @@ void saveVCalendar (TNEFStruct *tnef, const gchar *tmpdir) {
        fprintf(fptr, "END:VCALENDAR\n");
        fclose (fptr);
    }
+    g_free (ifilename);
 }

 void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
    variableLength *vl;
    variableLength *filename;
-    gint index,i;
-    gchar ifilename[256];
+    gint index;
+    gchar *ifilename;
+    gchar *absfilename, *file; 
    gchar *charptr, *charptr2;
    dtr thedate;
    FILE *fptr;
@@ -1111,10 +1143,14 @@ void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
    while (vl->data[index] == ' ')
            vl->data[index--] = 0;

-    sprintf(ifilename, "%s/%s.ics", tmpdir, vl->data);
-    for (i=0; i<strlen (ifilename); i++)
-        if (ifilename[i] == ' ')
-            ifilename[i] = '_';
+    file = sanitize_filename (vl->data);
+    if (!file)
+	return;
+    absfilename = g_strconcat (file, ".vcf", NULL);
+    ifilename = g_build_filename (tmpdir, absfilename, NULL);
+    g_free (file);
+    g_free (absfilename);
+
    printf("%s\n", ifilename);

    if ((fptr = fopen(ifilename, "wb"))==NULL) {
@@ -1210,7 +1246,7 @@ void saveVTask (TNEFStruct *tnef, const gchar *tmpdir) {
        fprintf(fptr, "END:VCALENDAR\n");
        fclose (fptr);
    }
-
+    g_free (ifilename);
 }

 void fprintProperty (TNEFStruct *tnef, FILE *fptr, DWORD proptype, DWORD propid, const gchar text[]) {