[Arx-users] Arx-1.0pre13 SECURITY UPGRADE

[Walter Landry]

Greetings,

I have made a new release of ArX.  You can find it in the usual place.

  http://superbeast.ucsd.edu/~landry/ArX/ArX-1.0pre13.tar.gz

I have attached the release notes below.  Note that this is a security
update, so everyone is urged to upgrade.

I have completed rewriting "dopatch" in C++.  Along the way, I
discovered some security problems in dopatch.  In particular, by
carefully constructing a patch, you can write an arbitrary file
anywhere within the tree one level above the tree you are patching.
With two patches, you can add, delete, or patch any file that the user
can modify.  The problem arises because the shell version

  1) doesn't check to make sure that the paths that it gets are local
     to the project tree, and

  2) blindly follows symlinks when opening, adding, deleting, and
     patching files.

Dopatch has slightly different semantics now.  Dopatch no longer
copies new files from the patch, instead just renaming them.  This
makes patch directories unsuitable for reuse.

As a side note, dopatch seems about 2-3 times faster in C++ than in
shell.

Enjoy,
Walter


ArX-1.0pre13 2003-10-6

This is a security fix release.  The security problem affects all past
releases of ArX and larch.

The security issue arises from insecure path handling in dopatch.
Carefully constructed patches can write anywhere allowed by the user.

The C++ version in pre13 corrects those oversights, so everyone is
encouraged to upgrade.

In addition, dopatch has slightly different semantics.  It modifies
patch directories when applying them, making them unsuitable for
reuse.

Finally, I have added "naming-convention".  It allows you to view and
set the regular expressions used in the naming conventions.  In
conjunction with this, when setting the tagging method, ArX now writes
out all the regular expressions to the =tagging-method file.