author Patrick J Volkerding <volkerdi@slackware.com>2011-04-25 13:37:00 +0000
committer Eric Hameleers <alien@slackware.com>2018-05-31 22:45:18 +0200
commit75a4a592e5ccda30715f93563d741b83e0dcf39e (patch)
tree502f745607e77a2c4386ad38d818ddcafe81489c /source/xap/rdesktop/rdesktop.CVE-2011-1595.diff
parentb76270bf9e6dd375e495fec92140a79a79415d27 (diff)
Slackware 13.37slackware-13.37
Mon Apr 25 13:37:00 UTC 2011 Slackware 13.37 x86_64 stable is released! Thanks to everyone who pitched in on this release: the Slackware team, the folks producing upstream code, and linuxquestions.org for providing a great forum for collaboration and testing. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. As always, thanks to the Slackware community for testing, suggestions, and feedback. :-) Have fun!
Diffstat (limited to 'source/xap/rdesktop/rdesktop.CVE-2011-1595.diff')
-rw-r--r--source/xap/rdesktop/rdesktop.CVE-2011-1595.diff22
1 files changed, 22 insertions, 0 deletions
diff --git a/source/xap/rdesktop/rdesktop.CVE-2011-1595.diff b/source/xap/rdesktop/rdesktop.CVE-2011-1595.diff
new file mode 100644
index 000000000..0db8c3bc2
--- /dev/null
+++ b/source/xap/rdesktop/rdesktop.CVE-2011-1595.diff
@@ -0,0 +1,22 @@
+--- ./disk.c.orig 2008-02-15 18:13:25.000000000 -0600
++++ ./disk.c 2011-04-20 20:27:55.978000772 -0500
+@@ -356,6 +356,19 @@
+ filename[strlen(filename) - 1] = 0;
+ sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);
+
++ /* Protect against mailicous servers:
++ somelongpath/.. not allowed
++ somelongpath/../b not allowed
++ somelongpath/..b in principle ok, but currently not allowed
++ somelongpath/b.. ok
++ somelongpath/b..b ok
++ somelongpath/b../c ok
++ */
++ if (strstr(path, "/.."))
++ {
++ return RD_STATUS_ACCESS_DENIED;
++ }
++
+ switch (create_disposition)
+ {
+ case CREATE_ALWAYS:
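Review bot: The added `strstr(path, "/..")` test runs on the joined `path` rather than on the server-supplied `filename` alone, so a share whose configured `local_path` itself contains `/..` would get RD_STATUS_ACCESS_DENIED for every create request; the comment block should state that, e.g. `local_path must not itself contain "/..", or every open is refused`. The test is purely lexical, so it does not cover a symlink inside the exported directory that resolves outside it; if that is in scope, the resolved path has to be compared against `local_path` instead of matching a substring. The `sprintf(path, "%s%s", ...)` on the context line above still writes the server-supplied name before this validation and without a bound; `path` is declared outside the hunk, so its size cannot be confirmed here, but if it is a fixed array then `snprintf(path, sizeof(path), "%s%s", ...)` with a truncation check would be the safer form. The comment also misspells "malicious" as "mailicous". The enclosing function starts and ends outside the hunk, so other uses of `path` were not reviewed.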