Bug#921281: stretch-pu: package arc/5.21q-4+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
arc/5.21q-6 adressed in unstable an older directory traversal issue,
#774527 (CVE-2015-9275). Although the issue is marked as ignored in
the security-tracker, given the same base version I decided to prepare
as well a 5.21q-4+deb9u1 for stretch.
Attached is the debdiff with the same three patches addes as for
5.21q-6 (yes there is typo in the patch name, but I just used the very
same as for the unstable upload).
Regards,
Salvatore
diff -Nru arc-5.21q/debian/changelog arc-5.21q/debian/changelog
--- arc-5.21q/debian/changelog 2015-09-02 16:44:25.000000000 +0200
+++ arc-5.21q/debian/changelog 2019-02-03 22:39:01.000000000 +0100
@@ -1,3 +1,13 @@
+arc (5.21q-4+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix version 1 arc header reading
+ * Fix arcdie crash when called with more then 1 variable argument
+ * Fix directory traversal bugs (CVE-2015-9275)
+ Thanks to Hans de Goede <hdegoede@redhat.com> (Closes: #774527)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 03 Feb 2019 22:39:01 +0100
+
arc (5.21q-4) unstable; urgency=medium
* New maintainer. Thanks to Klaus Reimer for your work over this package.
diff -Nru arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch
--- arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch 1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch 2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,21 @@
+Fix directory traversal bugs
+
+arc archives do not contain directory hierarchies, only filenames, so refuse
+to operate on archives which have the directory-seperator inside filenames.
+
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c
+--- arc-5.21p/arcio.c~ 2015-01-16 13:04:16.000000000 +0100
++++ arc-5.21p/arcio.c 2015-01-16 15:45:31.389010626 +0100
+@@ -109,6 +109,9 @@ readhdr(hdr, f) /* read a header from
+ #if _MTS
+ (void) atoe(hdr->name, strlen(hdr->name));
+ #endif
++ if (strchr(hdr->name, CUTOFF) != NULL)
++ arcdie("%s contains illegal filename %s", arcname, hdr->name);
++
+ for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++);
+ hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
diff -Nru arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch
--- arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch 1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch 2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,34 @@
+Fix arcdie crash when called with more then 1 variable argument
+
+Add proper vararg handling to fix crash on 64 bit machines when arcdie gets
+called with more then 1 variable argument.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c
+--- arc-5.21p/arcmisc.c~ 2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p/arcmisc.c 2015-01-16 16:10:29.322603290 +0100
+@@ -4,6 +4,7 @@
+ */
+
+ #include <stdio.h>
++#include <stdarg.h>
+ #include <ctype.h>
+ #include "arc.h"
+
+@@ -223,11 +224,13 @@ upper(string)
+ }
+ /* VARARGS1 */
+ VOID
+-arcdie(s, arg1, arg2, arg3)
+- char *s;
++arcdie(const char *s, ...)
+ {
++ va_list args;
+ fprintf(stderr, "ARC: ");
+- fprintf(stderr, s, arg1, arg2, arg3);
++ va_start(args, s);
++ vfprintf(stderr, s, args);
++ va_end(args);
+ fprintf(stderr, "\n");
+ #if UNIX
+ perror("UNIX");
diff -Nru arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch
--- arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch 2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,70 @@
+Fix version 1 arc header reading
+
+The code for v1 hdr reading was reading the packed header directly into an
+unpacked struct.
+
+Use the same read to dummy array, then manual unpack to header struct as
+used for v2 headers for v1 headers too.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c
+--- arc-5.21p/arcio.c 2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p.new/arcio.c 2015-01-16 12:59:43.203289118 +0100
+@@ -37,6 +37,7 @@
+ #endif
+ char name[FNLEN]; /* filename buffer */
+ int try = 0;/* retry counter */
++ int hdrlen;
+ static int first = 1; /* true only on first read */
+
+ if (!f) /* if archive didn't open */
+@@ -92,23 +93,19 @@
+ printf("I think you need a newer version of ARC.\n");
+ exit(1);
+ }
++
+ /* amount to read depends on header type */
++ if (hdrver == 1) {
++ hdrlen = 23; /* old style is shorter */
++ } else {
++ hdrlen = 27;
++ }
+
+- if (hdrver == 1) { /* old style is shorter */
+- if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1)
+- arcdie("%s was truncated", arcname);
+- hdrver = 2; /* convert header to new format */
+- hdr->length = hdr->size; /* size is same when not
+- * packed */
+- } else
+-#if MSDOS
+- if (fread(hdr, sizeof(struct heads), 1, f) != 1)
+- arcdie("%s was truncated", arcname);
+-#else
+- if (fread(dummy, 27, 1, f) != 1)
+- arcdie("%s was truncated", arcname);
++ if (fread(dummy, hdrlen, 1, f) != 1)
++ arcdie("%s was truncated", arcname);
+
+ for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
++ hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
+ #if _MTS
+ (void) atoe(hdr->name, strlen(hdr->name));
+ #endif
+@@ -116,8 +113,14 @@
+ hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
+ hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
+- for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
+-#endif
++
++ if (hdrver == 1) {
++ hdrver = 2; /* convert header to new format */
++ hdr->length = hdr->size; /* size is same when not
++ * packed */
++ } else {
++ for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
++ }
+
+ if (hdr->date > olddate
+ || (hdr->date == olddate && hdr->time > oldtime)) {
diff -Nru arc-5.21q/debian/patches/series arc-5.21q/debian/patches/series
--- arc-5.21q/debian/patches/series 2015-09-01 22:55:39.000000000 +0200
+++ arc-5.21q/debian/patches/series 2019-02-03 22:39:01.000000000 +0100
@@ -2,3 +2,6 @@
spelling
manpage-section-fix
fix-gcc-warnings
+arc-5.21p-hdrv1-read-fix.patch
+arc-5.21p-fix-arcdie.patch
+arc-5.21p-directory-traversel.patch
Reply to: