
Bug#921281: stretch-pu: package arc/5.21q-4+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

arc/5.21q-6 addressed in unstable an older directory traversal issue,
#774527 (CVE-2015-9275). Although the issue is marked as ignored in
the security-tracker, given the same base version I decided to prepare
a 5.21q-4+deb9u1 for stretch as well.

Attached is the debdiff with the same three patches added as for
5.21q-6 (yes, there is a typo in the patch name, but I just used the very
same name as for the unstable upload).

Regards,
Salvatore
diff -Nru arc-5.21q/debian/changelog arc-5.21q/debian/changelog
--- arc-5.21q/debian/changelog	2015-09-02 16:44:25.000000000 +0200
+++ arc-5.21q/debian/changelog	2019-02-03 22:39:01.000000000 +0100
@@ -1,3 +1,13 @@
+arc (5.21q-4+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix version 1 arc header reading
+  * Fix arcdie crash when called with more then 1 variable argument
+  * Fix directory traversal bugs (CVE-2015-9275)
+    Thanks to Hans de Goede <hdegoede@redhat.com> (Closes: #774527)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 03 Feb 2019 22:39:01 +0100
+
 arc (5.21q-4) unstable; urgency=medium
 
   * New maintainer. Thanks to Klaus Reimer for your work over this package.
diff -Nru arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch
--- arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch	1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch	2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,21 @@
+Fix directory traversal bugs
+
+arc archives do not contain directory hierarchies, only filenames, so refuse
+to operate on archives which have the directory-seperator inside filenames.
+
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c
+--- arc-5.21p/arcio.c~	2015-01-16 13:04:16.000000000 +0100
++++ arc-5.21p/arcio.c	2015-01-16 15:45:31.389010626 +0100
+@@ -109,6 +109,9 @@ readhdr(hdr, f)			/* read a header from
+ #if	_MTS
+ 	(void) atoe(hdr->name, strlen(hdr->name));
+ #endif
++	if (strchr(hdr->name, CUTOFF) != NULL)
++		arcdie("%s contains illegal filename %s", arcname, hdr->name);
++
+ 	for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++);
+ 	hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ 	hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
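Review bot: The added check in readhdr rejects only the single character `CUTOFF`, whose definition is outside the hunk, so on any build target that accepts more than one path separator a name using the other one would presumably still pass. Confirm this per platform; where both `/` and `\` are separators, the test could be `if (strchr(hdr->name, '/') != NULL || strchr(hdr->name, '\\') != NULL)`. The `strchr` call also relies on `hdr->name` being NUL-terminated, which is only guaranteed by the `hdr->name[FNLEN - 1] = 0;` line from arc-5.21p-hdrv1-read-fix.patch, and the two-argument `arcdie` call relies on arc-5.21p-fix-arcdie.patch. A line in the patch header stating that ordering requirement would help anyone backporting this patch on its own. readhdr starts and ends outside the hunk.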
diff -Nru arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch
--- arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch	1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch	2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,34 @@
+Fix arcdie crash when called with more then 1 variable argument
+
+Add proper vararg handling to fix crash on 64 bit machines when arcdie gets
+called with more then 1 variable argument.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c
+--- arc-5.21p/arcmisc.c~	2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p/arcmisc.c	2015-01-16 16:10:29.322603290 +0100
+@@ -4,6 +4,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <stdarg.h>
+ #include <ctype.h>
+ #include "arc.h"
+ 
+@@ -223,11 +224,13 @@ upper(string)
+ }
+ /* VARARGS1 */
+ VOID
+-arcdie(s, arg1, arg2, arg3)
+-	char           *s;
++arcdie(const char *s, ...)
+ {
++	va_list args;
+ 	fprintf(stderr, "ARC: ");
+-	fprintf(stderr, s, arg1, arg2, arg3);
++	va_start(args, s);
++	vfprintf(stderr, s, args);
++	va_end(args);
+ 	fprintf(stderr, "\n");
+ #if	UNIX
+ 	perror("UNIX");
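Review bot: The definition of `arcdie` becomes variadic here, but the patch touches only arcmisc.c, so callers in other files may still see an old-style declaration without a prototype. Calling a `...` function that way is undefined behaviour in C, even where it happens to work on common ABIs. If no prototype exists elsewhere, the shared header should declare `VOID arcdie(const char *s, ...);`. Under GCC or Clang, adding `__attribute__((format(printf, 1, 2)))` to that declaration would let the compiler check each caller's format string against its arguments, which matters because the directory-traversal patch in this debdiff passes the archive-supplied `hdr->name` as an argument. The body of arcdie continues past the end of the hunk.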
diff -Nru arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch
--- arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch	2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,70 @@
+Fix version 1 arc header reading
+
+The code for v1 hdr reading was reading the packed header directly into an
+unpacked struct.
+
+Use the same read to dummy array, then manual unpack to header struct as
+used for v2 headers for v1 headers too.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c
+--- arc-5.21p/arcio.c	2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p.new/arcio.c	2015-01-16 12:59:43.203289118 +0100
+@@ -37,6 +37,7 @@
+ #endif
+ 	char            name[FNLEN];	/* filename buffer */
+ 	int             try = 0;/* retry counter */
++	int             hdrlen;
+ 	static int      first = 1;	/* true only on first read */
+ 
+ 	if (!f)			/* if archive didn't open */
+@@ -92,23 +93,19 @@
+ 		printf("I think you need a newer version of ARC.\n");
+ 		exit(1);
+ 	}
++
+ 	/* amount to read depends on header type */
++	if (hdrver == 1) {
++		hdrlen = 23; /* old style is shorter */
++	} else {
++		hdrlen = 27;
++	}
+ 
+-	if (hdrver == 1) {	/* old style is shorter */
+-		if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1)
+-			arcdie("%s was truncated", arcname);
+-		hdrver = 2;	/* convert header to new format */
+-		hdr->length = hdr->size;	/* size is same when not
+-						 * packed */
+-	} else
+-#if	MSDOS
+-		if (fread(hdr, sizeof(struct heads), 1, f) != 1)
+-			arcdie("%s was truncated", arcname);
+-#else
+-		if (fread(dummy, 27, 1, f) != 1)
+-			arcdie("%s was truncated", arcname);
++	if (fread(dummy, hdrlen, 1, f) != 1)
++		arcdie("%s was truncated", arcname);
+ 
+ 	for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
++	hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
+ #if	_MTS
+ 	(void) atoe(hdr->name, strlen(hdr->name));
+ #endif
+@@ -116,8 +113,14 @@
+ 	hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ 	hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
+ 	hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
+-	for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
+-#endif
++
++	if (hdrver == 1) {
++		hdrver = 2;	/* convert header to new format */
++		hdr->length = hdr->size;	/* size is same when not
++						 * packed */
++	} else {
++		for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
++	}
+ 
+ 	if (hdr->date > olddate
+ 	    || (hdr->date == olddate && hdr->time > oldtime)) {
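Review bot: The packed header sizes `23` and `27` appear as bare literals next to indices such as `dummy[26-i]`, so nothing in the hunk ties the read length to the size of `dummy`. Its declaration lies outside the hunk, so confirm it holds at least 27 bytes. Named constants would make that relationship checkable, e.g. `enum { HDRLEN_V1 = 23, HDRLEN_V2 = 27 };` with `hdrlen = (hdrver == 1) ? HDRLEN_V1 : HDRLEN_V2;`. The added `hdr->name[FNLEN - 1] = 0;` is what keeps the later `strlen` call, and any other string function applied to the archive-supplied name, in bounds; its comment could say so: `/* name is archive-controlled; later string functions rely on this terminator */`. readhdr starts and ends outside the hunk.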
diff -Nru arc-5.21q/debian/patches/series arc-5.21q/debian/patches/series
--- arc-5.21q/debian/patches/series	2015-09-01 22:55:39.000000000 +0200
+++ arc-5.21q/debian/patches/series	2019-02-03 22:39:01.000000000 +0100
@@ -2,3 +2,6 @@
 spelling
 manpage-section-fix
 fix-gcc-warnings
+arc-5.21p-hdrv1-read-fix.patch
+arc-5.21p-fix-arcdie.patch
+arc-5.21p-directory-traversel.patch
