Re: Wheezy update of apt-cacher?
On Sat, Mar 25, 2017 at 10:24:54PM +0100, Ola Lundqvist wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of apt-cacher:
> https://bugs.debian.org/858739 (no CVE yet)
>
> Would you like to take care of this yourself?
I am happy to have a go!
I have backported the fix from #858739 to 1.7.10.
The sources of 1.7.10+deb7u1 are available from
http://hindley.org.uk/~mark/debian
I would be grateful if you could review and upload to wheezy LTS if you are
happy.
Debdiff:
Changes at debian/1.7.10
Modified apt-cacher
diff --git a/apt-cacher b/apt-cacher
index 668b2d8..5bde2e7 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -2093,8 +2093,8 @@ sub get_request {
$request->protocol($3||'HTTP/1.0');
clean_uri($request->uri);
- if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../
- sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri));
+ if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines
+ sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri));
return 1; # next REQUEST
}
return $request if $mode && $mode eq 'cgi'; # Not going to get anything else
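Review bot: the new pattern in the `$request->uri =~ ...` test matches only the percent-encoded forms `%0a`/`%0d`, and it runs after `clean_uri($request->uri)`, whose behaviour is not visible in this hunk. If clean_uri or any earlier step unescapes the URI, a decoded CR or LF would pass this check, so consider also rejecting literal `[\r\n]` in the same pattern. Separately, the 403 reason phrase still concatenates `$request->uri` into the status line on the very path that handles splitting attempts; a fixed reason phrase without the URI would be safer, or confirm that sendrsp never decodes it before writing the response.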
Modified debian/changelog
diff --git a/debian/changelog b/debian/changelog
index 43310cd..fdd92ad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt-cacher (1.7.10+deb7u1) wheezy-security; urgency=medium
+
+ * Prevent HTTP response splitting with encoded newlines in
+ request. Backport of fix for #858739.
+
+ -- Mark Hindley <mark@hindley.org.uk> Sun, 26 Mar 2017 18:25:21 +0100
+
apt-cacher (1.7.10) unstable; urgency=low
* Internally store http_proxy as URI object which can include
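Review bot: the new changelog entry identifies the fix only by bug number (#858739) and names no CVE, which matches the "no CVE yet" in the request mail; if an identifier is assigned before upload, add it to this entry so the wheezy-security upload can be matched to the advisory. The description says "encoded newlines" while the code change rejects both `%0a` and `%0d`, so "encoded CR/LF" would describe it more precisely.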
Many thanks,
Mark