upload ant
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi.
I've prepared security update for ant. Please review and upload.
Debdiff is attached. Maintainer has disabled tests in build. So I
manually run /testEntriesDontEscapeDestByDefault/,
/testEntriesCanEscapeDestIfRequested/ (specific to CVE-2018-10886)
tasks from [1] upstream testsuite. I will prepare the DLA once package
hit the archive.
Thanks
- --abhijith
[1] -
https://github.com/apache/ant/blob/master/src/tests/antunit/taskdefs/unz
ip-test.xml
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAltPJ9UACgkQhj1N8u2c
KO81XQ/+JgIF8gGfpqAZFB7/PW0IpwpaSb3B3+LjvJFX35O8CUzjrKf0RfMB6GuK
Dfx+aZA5LHapegUrZCPHnPn1BF1hGRSbUk/XtxQBFNdHqBbPPnZzHvRX/fVn7XCf
ZVO69RgonzJvl+VWfCpEIPQcbBBGP+F5U7IrnE6NgF2lQMZxAkgVk9DjEu8p7k+G
Hp8pdxu0yoPgzvi9YQ6PSOfBehgr2G3en7bdM2dOB74h4yT+sAznGJ9YZNmMluvC
OUn+uL1mt5umcCs+KiMYN1YBgrm6Pb7miLTsT5seXp4x0b6MVyC/+LkAkOqEgR9q
50IsKqVcKUXYJUjmJ9aIH+A/2zl3dFeRsP1u7yZQ/h2/W27lVYyje6SFM+swaU6r
Ir+gSftKGbOBZDBOp1kVTPiuuz0ejSmWfgjvsnITVWpPKPX86bF7T43DGTURUgLa
TR5EBCiwn80dwFIdKfmyorGWAa+qpGGX7ANqs1JodqPkxYIYegOIY1Gjxqy9oSA6
lIA+2fDNny0SoFcGTT8gF/6aGELV0v5lxjJX1CKJk6PIqwm/WjuQY99J06gYReBB
ef/YBpGJo/0e/+flpQ4I7lyR+SLG8WA5s2hG0FlAkmdqfOHWQBk1SDgdtDQ+WcIp
fOwTTTRZ9hqWuhldgIb4VDDOzJlqMpyYOipTTqo88LQ+ABnE4fY=
=5mNH
-----END PGP SIGNATURE-----
diff -Nru ant-1.9.4/debian/changelog ant-1.9.4/debian/changelog
--- ant-1.9.4/debian/changelog 2014-10-08 01:08:52.000000000 +0200
+++ ant-1.9.4/debian/changelog 2018-07-18 13:03:03.000000000 +0200
@@ -1,3 +1,13 @@
+ant (1.9.4-3+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2018-10886: unzip and untar targets allow the extraction of
+ files outside the target directory. A crafted zip or tar file
+ submitted to an Ant build could create or overwrite arbitrary files
+ with the privileges of the user running Ant
+
+ -- Abhijith PA <abhijith@disroot.org> Wed, 18 Jul 2018 16:33:03 +0530
+
ant (1.9.4-3) unstable; urgency=medium
* Removed the patch adding Xerces to the Ant classpath
diff -Nru ant-1.9.4/debian/patches/CVE-2018-10886.patch ant-1.9.4/debian/patches/CVE-2018-10886.patch
--- ant-1.9.4/debian/patches/CVE-2018-10886.patch 1970-01-01 01:00:00.000000000 +0100
+++ ant-1.9.4/debian/patches/CVE-2018-10886.patch 2018-07-18 13:03:03.000000000 +0200
@@ -0,0 +1,112 @@
+Description: CVE-2018-10886
+ unzip and untar targets allows the extraction of files outside the target
+ directory. A crafted zip or tar file submitted to an Ant build could create or
+ overwrite arbitrary files with the privileges of the user running Ant.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7
+ https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff
+ https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe
+ https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970
+Last-Update: 2018-07-18
+
+--- ant-1.9.4.orig/manual/Tasks/unzip.html
++++ ant-1.9.4/manual/Tasks/unzip.html
+@@ -116,7 +116,8 @@ archive.</p>
+ <td valign="top">failOnEmptyArchive</td>
+ <td valign="top">whether trying to extract an empty archive is an
+ error. <em>since Ant 1.8.0</em></td>
+- <td valign="top" align="center">No, defaults to false</td>
++ <td valign="top" align="center">No, defaults to true since 1.9.4-3+deb8u1
++ (used to defaukt to false prior to that)</td>
+ </tr>
+ <tr>
+ <td valign="top">stripAbsolutePathSpec</td>
+@@ -137,6 +138,15 @@ archive.</p>
+ zip task page</a></td>
+ <td align="center" valign="top">No, defaults to true</td>
+ </tr>
++ <tr>
++ <td valign="top">allowFilesToEscapeDest</td>
++ <td valign="top">Whether to allow the extracted file or directory
++ to be outside of the dest directory.
++ <em>since Ant 1.9.12</em></td>
++ <td valign="top" align="center">No, defaults to false unless
++ stripAbsolutePathSpec is true and the entry's name starts with a leading
++ path spec.</td>
++ </tr>
+ </table>
+ <h3>Examples</h3>
+ <pre>
+--- ant-1.9.4.orig/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -67,8 +67,9 @@ public class Expand extends Task {
+ private Union resources = new Union();
+ private boolean resourcesSpecified = false;
+ private boolean failOnEmptyArchive = false;
+- private boolean stripAbsolutePathSpec = false;
++ private boolean stripAbsolutePathSpec = true;
+ private boolean scanForUnicodeExtraFields = true;
++ private Boolean allowFilesToEscapeDest = null;
+
+ public static final String NATIVE_ENCODING = "native-encoding";
+
+@@ -240,14 +241,17 @@ public class Expand extends Task {
+ boolean isDirectory, FileNameMapper mapper)
+ throws IOException {
+
+- if (stripAbsolutePathSpec && entryName.length() > 0
++ final boolean entryNameStartsWithPathSpec = entryName.length() > 0
+ && (entryName.charAt(0) == File.separatorChar
+ || entryName.charAt(0) == '/'
+- || entryName.charAt(0) == '\\')) {
++ || entryName.charAt(0) == '\\');
++ if (stripAbsolutePathSpec && entryNameStartsWithPathSpec) {
+ log("stripped absolute path spec from " + entryName,
+ Project.MSG_VERBOSE);
+ entryName = entryName.substring(1);
+ }
++ boolean allowedOutsideOfDest = Boolean.TRUE == getAllowFilesToEscapeDest()
++ || null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec;
+
+ if (patternsets != null && patternsets.size() > 0) {
+ String name = entryName.replace('/', File.separatorChar)
+@@ -313,6 +317,12 @@ public class Expand extends Task {
+ mappedNames = new String[] {entryName};
+ }
+ File f = fileUtils.resolveFile(dir, mappedNames[0]);
++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
++ log("skipping " + entryName + " as its target " + f + " is outside of "
++ + dir + ".", Project.MSG_VERBOSE);
++ return;
++ }
++
+ try {
+ if (!overwrite && f.exists()
+ && f.lastModified() >= entryDate.getTime()) {
+@@ -508,4 +518,25 @@ public class Expand extends Task {
+ return scanForUnicodeExtraFields;
+ }
+
++ /**
++ * Whether to allow the extracted file or directory to be outside of the dest directory.
++ *
++ * @param b the flag
++ * @since Ant 1.9.4-3+deb8u1
++ */
++ public void setAllowFilesToEscapeDest(boolean b) {
++ allowFilesToEscapeDest = b;
++ }
++
++ /**
++ * Whether to allow the extracted file or directory to be outside of the dest directory.
++ *
++ * @return {@code null} if the flag hasn't been set explicitly,
++ * otherwise the value set by the user.
++ * @since Ant 1.9.4-3+deb8u1
++ */
++ public Boolean getAllowFilesToEscapeDest() {
++ return allowFilesToEscapeDest;
++ }
++
+ }
diff -Nru ant-1.9.4/debian/patches/series ant-1.9.4/debian/patches/series
--- ant-1.9.4/debian/patches/series 2014-10-07 23:35:43.000000000 +0200
+++ ant-1.9.4/debian/patches/series 2018-07-18 13:03:03.000000000 +0200
@@ -3,3 +3,4 @@
0006-fix-ANT_HOME-path.patch
0007-use-build.classpath.patch
0008-junit4-replace-assumeFalse.patch
+CVE-2018-10886.patch
Reply to: