
upload ant



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi.


I've prepared a security update for ant. Please review and upload.
The debdiff is attached. The maintainer has disabled tests in the build, so I
manually ran the /testEntriesDontEscapeDestByDefault/ and
/testEntriesCanEscapeDestIfRequested/ tasks (specific to CVE-2018-10886)
from the upstream testsuite [1]. I will prepare the DLA once the package
hits the archive.


Thanks
- --abhijith

[1] -
https://github.com/apache/ant/blob/master/src/tests/antunit/taskdefs/unzip-test.xml
-----BEGIN PGP SIGNATURE-----
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=5mNH
-----END PGP SIGNATURE-----
diff -Nru ant-1.9.4/debian/changelog ant-1.9.4/debian/changelog
--- ant-1.9.4/debian/changelog	2014-10-08 01:08:52.000000000 +0200
+++ ant-1.9.4/debian/changelog	2018-07-18 13:03:03.000000000 +0200
@@ -1,3 +1,13 @@
+ant (1.9.4-3+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Debian LTS Team.
+  * Fix CVE-2018-10886: unzip and untar targets allow the extraction of 
+    files outside the target directory. A crafted zip or tar file 
+    submitted to an Ant build could create or overwrite arbitrary files 
+    with the privileges of the user running Ant
+
+ -- Abhijith PA <abhijith@disroot.org>  Wed, 18 Jul 2018 16:33:03 +0530
+
 ant (1.9.4-3) unstable; urgency=medium
 
   * Removed the patch adding Xerces to the Ant classpath
diff -Nru ant-1.9.4/debian/patches/CVE-2018-10886.patch ant-1.9.4/debian/patches/CVE-2018-10886.patch
--- ant-1.9.4/debian/patches/CVE-2018-10886.patch	1970-01-01 01:00:00.000000000 +0100
+++ ant-1.9.4/debian/patches/CVE-2018-10886.patch	2018-07-18 13:03:03.000000000 +0200
@@ -0,0 +1,112 @@
+Description: CVE-2018-10886
+ unzip and untar targets allows the extraction of files outside the target 
+ directory. A crafted zip or tar file submitted to an Ant build could create or 
+ overwrite arbitrary files with the privileges of the user running Ant.
+ 
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7
+        https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff
+        https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe
+        https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970
+Last-Update: 2018-07-18
+
+--- ant-1.9.4.orig/manual/Tasks/unzip.html
++++ ant-1.9.4/manual/Tasks/unzip.html
+@@ -116,7 +116,8 @@ archive.</p>
+     <td valign="top">failOnEmptyArchive</td>
+     <td valign="top">whether trying to extract an empty archive is an
+       error. <em>since Ant 1.8.0</em></td>
+-    <td valign="top" align="center">No, defaults to false</td>
++    <td valign="top" align="center">No, defaults to true since 1.9.4-3+deb8u1
++      (used to defaukt to false prior to that)</td>
+   </tr>
+   <tr>
+     <td valign="top">stripAbsolutePathSpec</td>
+@@ -137,6 +138,15 @@ archive.</p>
+       zip task page</a></td>
+     <td align="center" valign="top">No, defaults to true</td>
+   </tr>
++  <tr>
++    <td valign="top">allowFilesToEscapeDest</td>
++    <td valign="top">Whether to allow the extracted file or directory
++      to be outside of the dest directory.
++      <em>since Ant 1.9.12</em></td>
++    <td valign="top" align="center">No, defaults to false unless
++    stripAbsolutePathSpec is true and the entry's name starts with a leading
++    path spec.</td>
++  </tr>
+ </table>
+ <h3>Examples</h3>
+ <pre>
+--- ant-1.9.4.orig/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -67,8 +67,9 @@ public class Expand extends Task {
+     private Union resources = new Union();
+     private boolean resourcesSpecified = false;
+     private boolean failOnEmptyArchive = false;
+-    private boolean stripAbsolutePathSpec = false;
++    private boolean stripAbsolutePathSpec = true;
+     private boolean scanForUnicodeExtraFields = true;
++    private Boolean allowFilesToEscapeDest = null;
+ 
+     public static final String NATIVE_ENCODING = "native-encoding";
+ 
+@@ -240,14 +241,17 @@ public class Expand extends Task {
+                                boolean isDirectory, FileNameMapper mapper)
+                                throws IOException {
+ 
+-        if (stripAbsolutePathSpec && entryName.length() > 0
++        final boolean entryNameStartsWithPathSpec = entryName.length() > 0
+             && (entryName.charAt(0) == File.separatorChar
+                 || entryName.charAt(0) == '/'
+-                || entryName.charAt(0) == '\\')) {
++                || entryName.charAt(0) == '\\');
++        if (stripAbsolutePathSpec && entryNameStartsWithPathSpec) {
+             log("stripped absolute path spec from " + entryName,
+                 Project.MSG_VERBOSE);
+             entryName = entryName.substring(1);
+         }
++        boolean allowedOutsideOfDest = Boolean.TRUE == getAllowFilesToEscapeDest()
++            || null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec;
+ 
+         if (patternsets != null && patternsets.size() > 0) {
+             String name = entryName.replace('/', File.separatorChar)
+@@ -313,6 +317,12 @@ public class Expand extends Task {
+             mappedNames = new String[] {entryName};
+         }
+         File f = fileUtils.resolveFile(dir, mappedNames[0]);
++        if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
++            log("skipping " + entryName + " as its target " + f + " is outside of "
++                + dir + ".", Project.MSG_VERBOSE);
++                return;
++        }
++
+         try {
+             if (!overwrite && f.exists()
+                 && f.lastModified() >= entryDate.getTime()) {
+@@ -508,4 +518,25 @@ public class Expand extends Task {
+         return scanForUnicodeExtraFields;
+     }
+ 
++    /**
++     * Whether to allow the extracted file or directory to be outside of the dest directory.
++     *
++     * @param b the flag
++     * @since Ant 1.9.4-3+deb8u1
++     */
++    public void setAllowFilesToEscapeDest(boolean b) {
++        allowFilesToEscapeDest = b;
++    }
++
++    /**
++     * Whether to allow the extracted file or directory to be outside of the dest directory.
++     *
++     * @return {@code null} if the flag hasn't been set explicitly,
++     * otherwise the value set by the user.
++     * @since Ant 1.9.4-3+deb8u1
++     */
++    public Boolean getAllowFilesToEscapeDest() {
++        return allowFilesToEscapeDest;
++    }
++
+ }
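Review bot: The manual change in the embedded unzip.html patch lands on the wrong table row: the new text `No, defaults to true since 1.9.4-3+deb8u1` replaces the default of `failOnEmptyArchive`, while Expand.java keeps `failOnEmptyArchive = false` and flips `stripAbsolutePathSpec` to `true`. The `failOnEmptyArchive` row should keep `No, defaults to false`, and the `stripAbsolutePathSpec` row (whose default cell lies outside the hunk context) should carry the new text, with `defaukt` corrected to `default`. The new `allowFilesToEscapeDest` row also says `since Ant 1.9.12` while the Javadoc on the setter and getter says `@since Ant 1.9.4-3+deb8u1`; the two should agree for this package. Separately, the skip added before the `try` is logged at `Project.MSG_VERBOSE`, so escaping entries are dropped without any message at the default log level; `Project.MSG_WARN` would make a hostile archive visible in build logs, if diverging from upstream is acceptable for the backport.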
diff -Nru ant-1.9.4/debian/patches/series ant-1.9.4/debian/patches/series
--- ant-1.9.4/debian/patches/series	2014-10-07 23:35:43.000000000 +0200
+++ ant-1.9.4/debian/patches/series	2018-07-18 13:03:03.000000000 +0200
@@ -3,3 +3,4 @@
 0006-fix-ANT_HOME-path.patch
 0007-use-build.classpath.patch
 0008-junit4-replace-assumeFalse.patch
+CVE-2018-10886.patch
