Re: upload ant
Hello Roberto C. Sánchez
On Wednesday 18 July 2018 11:17 PM, Roberto C. Sánchez wrote:
> On Wed, Jul 18, 2018 at 09:06:43PM +0530, Abhijith PA wrote:
>>
>> Made all the corrections. Thanks for the review.
>>
>>
>> --abhijith
>>
>
> Thanks! It is now uploaded.
>
> Regards,
>
> -Roberto
>
Can you upload ant again to fix TEMP-0904191-9063D5? Debdiff is
attached. I will take care of DLA.
Thanks in advance.
--abhijith
diff -Nru ant-1.9.4/debian/changelog ant-1.9.4/debian/changelog
--- ant-1.9.4/debian/changelog 2018-07-18 13:03:03.000000000 +0200
+++ ant-1.9.4/debian/changelog 2018-08-02 17:01:29.000000000 +0200
@@ -1,3 +1,12 @@
+ant (1.9.4-3+deb8u2) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS Team.
+ * Fix TEMP-0904191-9063D5: Incomplete fix for CVE-2018-10886
+ * Add NEWS.Debian file to document possibly breaking changes
+ (Closes: #904191)
+
+ -- Abhijith PA <abhijith@disroot.org> Thu, 02 Aug 2018 20:31:29 +0530
+
ant (1.9.4-3+deb8u1) jessie-security; urgency=high
* Non-maintainer upload by the Debian LTS Team
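Review bot: the "(Closes: #904191)" marker is attached to the NEWS.Debian bullet, but the patch header added further down lists bugs.debian.org/904191 as the bug for the symlink fix itself, so it belongs on the "Fix TEMP-0904191-9063D5" bullet. The same bullet would also be easier to audit later if it named the patch file (TEMP-0904191-9063D5.patch) that carries the fix.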
diff -Nru ant-1.9.4/debian/NEWS ant-1.9.4/debian/NEWS
--- ant-1.9.4/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
+++ ant-1.9.4/debian/NEWS 2018-08-02 17:01:29.000000000 +0200
@@ -0,0 +1,16 @@
+ant (1.9.4-3+deb8u2) jessie-security; urgency=high
+
+ Changes that could break older environments
+ -------------------------------------------
+ <unzip>, <unjar> and <untar> will no longer extract entries whose
+ names would make the created files be placed outside of the
+ destination directory anymore by default. A new attribute
+ allowFilesToEscapeDest can be used to override the behavior.
+ Another special case is when stripAbsolutePathSpec is false (which
+ no longer is the default) and the entry's name starts with a
+ (back)slash and allowFilesToEscapeDest hasn't been specified
+ explicitly, in this case the file may be created outside of the
+ dest directory as well.
+ In addition stripAbsolutePathSpec is now true by default.
+
+ -- Abhijith PA <abhijith@disroot.org> Thu, 02 Aug 2018 20:31:29 +0530
\ No newline at end of file
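Review bot: the NEWS entry for 1.9.4-3+deb8u2 describes allowFilesToEscapeDest and the stripAbsolutePathSpec default but does not mention what this upload actually changes, namely that the destination check now resolves symbolic links (per the patch Description below). An administrator reading NEWS.Debian after upgrade would not learn that archives which extract through a symlink pointing outside dest are now skipped; add a sentence saying so. The file also ends without a trailing newline, and "will no longer ... anymore" is redundant.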
diff -Nru ant-1.9.4/debian/patches/series ant-1.9.4/debian/patches/series
--- ant-1.9.4/debian/patches/series 2018-07-18 13:03:03.000000000 +0200
+++ ant-1.9.4/debian/patches/series 2018-08-02 17:01:29.000000000 +0200
@@ -4,3 +4,4 @@
0007-use-build.classpath.patch
0008-junit4-replace-assumeFalse.patch
CVE-2018-10886.patch
+TEMP-0904191-9063D5.patch
diff -Nru ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch
--- ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch 1970-01-01 01:00:00.000000000 +0100
+++ ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch 2018-08-02 17:01:29.000000000 +0200
@@ -0,0 +1,66 @@
+Description: TEMP-0904191-9063D5
+ Incomplete fix to CVE-2018-10886. Add another isLeadingPath method to
+ resolves symlinks. Also consider symlinks when expanding archives
+ and checking entries.
+
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/apache/ant/commit/5a8c37b271677587046bfd0fea18c1675d5a6300
+ https://github.com/apache/ant/commit/6a41d62cb9ab4e640b72cb4de42a6c211dea645d
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=62502
+Bug-Debian: https://bugs.debian.org/904191
+Last-Update: 2018-08-02
+
+--- ant-1.9.4.orig/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -317,9 +317,9 @@ public class Expand extends Task {
+ mappedNames = new String[] {entryName};
+ }
+ File f = fileUtils.resolveFile(dir, mappedNames[0]);
+- if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
+- log("skipping " + entryName + " as its target " + f + " is outside of "
+- + dir + ".", Project.MSG_VERBOSE);
++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f, true)) {
++ log("skipping " + entryName + " as its target " + f.getCanonicalPath()
++ + " is outside of " + dir.getCanonicalPath() + ".", Project.MSG_VERBOSE);
+ return;
+ }
+
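Review bot: the new condition and log call in Expand.java invoke isLeadingPath(dir, f, true), f.getCanonicalPath() and dir.getCanonicalPath(), all of which can throw IOException, and the three context lines shown do not reveal whether the enclosing method declares or handles it. Please confirm the package still builds and that a canonicalization failure aborts extraction of the entry rather than letting it fall through to file creation. The skip message is also logged only at Project.MSG_VERBOSE, so a rejected entry is invisible at the default log level; consider whether a skipped escape attempt should be more visible.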
+--- ant-1.9.4.orig/src/main/org/apache/tools/ant/util/FileUtils.java
++++ ant-1.9.4/src/main/org/apache/tools/ant/util/FileUtils.java
+@@ -1191,6 +1191,36 @@ public class FileUtils {
+ }
+
+ /**
++ * Learn whether one path "leads" another.
++ *
++ * @param leading The leading path, must not be null, must be absolute.
++ * @param path The path to check, must not be null, must be absolute.
++ * @param resolveSymlinks whether symbolic links shall be resolved
++ * prior to comparing the paths.
++ * @return true if path starts with leading; false otherwise.
++ * @since Ant 1.9.4-3+deb8u2
++ * @throws IOException if resolveSymlinks is true and invoking
++ * getCanonicaPath on either argument throws an exception
++ */
++ public boolean isLeadingPath(File leading, File path, boolean resolveSymlinks)
++ throws IOException {
++ if (!resolveSymlinks) {
++ return isLeadingPath(leading, path);
++ }
++ String l = leading.getCanonicalPath();
++ String p = path.getCanonicalPath();
++ if (l.equals(p)) {
++ return true;
++ }
++ // ensure that l ends with a /
++ // so we never think /foo was a parent directory of /foobar
++ if (!l.endsWith(File.separator)) {
++ l += File.separator;
++ }
++ return p.startsWith(l);
++ }
++
++ /**
+ * Constructs a <code>file:</code> URI that represents the
+ * external form of the given pathname.
+ *
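Review bot: the Javadoc on the new three-argument isLeadingPath has a typo in the @throws text ("getCanonicaPath" should be "getCanonicalPath"), and its "@since Ant 1.9.4-3+deb8u2" tag names a Debian revision rather than an Ant release, which will confuse anyone comparing against upstream; either drop the tag or note that it is a backport of the Origin commits. The @return line should also say that equal paths return true, since the l.equals(p) branch does that before the startsWith comparison. The separator handling before p.startsWith(l) is correct and worth keeping exactly as is.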