
Bug#776149: unblock: pigz/2.3.1-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package apt-cacher-ng

There is a small security problem in the current pigz version in Testing.
It is only exposed when very specific options are used, but it is easily
exploitable in specific scenarios, so it should be fixed in Jessie. See
CVE-2015-1191 and #774978 for details. The patches are extracted from
upstream SCM with a minor modification.

debdiff:

File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.3.1-1-] {+2.3.1-2+}

pigz_2.3.1-1_to_2.3.1-2.diff:

diff --git a/debian/changelog b/debian/changelog
index 0a7f362..92685bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pigz (2.3.1-2) unstable; urgency=high
+
+  * Patch(es) from upstream's SCM to solve handling of target file names with
+    the -N option (CVE-2015-1191, closes: #774978)
+
+ -- Eduard Bloch <blade@debian.org>  Sun, 18 Jan 2015 23:58:51 +0100
+
 pigz (2.3.1-1) unstable; urgency=medium
 
   * New upstream version 2.3.1
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..6d51cba
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,4 @@
+[DEFAULT]
+debian-branch = debian/sid
+upstream-branch = upstream/sid
+
diff --git a/debian/patches/0001-Simplify-justname.patch b/debian/patches/0001-Simplify-justname.patch
new file mode 100644
index 0000000..125ac9f
--- /dev/null
+++ b/debian/patches/0001-Simplify-justname.patch
@@ -0,0 +1,33 @@
+From 34199bdccd2784638a6442b1724edb5f72b4ac02 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Sun, 11 Jan 2015 18:46:03 -0800
+Subject: [PATCH 1/2] Simplify justname().
+
+This uses strrchr() instead of a manual search, and avoids an
+illegal pointer calculation for purists (one less than the start
+of the buffer).
+---
+ pigz.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/pigz.c b/pigz.c
+index cc8aaae..1b1d89a 100644
+--- a/pigz.c
++++ b/pigz.c
+@@ -3231,11 +3231,8 @@ local char *justname(char *path)
+ {
+     char *p;
+ 
+-    p = path + strlen(path);
+-    while (--p >= path)
+-        if (*p == '/')
+-            break;
+-    return p + 1;
++    p = strrchr(path, '/');
++    return p == NULL ? path : p + 1;
+ }
+ 
+ /* Copy file attributes, from -> to, as best we can.  This is best effort, so
+-- 
+2.1.4
+
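Review bot: justname() still returns an empty string when path ends in '/', as the removed loop did, and nothing in the hunk documents that. This matters because the second patch in this series passes it the gzip header name, which comes from the archive rather than the user. I would put a comment above the function such as `/* Return a pointer into path just past the last '/', or path itself if there is none; the result is "" when path ends in '/'. */`. The function's existing header comment lies outside the hunk, so it may already cover part of this.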
diff --git a/debian/patches/0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch b/debian/patches/0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch
new file mode 100644
index 0000000..84a3277
--- /dev/null
+++ b/debian/patches/0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch
@@ -0,0 +1,77 @@
+From b70cdfcdce9a27d72cbd739d704f2d1b51bd54c3 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Sun, 11 Jan 2015 20:21:24 -0800
+Subject: [PATCH 2/2] When decompressing with -N or -NT, strip any path from
+ header name.
+
+This uses the path of the compressed file combined with the name
+from the header as the name of the decompressed output file.  Any
+path information in the header name is stripped.  This avoids a
+possible vulnerability where absolute or descending paths are put
+in the gzip header.
+
+Conflicts:
+	pigz.c
+
+(EB: trivial merge at "/* replace .tgz with .tar when decoding */")
+---
+ pigz.c | 37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/pigz.c b/pigz.c
+index 1b1d89a..68bdf7a 100644
+--- a/pigz.c
++++ b/pigz.c
+@@ -3499,26 +3499,35 @@ local void process(char *path)
+                  " (use -f to force)");
+     }
+     else {
+-        char *to, *repl;
+-
+-        /* use header name for output when decompressing with -N */
+-        to = g.inf;
+-        if (g.decode && (g.headis & 1) != 0 && g.hname != NULL) {
+-            to = g.hname;
+-            len = strlen(g.hname);
++        char *to = g.inf, *sufx = "";
++        size_t pre = 0;
++
++        /* select parts of the output file name */
++        if (g.decode) {
++            /* for -dN or -dNT, use the path from the input file and the name
++               from the header, stripping any path in the header name */
++            if ((g.headis & 1) != 0 && g.hname != NULL) {
++                pre = justname(g.inf) - g.inf;
++                to = justname(g.hname);
++                len = strlen(to);
++            }
++            /* for -d or -dNn, replace abbreviated suffixes */
++            else if (strcmp(to + len, ".tgz") == 0)
++                sufx = ".tar";
+         }
+-
+-        /* replace .tgx with .tar when decoding */
+-        repl = g.decode && strcmp(to + len, ".tgz") ? "" : ".tar";
++        else
++            /* add appropriate suffix when compressing */
++            sufx = g.sufx;
+ 
+         /* create output file and open to write */
+-        g.outf = MALLOC(len + (g.decode ? strlen(repl) : strlen(g.sufx)) + 1);
++        g.outf = MALLOC(pre + len + strlen(sufx) + 1);
+         if (g.outf == NULL)
+             bail("not enough memory", "");
+-        memcpy(g.outf, to, len);
+-        strcpy(g.outf + len, g.decode ? repl : g.sufx);
++        memcpy(g.outf, g.inf, pre);
++        memcpy(g.outf + pre, to, len);
++        strcpy(g.outf + pre + len, sufx);
+         g.outd = open(g.outf, O_CREAT | O_TRUNC | O_WRONLY |
+-                             (g.force ? 0 : O_EXCL), 0600);
++                              (g.force ? 0 : O_EXCL), 0600);
+ 
+         /* if exists and not -f, give user a chance to overwrite */
+         if (g.outd < 0 && errno == EEXIST && isatty(0) && g.verbosity) {
+-- 
+2.1.4
+
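Review bot: The -dN branch uses whatever justname(g.hname) returns, so a header name that is empty or ends in '/' gives len 0 and g.outf becomes only the input file's directory prefix, which open() will presumably reject with a misleading error. Falling back to the name derived from the input file looks safer: `if ((g.headis & 1) != 0 && g.hname != NULL && *justname(g.hname) != '\0') {`. Separately, the stripped name is still chosen by the archive, and with -f the open() call drops O_EXCL, so an existing file in the input's directory can apparently be truncated under a name the header picks; a comment at the open() call stating this residual trust in the header would help. process() begins and ends outside the hunk, so how len is set before this block is not visible here.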
diff --git a/debian/patches/series b/debian/patches/series
index 2ed71ed..2d73e56 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 no_path_max
+0001-Simplify-justname.patch
+0002-When-decompressing-with-N-or-NT-strip-any-path-from-.patch


-- 
<cite> TCW: Gesoffen. Gekotzt. Ger00ted.

