
Bug#780297: marked as done (unblock: cpio/2.11+dfsg-4.1)



Your message dated Wed, 11 Mar 2015 21:56:03 +0100
with message-id <5500ABE3.5000804@thykier.net>
and subject line Re: Bug#780297: unblock: cpio/2.11+dfsg-4.1
has caused the Debian Bug report #780297,
regarding unblock: cpio/2.11+dfsg-4.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780297: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780297
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package cpio. It fixes CVE-2015-1197.

unblock cpio/2.11+dfsg-4.1

debdiff:

diff -Nru cpio-2.11+dfsg/debian/changelog cpio-2.11+dfsg/debian/changelog
--- cpio-2.11+dfsg/debian/changelog	2014-12-22 12:42:30.000000000 +0100
+++ cpio-2.11+dfsg/debian/changelog	2015-03-05 11:47:10.000000000 +0100
@@ -1,3 +1,12 @@
+cpio (2.11+dfsg-4.1) unstable; urgency=medium
+
+  * Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
+    Upstream is dormant or no longer existing. To restore the old
+    behaviour use --extract-over-symlinks (Closes: #774669)
+    This issue has been discovered by Alexander Cherepanov.
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Thu, 05 Mar 2015 11:44:25 +0100
+
 cpio (2.11+dfsg-4) unstable; urgency=high
 
   [ Michael Gilbert <mgilbert@debian.org> ]
diff -Nru cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch
--- cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch	1970-01-01 01:00:00.000000000 +0100
+++ cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch	2015-03-05 11:50:52.000000000 +0100
@@ -0,0 +1,150 @@
+Description: CVE-2015-1197
+ Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
+ Upstream is dormant or no longer existing. To restore the old
+ behaviour use --extract-over-symlinks (Closes: #774669)
+ This issue has been discovered by Alexander Cherepanov.
+Author: Vitezslav Cizek <vcizek@suse.cz>
+Bug-Debian: https://bugs.debian.org/774669
+
+--- cpio-2.11+dfsg.orig/doc/cpio.1
++++ cpio-2.11+dfsg/doc/cpio.1
+@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+ [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
++[\-\-extract\-over\-symlinks]
+ [\-\-help] [\-\-version] [pattern...] [< archive]
+ 
+ .B cpio
+--- cpio-2.11+dfsg.orig/src/copyin.c
++++ cpio-2.11+dfsg/src/copyin.c
+@@ -700,6 +700,51 @@ copyin_link (struct cpio_file_stat *file
+   free (link_name);
+ }
+ 
++
++static int
++path_contains_symlink(char *path)
++{
++  struct stat st;
++  char *slash;
++  char *nextslash;
++
++  /* we got NULL pointer or empty string */
++  if (!path || !*path) {
++    return false;
++  }
++
++  slash = path;
++
++  while ((nextslash = strchr(slash + 1, '/')) != NULL) {
++    slash = nextslash;
++    *slash = '\0';
++
++    if (lstat(path, &st) != 0) {
++      if (errno == ELOOP) {
++        /* ELOOP - too many symlinks */
++        *slash = '/';
++        return true;
++      } else if (errno == ENOMEM) {
++        /* No memory for lstat - terminate */
++        xalloc_die();
++      } else {
++        /* cannot lstat path - give up */
++        *slash = '/';
++        return false;
++      }
++    }
++
++    if (S_ISLNK(st.st_mode)) {
++      *slash = '/';
++      return true;
++    }
++
++    *slash = '/';
++  }
++
++  return false;
++}
++
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+@@ -1471,6 +1516,23 @@ process_copy_in ()
+ 	{
+ 	  /* Copy the input file into the directory structure.  */
+ 
++          /* Can we write files over symlinks? */
++          if (!extract_over_symlinks)
++            {
++              if (path_contains_symlink(file_hdr.c_name))
++                {
++                  /* skip the file */
++                  /*
++                  fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
++                  tape_toss_input (in_file_des, file_hdr.c_filesize);
++                  tape_skip_padding (in_file_des, file_hdr.c_filesize);
++                  continue;
++                  */
++                  /* terminate */
++	          error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
++                }
++            }
++
+ 	  /* Do we need to rename the file? */
+ 	  if (rename_flag || rename_batch_file)
+ 	    {
+--- cpio-2.11+dfsg.orig/src/extern.h
++++ cpio-2.11+dfsg/src/extern.h
+@@ -95,6 +95,7 @@ extern char input_is_special;
+ extern char output_is_special;
+ extern char input_is_seekable;
+ extern char output_is_seekable;
++extern bool extract_over_symlinks;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+ 
+--- cpio-2.11+dfsg.orig/src/global.c
++++ cpio-2.11+dfsg/src/global.c
+@@ -187,6 +187,9 @@ bool to_stdout_option = false;
+ /* The name this program was run with.  */
+ char *program_name;
+ 
++/* Extract files over symbolic links */
++bool extract_over_symlinks;
++
+ /* A pointer to either lstat or stat, depending on whether
+    dereferencing of symlinks is done for input files.  */
+ int (*xstat) ();
+--- cpio-2.11+dfsg.orig/src/main.c
++++ cpio-2.11+dfsg/src/main.c
+@@ -57,7 +57,8 @@ enum cpio_options {
+   FORCE_LOCAL_OPTION,            
+   DEBUG_OPTION,                  
+   BLOCK_SIZE_OPTION,             
+-  TO_STDOUT_OPTION
++  TO_STDOUT_OPTION,
++  EXTRACT_OVER_SYMLINKS
+ };
+ 
+ const char *program_authors[] =
+@@ -222,6 +223,8 @@ static struct argp_option options[] = {
+    N_("Create leading directories where needed"), GRID+1 },
+   {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
+    N_("Do not change the ownership of the files"), GRID+1 },
++  {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
++   N_("Force writing over symbolic links"), GRID+1 },
+   {"unconditional", 'u', NULL, 0,
+    N_("Replace all files unconditionally"), GRID+1 },
+   {"sparse", SPARSE_OPTION, NULL, 0,
+@@ -412,6 +415,10 @@ crc newc odc bin ustar tar (all-caps als
+       no_chown_flag = true;
+       break;
+ 
++    case EXTRACT_OVER_SYMLINKS:		        /* --extract-over-symlinks */
++      extract_over_symlinks = true;
++      break;
++
+     case 'o':		/* Copy-out mode.  */
+       if (copy_function != 0)
+ 	error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
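Review bot: The symlink check added to process_copy_in runs on `file_hdr.c_name` before the "Do we need to rename the file?" step that follows it, so when `rename_flag` or `rename_batch_file` is set the path finally written may not be the one that was checked; moving the `if (!extract_over_symlinks)` block below the rename handling would close that gap (process_copy_in continues outside the hunk, so confirm this against the full function). `path_contains_symlink` is also a separate lstat() walk ahead of the later open, so it holds only if nothing else modifies the destination tree in between, and it returns false for every lstat error other than ELOOP and ENOMEM; a comment above the function such as `/* Advisory check: not atomic with the later open; lstat errors other than ELOOP count as "no symlink". */` would make that limit explicit. Because the walk inspects the destination filesystem, a symlinked parent directory that already existed before extraction also reaches `error (1, 0, ...)` and ends the whole run, which deserves a sentence in the cpio.1 option description, where the patch only touches the synopsis. The commented-out skip-and-continue variant should either be removed or become the chosen behaviour.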
diff -Nru cpio-2.11+dfsg/debian/patches/series cpio-2.11+dfsg/debian/patches/series
--- cpio-2.11+dfsg/debian/patches/series	2014-12-22 12:28:38.000000000 +0100
+++ cpio-2.11+dfsg/debian/patches/series	2015-03-05 11:49:50.000000000 +0100
@@ -16,3 +16,4 @@
 58df4f1b.patch
 fd262d11.patch
 f6a8a2cb.patch
+CVE-2015-1197.patch


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On 2015-03-11 20:11, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package cpio. It fixes CVE-2015-1197.
> 
> unblock cpio/2.11+dfsg-4.1
> 
> debdiff:
> 
> [...]
> 
> 

Unblocked, thanks.

~Niels

--- End Message ---
