
Bug#886482: stretch-pu: package global/6.5.6-2



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Recently CVE-2017-17531 was reported against the gozilla binary contained
in GNU Global. The issue wasn't deemed to warrant a DSA by the Debian
Security team but I was wondering if this is something that is pu
material for the next stretch update.

The update contains a fix which has been backported from the upstream
release 6.6.1.

Thanks for your consideration.

Punit

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru global-6.5.6/debian/changelog global-6.5.6/debian/changelog
--- global-6.5.6/debian/changelog	2017-01-07 14:22:40.000000000 +0000
+++ global-6.5.6/debian/changelog	2018-01-03 21:41:34.000000000 +0000
@@ -1,3 +1,9 @@
+global (6.5.6-2+deb9u1) stretch; urgency=medium
+
+  * Backport fix for CVE-2017-17531 from 6.6.1 (Closes: #884912)
+
+ -- Punit Agrawal <punit@debian.org>  Wed, 03 Jan 2018 21:41:34 +0000
+
 global (6.5.6-2) unstable; urgency=medium
 
   * Include gtags.conf manpage in the package
diff -Nru global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch
--- global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch	1970-01-01 01:00:00.000000000 +0100
+++ global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch	2018-01-03 21:41:34.000000000 +0000
@@ -0,0 +1,68 @@
+From: Punit Agrawal <punit@debian.org>
+Date: Wed, 3 Jan 2018 21:35:38 +0000
+Subject: gozilla: Validate strings before launching browser
+
+gozilla does not validate strings before launching the program
+specified by the BROWSER environment variable, which might allow
+remote attackers to conduct argument-injection attacks via a crafted
+URL. This issue is reported as CVE-2017-17531.
+
+Backport a fix for this issue from upstream 6.6.1.
+---
+ gozilla/gozilla.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/gozilla/gozilla.c b/gozilla/gozilla.c
+index 22d2a95..9d53271 100644
+--- a/gozilla/gozilla.c
++++ b/gozilla/gozilla.c
+@@ -611,7 +611,8 @@ make_url_file(const char *url)
+ void
+ show_page_by_url(const char *browser, const char *url)
+ {
+-	char com[1024];
++	STRBUF  *sb = strbuf_open(0);
++	STRBUF  *arg = strbuf_open(0);
+ 
+ 	/*
+ 	 * Browsers which have openURL() command.
+@@ -624,22 +625,33 @@ show_page_by_url(const char *browser, const char *url)
+ 	    locatestring(browser, "netscape", MATCH_AT_LAST) ||
+ 	    locatestring(browser, "netscape-remote", MATCH_AT_LAST))
+ 	{
+-		snprintf(com, sizeof(com), "%s -remote \"openURL(%s)\"", browser, url);
+-		system(com);
++		strbuf_puts(sb, quote_shell(browser));
++		strbuf_putc(sb, ' ');
++		strbuf_puts(sb, "-remote");
++		strbuf_putc(sb, ' ');
++		strbuf_sprintf(arg, "openURL(%s)", url);
++		strbuf_puts(sb, quote_shell(strbuf_value(arg)));
++		system(strbuf_value(sb));
+ 	}
+ 	/*
+ 	 * Load default browser of OSX.
+ 	 */
+ 	else if (!strcmp(browser, "osx-default")) {
+-		snprintf(com, sizeof(com), "open \"%s\"", make_url_file(url));
+-		system(com);
++		strbuf_puts(sb, "open");
++		strbuf_putc(sb, ' ');
++		strbuf_puts(sb, quote_shell(make_url_file(url)));
++		system(strbuf_value(sb));
+ 	}
+ 	/*
+ 	 * Generic browser.
+ 	 */
+ 	else {
+-		snprintf(com, sizeof(com), "%s \"%s\"", browser, url);
+-		system(com);
++		strbuf_puts(sb, quote_shell(browser));
++		strbuf_putc(sb, ' ');
++		strbuf_puts(sb, quote_shell(url));
++		system(strbuf_value(sb));
+ 	}
++	strbuf_close(sb);
++	strbuf_close(arg);
+ }
+ #endif
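Review bot: In the `-remote` branch and the generic-browser branch, `quote_shell(browser)` now hands the whole BROWSER value to the shell as one word, whereas the removed `snprintf` lines left the browser `%s` unquoted. A BROWSER setting that carries its own options would previously have been split by the shell and would now be looked up as a single program name. For a stable update, either mention that behaviour change in the changelog entry or confirm it is what upstream 6.6.1 ships. Quoting `url` keeps the shell from interpreting it, but nothing in these lines stops a URL beginning with `-` from reaching the browser as an option, and in the first branch a `)` or `,` in `url` still ends up inside the `openURL(%s)` argument. If `quote_shell()` only does shell quoting (it is not shown here), consider validating the URL before building the command. The diffstat lists only gozilla/gozilla.c, so please also confirm that `quote_shell()` already exists in 6.5.6, and add an Origin: field to the patch header naming the upstream change that was backported.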
diff -Nru global-6.5.6/debian/patches/series global-6.5.6/debian/patches/series
--- global-6.5.6/debian/patches/series	2017-01-07 14:22:40.000000000 +0000
+++ global-6.5.6/debian/patches/series	2018-01-03 21:41:34.000000000 +0000
@@ -1 +1,2 @@
 0001-gtags-Fix-lintian-warning-with-gtags-manpage.patch
+0002-gozilla-Validate-strings-before-launching-browser.patch
