Bug#892070: stretch-pu: package obs-build/20160921-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to push a security fix into stable for `obs-build`.
The patch fixes CVE-2017-14804 as described in #887306.
Please consider the following attached patch.
Regards
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru obs-build-20170201/debian/changelog obs-build-20170201/debian/changelog
--- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20170201-3+deb9u1) stretch; urgency=medium
+
+ * CVE-2017-14804 (Closes: #887306)
+ - Improve extractbuild to avoid write to files in the host system.
+ - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <zumbi@debian.org> Sun, 04 Mar 2018 23:05:06 +0100
+
obs-build (20170201-3) unstable; urgency=medium
[ Sjoerd Simons ]
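Review bot: the version in the new changelog stanza, 20170201-3+deb9u1, does not match the package version named in the bug title (obs-build/20160921-1); confirm which upstream snapshot is actually in stretch so the +deb9u1 update is based on the right one before this is accepted. Also, the first bullet reads more naturally as "avoid writing to files on the host system", and it would help the release team if the CVE line carried a one-line description of the issue (a \0 in a symlink target or filename letting extractbuild write outside the build tree) rather than only the identifier.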
diff -Nru obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 1970-01-01 01:00:00.000000000 +0100
+++ obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 2018-03-04 23:01:56.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-tux@gmx.de>
+From: Marcus Huewe <suse-tux@gmx.de>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+ my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+ die("invalid input '$_'\n") unless defined($file);
+ $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++ die("already processed: $file\n") if $done{$file};
+ die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+ if ($file =~ /^(.*)\//s) {
+ die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd';
+@@ -88,6 +90,7 @@ while (<S>) {
+ my $target = $filesize;
+ die("symlink without target\n") unless defined $target;
+ $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+ die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+ if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ my ($head, $tail) = ($1, $2);
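Review bot: the embedded patch carries no DEP-3 metadata beyond the git headers; add an `Origin: upstream` line referencing the commit id already present (fc36b1c95afbe11e65fd1ed6f75c1824cdb26230) and a `Bug-Debian: https://bugs.debian.org/887306` line so the provenance of the CVE-2017-14804 fix is traceable from the patch itself. On the logic, the three new checks are placed correctly: both `\0` tests run after the `s/%([a-fA-F0-9]{2})/chr(hex($1))/ge` decoding, so an encoded `%00` cannot slip past them, and the `already processed` test on `$done{$file}` sits before the path is acted on. One cosmetic point: the `Index:` and `---`/`+++` lines name `obs-build-20160921/extractbuild` while this package's source tree is `obs-build-20170201`; quilt applies it with `-p1` regardless, but refreshing the patch against the stretch tree would avoid confusion for the next updater.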
diff -Nru obs-build-20170201/debian/patches/series obs-build-20170201/debian/patches/series
--- obs-build-20170201/debian/patches/series 2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/patches/series 2018-03-04 23:03:58.000000000 +0100
@@ -15,3 +15,4 @@
HACK-Make-glibc-build.patch
debootstrap-generate-apt-caches.patch
+Improve-sanity-checks-in-extractbuild.patch