
Bug#892070: stretch-pu: package obs-build/20160921-1



Hello,

  I just realized I attached the debdiff for the wrong version; attached is
the debdiff for the version against stable.

Regards

2018-03-04 23:13 GMT+01:00 Héctor Orón Martínez <zumbi@debian.org>:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hello,
>
>   I would like to push a security fix into stable for `obs-build`.
>   The patch fixes CVE-2017-14804 as described in #887306.
>   Please consider the attached patch.
>
> Regards
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: armhf
>
> Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled



-- 
 Héctor Orón  -.. . -... .. .- -.   -.. . ...- . .-.. --- .--. . .-.

<free spam>

-- Would you like to make a donation towards the upcoming Debian conference?
   Brochure: https://media.debconf.org/dc18/fundraising/debconf18_sponsorship_brochure_en.pdf

   ** https://debconf18.debconf.org/sponsors/become-a-sponsor/ **

</free spam>
diff -Nru obs-build-20160921/debian/changelog obs-build-20160921/debian/changelog
--- obs-build-20160921/debian/changelog	2016-09-23 15:49:42.000000000 +0200
+++ obs-build-20160921/debian/changelog	2018-03-04 23:18:00.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20160921-1+deb9u1) stretch; urgency=medium
+
+  * CVE-2017-14804 (Closes: #887306)
+    - Improve extractbuild to avoid write to files in the host system.
+    - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <zumbi@debian.org>  Sun, 04 Mar 2018 23:18:00 +0100
+
 obs-build (20160921-1) unstable; urgency=medium
 
   [ Andrew Lee (李健秋) ]
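Review bot: the second changelog bullet is a fragment ("debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new") and the entry never says where the fix comes from, although the patch header further down identifies it as upstream commit fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 by Marcus Huewe. Suggest rewording to something like "Cherry-pick upstream commit fc36b1c9 (Improve sanity checks in extractbuild) as debian/patches/Improve-sanity-checks-in-extractbuild.patch" and adding DEP-3 `Origin:` and `Bug-Debian: https://bugs.debian.org/887306` headers to the patch file itself, so the provenance survives outside the changelog.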
diff -Nru obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch	1970-01-01 01:00:00.000000000 +0100
+++ obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch	2018-03-04 23:16:40.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-tux@gmx.de>
+From: Marcus Huewe <suse-tux@gmx.de>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+   my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+   die("invalid input '$_'\n") unless defined($file);
+   $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++  die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++  die("already processed: $file\n") if $done{$file};
+   die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+   if ($file =~ /^(.*)\//s) {
+     die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd';
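Review bot: the new `die("already processed: $file\n") if $done{$file};` is only as strong as the bookkeeping behind `%done`: the visible context shows `%done` being consulted for directories (`$done{$1} eq 'd'`) but not where regular files and symlinks are recorded, so confirm that every branch that creates an entry sets `$done{$file}`, otherwise a second entry reusing an already-used name, which the commit message says must be rejected for the same reason as the `\0` case, still gets through. Placement of the `\0` check is right: it runs after the `%XX` decode on the preceding line, so a `%00` in the raw input is caught rather than decoded into the path later. A minor style point: the same decode-then-reject pair is repeated for the symlink target in the next hunk; a small helper would keep the two checks from drifting apart.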
+@@ -88,6 +90,7 @@ while (<S>) {
+     my $target = $filesize;
+     die("symlink without target\n") unless defined $target;
+     $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++    die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+     die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+     if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+       my ($head, $tail) = ($1, $2);
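Review bot: the reason for rejecting a `\0` in `$target` deserves a comment next to the `die`, not only the commit message: Perl's `symlink` hands the target to symlink(2) as a C string, so everything after a NUL is invisible to the kernel while the `/\/\.?\//` check and the leading-`..` match two lines below still operate on the full string, which is exactly the validator-versus-kernel mismatch the commit message describes. As in the previous hunk, doing this after the `%XX` decode is the correct order. One caveat worth noting in that comment: Perl 5.20 and later already refuse filesystem calls on strings containing `\0` (they warn and fail), so on stretch's perl the kernel would never see the truncated target anyway; the explicit check still gives a clear error and covers older interpreters.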
diff -Nru obs-build-20160921/debian/patches/series obs-build-20160921/debian/patches/series
--- obs-build-20160921/debian/patches/series	2016-09-23 07:04:44.000000000 +0200
+++ obs-build-20160921/debian/patches/series	2018-03-04 23:17:33.000000000 +0100
@@ -1,2 +1,4 @@
 0001-Use-obs-build-in-locations-and-executable-names-inst.patch
 0010_find-perm_slash.diff
+
+Improve-sanity-checks-in-extractbuild.patch
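Review bot: the blank line added before `Improve-sanity-checks-in-extractbuild.patch` in `series` is unnecessary and does not match the two existing entries; drop it. The existing entries also carry numeric prefixes (`0001-`, `0010_`), so consider naming the new patch with the next number, e.g. `0020-Improve-sanity-checks-in-extractbuild.patch`, and keeping the filename in the changelog entry in step.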
