Bug#892070: stretch-pu: package obs-build/20160921-1
Hello,
I just realized I attached the debdiff for the wrong version; attached is the
debdiff for the version against stable.
Regards
2018-03-04 23:13 GMT+01:00 Héctor Orón Martínez <zumbi@debian.org>:
> Package: release.debian.org
> Severity: normal
> Tags: stretch
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hello,
>
> I would like to push a security fix into stable for `obs-build`.
> The patch fixes CVE-2017-14804 as described in #887306.
> Please consider the following patch attached.
>
> Regards
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: armhf
>
> Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
--
Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
<free spam>
-- Would you like to make a donation towards the upcoming Debian conference?
Brochure: https://media.debconf.org/dc18/fundraising/debconf18_sponsorship_brochure_en.pdf
** https://debconf18.debconf.org/sponsors/become-a-sponsor/ **
</free spam>
diff -Nru obs-build-20160921/debian/changelog obs-build-20160921/debian/changelog
--- obs-build-20160921/debian/changelog 2016-09-23 15:49:42.000000000 +0200
+++ obs-build-20160921/debian/changelog 2018-03-04 23:18:00.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20160921-1+deb9u1) stretch; urgency=medium
+
+ * CVE-2017-14804 (Closes: #887306)
+ - Improve extractbuild to avoid write to files in the host system.
+ - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <zumbi@debian.org> Sun, 04 Mar 2018 23:18:00 +0100
+
obs-build (20160921-1) unstable; urgency=medium
[ Andrew Lee (李健秋) ]
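Review bot: the second bullet of the new changelog entry, "debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new", is an incomplete sentence and does not say where the patch comes from; since the patch file itself carries the upstream author and commit id, the entry should read along the lines of "add new patch, cherry-picked from upstream commit fc36b1c9" so the stable release team can trace the origin from the changelog alone.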
diff -Nru obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch 1970-01-01 01:00:00.000000000 +0100
+++ obs-build-20160921/debian/patches/Improve-sanity-checks-in-extractbuild.patch 2018-03-04 23:16:40.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-tux@gmx.de>
+From: Marcus Huewe <suse-tux@gmx.de>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+ my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+ die("invalid input '$_'\n") unless defined($file);
+ $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++ die("already processed: $file\n") if $done{$file};
+ die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+ if ($file =~ /^(.*)\//s) {
+ die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd';
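Review bot: the new `die("already processed: $file\n") if $done{$file};` only works if `%done` is populated for every entry type, and the hunk shows only that directories are recorded (the existing `unless $done{$1} && $done{$1} eq 'd'` check). If regular files and symlinks are not stored in `%done` with a true value, the duplicate check is a no-op for exactly the entries the commit message is worried about; please confirm the assignment covers all filetypes, or add an explicit `$done{$file} = $filetype;` once the entry has been handled. The ordering of the `\0` check after the `%XX` decoding is correct, since `%00` is the way a NUL byte enters `$file`.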
+@@ -88,6 +90,7 @@ while (<S>) {
+ my $target = $filesize;
+ die("symlink without target\n") unless defined $target;
+ $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+ die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+ if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ my ($head, $tail) = ($1, $2);
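Review bot: the `\0` rejection for the symlink target is correctly placed after the `%XX` decoding and before the existing `"/$target/" =~ /\/\.?\//` check, so the same reasoning as for `$file` applies. On the packaging side, the patch header is a git format-patch header grafted onto a quilt `Index:` body but carries no DEP-3 fields; adding `Origin: upstream, commit fc36b1c95afbe11e65fd1ed6f75c1824cdb26230` and `Bug-Debian: https://bugs.debian.org/887306` (plus a mention of CVE-2017-14804) would make the patch self-describing without changing its content.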
diff -Nru obs-build-20160921/debian/patches/series obs-build-20160921/debian/patches/series
--- obs-build-20160921/debian/patches/series 2016-09-23 07:04:44.000000000 +0200
+++ obs-build-20160921/debian/patches/series 2018-03-04 23:17:33.000000000 +0100
@@ -1,2 +1,4 @@
0001-Use-obs-build-in-locations-and-executable-names-inst.patch
0010_find-perm_slash.diff
+
+Improve-sanity-checks-in-extractbuild.patch
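Review bot: the added empty line before `Improve-sanity-checks-in-extractbuild.patch` in debian/patches/series is unnecessary; quilt ignores blank lines, but it is noise in the diff and inconsistent with the two existing entries, so drop it and append only the patch name.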