[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#892070: marked as done (stretch-pu: package obs-build/20160921-1)

Your message dated Sun, 31 Mar 2019 15:07:14 +0100
with message-id <1554041234.2650.39.camel@adam-barratt.org.uk>
and subject line Re: Bug#892070: stretch-pu: package obs-build/20160921-1
has caused the Debian Bug report #892070,
regarding stretch-pu: package obs-build/20160921-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
892070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892070
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

  I would like to push security fix into stable for `obs-build`.
  The patch fixes CVE-2017-14804 as described in #887306.
  Please consider the following patch attached.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru obs-build-20170201/debian/changelog obs-build-20170201/debian/changelog
--- obs-build-20170201/debian/changelog	2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/changelog	2018-03-04 23:05:06.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20170201-3+deb9u1) stretch; urgency=medium
+
+  * CVE-2017-14804 (Closes: #887306)
+    - Improve extractbuild to avoid write to files in the host system.
+    - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <zumbi@debian.org>  Sun, 04 Mar 2018 23:05:06 +0100
+
 obs-build (20170201-3) unstable; urgency=medium
 
   [ Sjoerd Simons ]
diff -Nru obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch	1970-01-01 01:00:00.000000000 +0100
+++ obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch	2018-03-04 23:01:56.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-tux@gmx.de>
+From: Marcus Huewe <suse-tux@gmx.de>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+   my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+   die("invalid input '$_'\n") unless defined($file);
+   $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++  die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++  die("already processed: $file\n") if $done{$file};
+   die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+   if ($file =~ /^(.*)\//s) {
+     die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd';
+@@ -88,6 +90,7 @@ while (<S>) {
+     my $target = $filesize;
+     die("symlink without target\n") unless defined $target;
+     $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++    die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+     die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+     if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+       my ($head, $tail) = ($1, $2);
diff -Nru obs-build-20170201/debian/patches/series obs-build-20170201/debian/patches/series
--- obs-build-20170201/debian/patches/series	2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/patches/series	2018-03-04 23:03:58.000000000 +0100
@@ -15,3 +15,4 @@
 HACK-Make-glibc-build.patch
 debootstrap-generate-apt-caches.patch
 
+Improve-sanity-checks-in-extractbuild.patch

--- End Message ---
--- Begin Message --- 
On Sat, 2019-03-09 at 16:31 +0000, Adam D. Barratt wrote:
> On Fri, 2018-11-09 at 06:59 +0100, Salvatore Bonaccorso wrote:
> > Hi Hector,
> > 
> > On Tue, Jul 03, 2018 at 08:59:39PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Sun, 2018-03-04 at 23:23 +0100, Hector Oron wrote:
> > > [...]
> > > > 2018-03-04 23:13 GMT+01:00 Héctor Orón Martínez <zumbi@debian.o
> > > > rg
> > > > > :
> > > 
> > > [...]
> > > > >   I would like to push security fix into stable for `obs-
> > > > > build`.
> > > > >   The patch fixes CVE-2017-14804 as described in #887306.
> > > > >  
> > > 
> > > Please go ahead; sorry for the delay.
> > 
> > Thats unfortunately to late for 9.6, but given the gonfirmation
> > could
> > you upload the fixed package so it can make it into 9.7?
> 
> Ping?
> 
> If nothing happens within the next couple of weeks then I plan on
> closing this request.

Doing so with this mail.

Regards,

Adam

--- End Message ---
Reply to: