--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package obs-build/20160921-1
- From: Héctor Orón Martínez <zumbi@debian.org>
- Date: Sun, 04 Mar 2018 23:13:36 +0100
- Message-id: <152020161669.15325.9679355134787732746.reportbug@polynomio.collabora.co.uk>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to push a security fix into stable for `obs-build`.
The patch fixes CVE-2017-14804 as described in #887306.
Please consider the following patch attached.
Regards
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru obs-build-20170201/debian/changelog obs-build-20170201/debian/changelog
--- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20170201-3+deb9u1) stretch; urgency=medium
+
+ * CVE-2017-14804 (Closes: #887306)
+ - Improve extractbuild to avoid write to files in the host system.
+ - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <zumbi@debian.org> Sun, 04 Mar 2018 23:05:06 +0100
+
obs-build (20170201-3) unstable; urgency=medium
[ Sjoerd Simons ]
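Review bot: the version in this changelog hunk (20170201-3+deb9u1, based on 20170201-3) does not match the version named in the request's Subject line (obs-build/20160921-1); the pu request title should be corrected to the source version actually being uploaded so the release team tracks the right package. Minor style point on the entry text: "avoid write to files in the host system" reads better as "avoid writing to files in the host system", and the second sub-item would be clearer as "debian/patches/Improve-sanity-checks-in-extractbuild.patch: new patch from upstream".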
diff -Nru obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 1970-01-01 01:00:00.000000000 +0100
+++ obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 2018-03-04 23:01:56.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-tux@gmx.de>
+From: Marcus Huewe <suse-tux@gmx.de>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+ my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+ die("invalid input '$_'\n") unless defined($file);
+ $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++ die("already processed: $file\n") if $done{$file};
+ die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+ if ($file =~ /^(.*)\//s) {
+ die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd';
+@@ -88,6 +90,7 @@ while (<S>) {
+ my $target = $filesize;
+ die("symlink without target\n") unless defined $target;
+ $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+ die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+ if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ my ($head, $tail) = ($1, $2);
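Review bot: the added patch file carries only the git format-patch header (From/Date/Subject) and no DEP-3 fields; please add `Origin: upstream, commit fc36b1c95afbe11e65fd1ed6f75c1824cdb26230` and `Bug-Debian: https://bugs.debian.org/887306` so the provenance of the CVE-2017-14804 fix is recorded in the patch itself. Also, the embedded `Index:`/`---`/`+++` paths reference `obs-build-20160921` while the package source is `obs-build-20170201`; quilt strips the leading directory so it applies, but refreshing the patch would keep the paths consistent with the package. On the logic itself the placement looks right: both new `\0` checks sit immediately after the `%XX` percent-decoding lines, which is where they must be, since an encoded `%00` only becomes a NUL byte after decoding, and the `already processed` check on `$done{$file}` reuses the same hash the existing directory check (`$done{$1} eq 'd'`) already relies on. The two inner hunk headers (+2 and +1 lines) agree with the stated diffstat of 3 insertions.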
diff -Nru obs-build-20170201/debian/patches/series obs-build-20170201/debian/patches/series
--- obs-build-20170201/debian/patches/series 2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/patches/series 2018-03-04 23:03:58.000000000 +0100
@@ -15,3 +15,4 @@
HACK-Make-glibc-build.patch
debootstrap-generate-apt-caches.patch
+Improve-sanity-checks-in-extractbuild.patch
--- End Message ---
--- Begin Message ---
- To: 892070-done@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Hector Oron <zumbi@debian.org>
- Subject: Re: Bug#892070: stretch-pu: package obs-build/20160921-1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sun, 31 Mar 2019 15:07:14 +0100
- Message-id: <1554041234.2650.39.camel@adam-barratt.org.uk>
- In-reply-to: <1552149101.11727.41.camel@adam-barratt.org.uk>
- References: <152020161669.15325.9679355134787732746.reportbug@polynomio.collabora.co.uk> <152020161669.15325.9679355134787732746.reportbug@polynomio.collabora.co.uk> <CAODfWeE+HRaN=6BpdGhbi4M3YsFhv43VO9DLayaq+hZHz4M_0w@mail.gmail.com> <152020161669.15325.9679355134787732746.reportbug@polynomio.collabora.co.uk> <1530647979.3658.46.camel@adam-barratt.org.uk> <152020161669.15325.9679355134787732746.reportbug@polynomio.collabora.co.uk> <20181109055918.GA15489@eldamar.local> <152020161669.15325.9679355134787732746.reportbug@polynomio.collabora.co.uk> <1552149101.11727.41.camel@adam-barratt.org.uk>
On Sat, 2019-03-09 at 16:31 +0000, Adam D. Barratt wrote:
> On Fri, 2018-11-09 at 06:59 +0100, Salvatore Bonaccorso wrote:
> > Hi Hector,
> >
> > On Tue, Jul 03, 2018 at 08:59:39PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Sun, 2018-03-04 at 23:23 +0100, Hector Oron wrote:
> > > [...]
> > > > 2018-03-04 23:13 GMT+01:00 Héctor Orón Martínez <zumbi@debian.org>:
> > >
> > > [...]
> > > > > I would like to push a security fix into stable for `obs-build`.
> > > > > The patch fixes CVE-2017-14804 as described in #887306.
> > > > >
> > >
> > > Please go ahead; sorry for the delay.
> >
> > That's unfortunately too late for 9.6, but given the confirmation could
> > you upload the fixed package so it can make it into 9.7?
>
> Ping?
>
> If nothing happens within the next couple of weeks then I plan on
> closing this request.
Doing so with this mail.
Regards,
Adam
--- End Message ---