
Bug#939967: stretch-pu: package flightcrew/0.7.2+dfsg-9+deb9u1



Hi,

please find enclosed the diff that fixes CVE-2019-13241 and CVE-2019-13032 for the stretch release of flightcrew.

Best,
François


diff --git a/debian/changelog b/debian/changelog
index f602446..88e5e40 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+flightcrew (0.7.2+dfsg-9+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2019-13241 for stretch release.
+  * Fix CVE-2019-13032 for stretch release.
+
+ -- Francois Mazen <francois@mzf.fr>  Tue, 10 Sep 2019 15:34:26 +0200
+
 flightcrew (0.7.2+dfsg-9) unstable; urgency=medium
 
   * d/copyright: claim copyright for the 2017.
diff --git a/debian/patches/fix-CVE-2019-13032.diff b/debian/patches/fix-CVE-2019-13032.diff
new file mode 100644
index 0000000..0fe7699
--- /dev/null
+++ b/debian/patches/fix-CVE-2019-13032.diff
@@ -0,0 +1,44 @@
+Description: fix CVE-2019-13032
+Author: Francois Mazen <francois@mzf.fr>
+
+Index: flightcrew/src/FlightCrew/Framework/ValidateEpub.cpp
+===================================================================
+--- flightcrew.orig/src/FlightCrew/Framework/ValidateEpub.cpp
++++ flightcrew/src/FlightCrew/Framework/ValidateEpub.cpp
+@@ -118,10 +118,15 @@ fs::path GetRelativePathToNcx( const xc:
+         std::string href       = fromX( item->getAttribute( toX( "href" )       ) );
+         std::string media_type = fromX( item->getAttribute( toX( "media-type" ) ) );
+ 
+-        if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
+-             media_type == NCX_MIME )
++        // prevent segfault here that would result as toX() will return null when 
++        // passed and empty string
++        if (!href.empty())
+         {
+-            return Util::Utf8PathToBoostPath( Util::UrlDecode( href ) );  
++            if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
++                 media_type == NCX_MIME )
++            {
++                return Util::Utf8PathToBoostPath( Util::UrlDecode( href ) );  
++            }
+         }
+     }
+ 
+@@ -141,10 +146,13 @@ std::vector< fs::path > GetRelativePaths
+         std::string href       = fromX( item->getAttribute( toX( "href" )       ) );
+         std::string media_type = fromX( item->getAttribute( toX( "media-type" ) ) );
+ 
+-        if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
+-             ( media_type == XHTML_MIME || media_type == OEB_DOC_MIME ) )
+-        {                    
+-            paths.push_back( Util::Utf8PathToBoostPath( Util::UrlDecode( href ) ) );
++        if (!href.empty())
++        {
++            if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
++                 ( media_type == XHTML_MIME || media_type == OEB_DOC_MIME ) )
++            {
++                 paths.push_back( Util::Utf8PathToBoostPath( Util::UrlDecode( href ) ) );
++            }
+         }
+     }
+ 
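Review bot: The comment added in the first inner hunk (GetRelativePathToNcx), `// prevent segfault here that would result as toX() will return null when passed and empty string`, has a typo and names the cause only indirectly; `// toX() returns null for an empty string, so check href before building a URI from it` says it in one line. Folding the guard into the existing condition, `if ( !href.empty() && xc::XMLUri::isValidURI( true, toX( href ) ) && media_type == NCX_MIME )`, gives the same protection through short-circuit evaluation without the extra nesting level, and the same applies to the second inner hunk (GetRelativePaths), where the inner `paths.push_back` is also indented one column off. The DEP-3 header carries only Description and Author; a `Bug-Debian:` line pointing at https://security-tracker.debian.org/tracker/CVE-2019-13032 (the link the test script already uses) would record where the fix comes from. Both GetRelativePathToNcx and GetRelativePaths begin and end outside the hunk.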
diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff
new file mode 100644
index 0000000..98019d0
--- /dev/null
+++ b/debian/patches/fix-CVE-2019-13241.diff
@@ -0,0 +1,59 @@
+Description: fix CVE-2019-13241
+Author: Francois Mazen <francois@mzf.fr>
+
+
+--- a/src/zipios/src/zipextraction.cpp
++++ b/src/zipios/src/zipextraction.cpp
+@@ -63,6 +63,44 @@
+         fs::create_directory( filepath );
+ }
+ 
++void CheckPathTraversalVulnerability(const fs::path& root_folder,  const fs::path& file_path)
++{
++
++    fs::path canonical_path = fs::weakly_canonical(file_path);
++    fs::path canonical_root_path = fs::weakly_canonical(root_folder);
++
++    fs::path::iterator root_iterator = canonical_root_path.begin();
++    fs::path::iterator path_iterator = canonical_path.begin();
++    bool isDifferenceFound = false;
++    while(!isDifferenceFound &&
++          root_iterator != canonical_root_path.end() &&
++          path_iterator != canonical_path.end())
++    {
++        if((*root_iterator) != (*path_iterator))
++        {
++            isDifferenceFound = true;
++        }
++        else
++        {
++            ++root_iterator;
++            ++path_iterator;
++        }
++    }
++
++    if(!isDifferenceFound &&
++       root_iterator != canonical_root_path.end() &&
++       path_iterator == canonical_path.end())
++    {
++        // We reached the end of the path without iterating the whole root.
++        isDifferenceFound = true;
++    }
++
++    if(isDifferenceFound)
++    {
++        throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ;
++    }
++}
++
+ 
+ void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_folder )
+ {
+@@ -75,6 +113,7 @@
+ 
+         fs::path new_file_path = path_to_folder / (*it)->getName();
+ 
++        CheckPathTraversalVulnerability(path_to_folder, new_file_path);
+         CreateFilepath( new_file_path );
+         WriteEntryToFile( *stream, new_file_path );
+     }
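Review bot: The hand-written component loop in CheckPathTraversalVulnerability, together with the post-loop "path ended before root" case, is a prefix test that the two-range `std::mismatch` (C++14, `<algorithm>`) states directly: the entry is inside the root exactly when the root iterator reaches its end, which removes the `isDifferenceFound` flag and the second conditional while keeping the same InvalidStateException and message, as in the rewrite below. Two points to confirm with a unit test: `fs::weakly_canonical` resolves symlinks only on the part of the path that already exists, so links materialised by earlier entries of the same archive are only accounted for if the extractor creates them at all, and a root passed with a trailing separator may iterate with a final `.` element that a file path never has, which would make every entry look like a traversal. The function also does not need external linkage; `static` or an anonymous namespace would keep it file-local like the neighbouring helpers appear to be. ExtractZipToFolder's body continues past the hunk.
```cpp
void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path)
{
    const fs::path canonical_path = fs::weakly_canonical(file_path);
    const fs::path canonical_root_path = fs::weakly_canonical(root_folder);

    // The entry stays inside the root iff every component of the root is a prefix of the path.
    const auto first_difference = std::mismatch(canonical_root_path.begin(), canonical_root_path.end(),
                                                canonical_path.begin(), canonical_path.end());
    if (first_difference.first != canonical_root_path.end())
    {
        throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string() );
    }
}
```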
diff --git a/debian/patches/series b/debian/patches/series
index dd411b2..3a46586 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@ disable_filesystem3_overload
 modify_cmake_for_debian
 reproducible-build
 use_random_unique_tmp_path
+fix-CVE-2019-13032.diff
+fix-CVE-2019-13241.diff
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..39697e6
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1,2 @@
+debian/tests/CVE-2019-13032_null_ptr.zip
+debian/tests/CVE-2019-13241_zip-slip.zip
diff --git a/debian/tests/CVE-2019-13032 b/debian/tests/CVE-2019-13032
new file mode 100644
index 0000000..27f2cc2
--- /dev/null
+++ b/debian/tests/CVE-2019-13032
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Check the CVE-2019-13032 vulnerability.
+# See https://security-tracker.debian.org/tracker/CVE-2019-13032
+# Author: Francois Mazen <francois@mzf.fr>
+
+flightcrew-cli --input-file CVE-2019-13032_null_ptr.zip 2>&1
+
+if [ $? -eq 139 ]; then
+    echo "Segfault!"
+    exit 1
+fi
+
+exit 0
+
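Review bot: The archive is opened by a path relative to the current directory, `flightcrew-cli --input-file CVE-2019-13032_null_ptr.zip`, but DEP-8 runs each autopkgtest from the root of the source tree, so the file would not be found, the command would exit with an ordinary error status rather than 139, and the test would pass without ever exercising the null-pointer path; the `CVE-2019-13241` script has the same problem. Referencing `debian/tests/CVE-2019-13032_null_ptr.zip` (or `$(dirname "$0")/CVE-2019-13032_null_ptr.zip`) fixes that, and capturing the status with `status=$?` and testing `[ "$status" -ge 128 ]` catches death by any signal instead of the one value this particular shell reports for SIGSEGV. It would also be worth asserting that the tool actually read the archive — for instance by checking its output for the usual validation report — so that a missing or unreadable input cannot turn into a false pass.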
diff --git a/debian/tests/CVE-2019-13032_null_ptr.zip b/debian/tests/CVE-2019-13032_null_ptr.zip
new file mode 100644
index 0000000000000000000000000000000000000000..086dd8c4fdfb3ac098df646c33949e81110cbf75
GIT binary patch
literal 3701
zcmZ`+2UHVX8Vwx+0YVi~M0)RpUZn<v0HN2=i}WBZNSBT@1qJCHQITGiDnbwtkd8r+
zCcSqS-G9%&>+a4w-@KVQ@4oZR{l1xVFH8dm7YG0l0st=Nqgw8W3LYu|0PriW9|2sQ
zT<wtl9(D*1j|WaR2&9v{8^4{0k2QCIlLzcCB;ju)Ep3cR$u(l{I%uxrzA{{aS6xem
z-^SeyiEwhW^WyV!eW0JH0PGMTS3b&SLK`?E+4GzfhH8mrK4fT#W_*rdqi$_gP+D`N
z*?KSLb9O5%U?`*IZRCJ6D0V`9`NVl1B?&im%v9cp5DqBTq0UZ?bh2g6Knca;u%^CD
zR-1{*#Q*+4HsfRf^Ij*uKy5Q9SEN~AE)u4U79&1e@GoI*lCp4Ots)SGEm!ruQKJ#)
z!Q5W59#u@wDCckDK@4@5En{5-78<u;{d%=)3J3`SYq?`udmTb@$yfk@2Mz#04!8wS
zhUqKvdmwCF5Ds>H?jH8~a3TPXxF^W`SNQl51F&#cu9yBkCFl*fWeJeCZRr`c8BEBN
zx`LBT(+Je`%f!YRj4Cd<A$QLXZ@2WPY(jLwiX<pG;hc@boq?OXK)um9pBigcR!pJc
zRKo3x!(BKk@5x0TNb!<_nOv!PV%P?nH;*!=Db~M{k)vXf{=;FjQ{J~RN}rT70bFrQ
z9BN+@JP32d<6Bke932+8>UwcVkn-lMA_bJi6XKHAavJF`G^wFZiqGS$WKk7s`H7Z@
zHM1}kD_>uAkA5Qup~k*z&XQr$hPCM*=<vKnG%6WD-+Bimu*w^Lph^X~5xw33t^UE)
z>N2zPrXX411fVDB16Q}5m@q=q4?F6m>zk*MDPJ5Em1n-|I#ca8oC+$*0JkvPE}w6Z
zHulIZ>>gl*)=b=!_jvb$z!4)jT}b9)%89JF-4qILG=`nnXqnIpdwnD0Ro-;QO^^3o
z%IyA1*c`mENZ^nTIBZy#WrkB)Pj)^)?=m@$@=Y+E^#y;4@VeZCx#o4j8O_<A+*#LL
z7Y$0132NCvbrhp7qW;_qb=rC7Kf6}w-ZTTvb!o}2>qUCqwZBX2hIq*5=ZJKD(3(=^
z7A`<8@7vblwQT)`l(#pja&4w~?Exm57aWfUcYGU%sHchKLg|`bZe?Gr@9i8Q3{zz?
zv{u=QDg^RzUnr)RPZsaH>>VCM$BjR*nxOOVr|ZT{u*HKq$w>$EAf|P(3mLa>-DBqn
zts8u!reF8eAt!$&a<#6&Se|g6LTQz`egX@qtA>#LkalQfEQO%#{me4xBawY1Vy&IU
z+g=r!me03Rw$#_uX4I%u`I?fCJz4}dd8Qb-z(}sSV!0Orbjh7;?oV|$#AwcJUhx_m
zT(GX=M@AM-s$ie&?_>=f*<9{77dDCE-71p3Bq&?m+ZmlCqvx;pRYy+_EK9BnfzcgV
zlX((aV<H+4o7P{x!w~!@gP&{R92M8UirdTp0QJ8ZbhNWa`uie~zdrikM4Gs|PpeQ|
zZdz8A074U>g&T}3-3X%^JRq%_mi$`&xOR7}SxkhX8H2BrF~{jQcl(FxJLV~rN+GVE
zmiEg**|#N+=l!`SQ#p|3@5rj@w*q>UXv)L~Ab0HF%bmYFK3b33W>O>J2`_qnDWDPm
zX$uuxKkeTvmdypZ9BB64I(IM=Cg#6^3RBvicvPgCdXuvwunH1*NFbI^h>}7Y<quc@
z?GGD|1%$s(9w&dT?v#FHz%^I>-t^wFaRr*^D=M>3rum++b@q<Li1Y~Ybr)W=)!X&Q
z-G9-(W?JQXSz~xP63}N^*_g)7AoE#jLAh~i87ICH4vxdtig_x?WM6+GJWYlAwoFjw
z2Gq9~e8mT;=${rF_cpj_T66F9k7s*Fq3JEtGpo4x!#T7%&TMrw1P35tr9gE%EL6M4
zv-p6l4m89BqGuE1NoYqoP8m<ne7bLA&LGQDhF`1n!@%}&=+o>7dlf<E8br=KfNHb8
z6=FqezSPJ?GSO(o2Ic`AQ6WAAQp~e+b~Qa57Wq8Bn9EUqwKO%}7`-w-aKMCJAKDp8
zw2}9-?F*Ah5~ZOYajVAtG&DXLFd6;Q9DFQIg0hYy;)Jn1kzvUvC+S+$<?eZ|2`Y`O
z)a@L70ebt*x)p3rmJ_tNR!P=j8mR9;K0P~Z>_{D9b1(7AXerUqHgktP8`_rAL41C0
zRiI)O8;!!@{YmwOw4bpNFA#W`If5r$x4gH_es?SpiG>t$^`jvg?P$;9b*&STaBw8e
zwqKzrF*3KE;|tRC2A5<}MQdLU#!M80(}RPUsLv0Q9WqngKWJCb**oBql^Ue>@daP*
z@5GXz%hNt&^(V#iK>OCgKl)j>2QCAzwpSOX>mI2K7Lf#&;0b|(&8u6v;*#Zu3b^QP
zWyq(K96T|d-{$dZXl=dVOC)B<bm%8w=w!$%+>sk0)4E>IJX2+f8gs%WY@WFZ;Uzx$
z)T&Chltw4bq9w{<6Rg~&cDHs@UXXFGUZ<;Er1!f<n$9Pp>FF;ba2ruC*fa(l1cGUX
zL@&EA86=4%7jUU3s!)n0MK9jc9#olpm&JUcxS|{OSR(q>n87*)Bh20(ONW{cP3!%*
zuglyNPu;Zm35LS$PDFbzoqUmQsUB0BdaC@;tGi?h$%`<q`o?zaAx}BDYh|;-E+qr?
z@vK#NO$5Wv9lNgC-1{OPY&McKjLGnu4dISU@Xm@CZMuVuAfP~R^0QSo!CcxYZ;m~N
zvnq-k%2F#YMMmHpgWm1LJ%(#eGcTh91|)WEFOoj`wwGHy>a{=Onfw?z6&=s}JYa4i
zJ%Vdr#*~y|4)G(~pNc!JxoNHWBX-nBQ*9e=tXybdw%FSj4US}u=0R}d^o{ACKevLO
z`g$^MBsQo7Usyg5)8G?oqn2Dwb_56Xn6y1r(ojuWIsve1fY=DcC7uJoSV4Maw=5O=
z>!7ivxEz3xvxi|8t)cX_K5^|vurSO?ge!P3CNq5gE^R}V6X`{4H}g*~V`n7j-1`OE
z0osfTt@&L4zU~!0hrep!gFQs}Pg{sq?$v;F)U#H#lQiMB;!T`j$#P7oZRs;+;(!o0
z@;K2bpr|6R+-i!3Q3JGIj}A*$mu7B`pvf$<-XkGQZkwLq$@<A=ja~m9=le%K-XPz;
zqmoLuy|%2W(eV0*9<XonQ7OT1nC|W5etC+75|66Ra&pVxL*6O~GQ?`2im7S_-e+j6
zfEm}(+V~n)iO?~X2lNUWnV(&*7t~}MAoHQ}G}HhgKe|M?4&Vqk57H7{G<0)tf)zWF
zlU#J{tuKkO$+nnZ-0o@d$+&ep`GpbOfH}9GfKkU;Fn)nl484{CG4q~(Gs!Bg@bV$H
z6i+o1XhD)7Gb%52f^p%r&y=U*a+WBmw0Xs%<=N5&oz?e)o(X({&A_|yrB0(rEqwCI
z%CSSPPX}xjcpIZ~4X;cB)J_{nc4bL**>Yx<9;gI5cgdU53x~IiIiZkvOt@KvV`H6#
zS<7k-sL%*fRut<=sb9`(b4C1;+cH`w(|*de7-eXkBZk;VvpReSL39sR%k%;m?9%l#
zcWy47>P+GAEywq+4H=oI+yRXCGvODT&k{DTei6(sRip?gsbolZlF<Cn<2TI$B1R?z
zBg$Z>ua}$_lxK^&;K5##AM-_E`>w*L!kS-iuRdD6VpcD56k*N8`#h$Di|;2BC28LD
zI0Q4r)1c+wQ|LnJ>`brR^35sFejAEe^5OJs&fnF#=yWKMIb`-x?-u^HG-0bC(j^KB
zPGW#7hh|29EVEdt0A7msejfrt=(AYr&f;7n8!IOXoxkv;*zxSENp+TYcY7HMH?u?n
zNlw+PsBeaQk;JT7kwP>QX)eoG0@rC-5rSbHVX6}R$Hf?b-MiH<xfntV1AX*Ajjzt<
z#yrNGugx~o$P@{ceBQ|yxE?|8hZbE77}a(e5>=ndZrMQB4pTzHPZ?|#sKl{WaE%l~
z@YIIg#sF3sn!=&7Bd~piDjc=)#7tD_a2VyRlxA{Nx`%N8d?pe1TL8}E;@9hG+EQn@
zCH&%tEkBMu>%4LTZh*#pvmxIyC_d+pw1R4THy)TsK;1q7Y-Y{ZAw8S;*j0;W(R1PP
ze&8SJkKm$wr0lJV5?9^Eg+6EI-?vSL&&4NXw=b(sEV%gLe86fsF}}AY8vKG~?h-d}
z^qXJKb+$7Ro_DToz>b7UG;H<`#~;y6igY1WQlK)5*gq{RzNT&M&kkp537eVf(?lf}
zB!xluij?*JWuUc<v9?l9Q>L#aP0!a_UW5|e7+G|uXw$56V7`h(>*L(t7cL`4lUn+H
z1+R<vNZX|fKapd6^V-{o0!C?=;A6#ssj;t$W*N2UQ<&`#XXx-bHi_Eumuj2I?U3Er
z+PJdFIDZlu{5k1FV5%b})cq>wZtl^>eD~G0^vA-c0{nkRbS-iI?f92J`WyAX-O%3<
z$?MDi?Tvoz!GQDsY{!k?TU<+3Kw&8L_4MB+1n-|F<PQV#XJ&sY-oG>3#{N_P{)zol
f>-~)t!u<>Tr}Beo;NkyThIc)*uhS+6{kr=HHFbN2

literal 0
HcmV?d00001

diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241
new file mode 100644
index 0000000..baac7e0
--- /dev/null
+++ b/debian/tests/CVE-2019-13241
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Check the CVE-2019-13241 vulnerability.
+# See https://security-tracker.debian.org/tracker/CVE-2019-13241
+# Author: Francois Mazen <francois@mzf.fr>
+
+EVIL_FILE=/tmp/evil.txt
+
+if [ -f "$EVIL_FILE" ]; then
+    echo "$EVIL_FILE exists, removing it."
+    rm -f $EVIL_FILE
+else 
+    echo "$EVIL_FILE does not exist"
+fi
+
+echo "Opening the evil zip file."
+flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1
+
+if [ -f "$EVIL_FILE" ]; then
+    echo "$EVIL_FILE exists! The program is vulnerable."
+    exit 1
+else 
+    echo "$EVIL_FILE does not exist, no vulnerability."
+    exit 0
+fi
+
+
+
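Review bot: The test's only evidence is the absence of `/tmp/evil.txt`, a fixed path in a shared world-writable directory that is removed beforehand with an unquoted `rm -f $EVIL_FILE`; "file does not exist afterwards" is also what happens when the archive is not found or is rejected for an unrelated reason, so the check cannot distinguish a fixed build from a broken test. A positive assertion would capture the output and look for the patch's own message, e.g. `out=$(flightcrew-cli --input-file debian/tests/CVE-2019-13241_zip-slip.zip 2>&1)` followed by `echo "$out" | grep -q 'Corrupt epub detected' || exit 1`, assuming the CLI prints the exception text. Whether the marker file would ever land at exactly `/tmp/evil.txt` also depends on the depth of the random temporary extraction directory relative to the archive's entry name, which the script does not verify; quoting `"$EVIL_FILE"` in the `rm` is a small extra fix.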
diff --git a/debian/tests/CVE-2019-13241_zip-slip.zip b/debian/tests/CVE-2019-13241_zip-slip.zip
new file mode 100644
index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b
GIT binary patch
literal 545
zcmWIWW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB(
zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJm76a&LlprHwl)s`S02)6*So}T`Ippx7I
z{nWC|9FT|Lj?Pm62|-=W$Rx*%D=;L0E@xl>dYWNLBZ!3v8dgZqpan~SHzSh>Gwx6T
jnE?Vz8bg8PfCLE8QsgiR@MdKLxrhk}K_2A>d6oeH^pk5C

literal 0
HcmV?d00001

diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..aaab1c0
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: CVE-2019-13032 CVE-2019-13241
+Depends: flightcrew
