Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #939967,
regarding stretch-pu: package flightcrew/0.7.2+dfsg-9+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
939967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit <submit@bugs.debian.org>
- Subject: stretch-pu: package flightcrew/0.7.2+dfsg-9+deb9u1
- From: François Mazen <francois@mzf.fr>
- Date: Tue, 10 Sep 2019 16:34:53 +0200
- Message-id: <5d0a0ee90070c9c50cbb5ecb51d9dae70a5efbde.camel@mzf.fr>
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hello,

I would like to update the flightcrew package in the Stretch release. The goal is to fix CVE-2019-13241. Please find attached the debdiff.

Best Regards,
François

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash

From 24d531e5efce69f77b85d8c16aef2a099e9f143c Mon Sep 17 00:00:00 2001 From: Francois Mazen <francois@mzf.fr> Date: Tue, 10 Sep 2019 16:28:31 +0200 Subject: [PATCH] Fix CVE-2019-13241. --- debian/changelog | 6 ++++++ debian/patches/fix-CVE-2019-13241.diff | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + debian/source/include-binaries | 1 + debian/tests/CVE-2019-13241 | 28 ++++++++++++++++++++++++++++ debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes debian/tests/control | 2 ++ 7 files changed, 97 insertions(+) create mode 100644 debian/patches/fix-CVE-2019-13241.diff create mode 100644 debian/source/include-binaries create mode 100644 debian/tests/CVE-2019-13241 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip create mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index f602446..511639c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +flightcrew (0.7.2+dfsg-9+deb9u1) stretch; urgency=medium + + * Fix CVE-2019-13241 for stretch release. + + -- Francois Mazen <francois@mzf.fr> Tue, 10 Sep 2019 15:34:26 +0200 + flightcrew (0.7.2+dfsg-9) unstable; urgency=medium * d/copyright: claim copyright for the 2017.
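Review bot: the changelog line `* Fix CVE-2019-13241 for stretch release.` does not say what the CVE is, and this entry is what the point-release announcement and `apt changelog` show to users; name the issue and the fix, e.g. `* Fix CVE-2019-13241: path traversal (zip slip) when extracting epub entries; reject entries whose canonical path leaves the extraction folder, and add an autopkgtest for it.` The trailer timestamp (15:34:26) also predates the commit date in the patch header (16:28:31), which suggests the entry was finalised before the last edit; running `dch -r` right before building keeps the two consistent.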
diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff new file mode 100644 index 0000000..98019d0 --- /dev/null +++ b/debian/patches/fix-CVE-2019-13241.diff @@ -0,0 +1,59 @@ +Description: fix CVE-2019-13241 +Author: Francois Mazen <francois@mzf.fr> + + +--- a/src/zipios/src/zipextraction.cpp ++++ b/src/zipios/src/zipextraction.cpp +@@ -63,6 +63,44 @@ + fs::create_directory( filepath ); + } + ++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path) ++{ ++ ++ fs::path canonical_path = fs::weakly_canonical(file_path); ++ fs::path canonical_root_path = fs::weakly_canonical(root_folder); ++ ++ fs::path::iterator root_iterator = canonical_root_path.begin(); ++ fs::path::iterator path_iterator = canonical_path.begin(); ++ bool isDifferenceFound = false; ++ while(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator != canonical_path.end()) ++ { ++ if((*root_iterator) != (*path_iterator)) ++ { ++ isDifferenceFound = true; ++ } ++ else ++ { ++ ++root_iterator; ++ ++path_iterator; ++ } ++ } ++ ++ if(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator == canonical_path.end()) ++ { ++ // We reached the end of the path without iterating the whole root. ++ isDifferenceFound = true; ++ } ++ ++ if(isDifferenceFound) ++ { ++ throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ; ++ } ++} ++ + + void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_folder ) + { +@@ -75,6 +113,7 @@ + + fs::path new_file_path = path_to_folder / (*it)->getName(); + ++ CheckPathTraversalVulnerability(path_to_folder, new_file_path); + CreateFilepath( new_file_path ); + WriteEntryToFile( *stream, new_file_path ); + } diff --git a/debian/patches/series b/debian/patches/series index dd411b2..f8c0cdb 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -3,3 +3,4 @@ disable_filesystem3_overload modify_cmake_for_debian reproducible-build use_random_unique_tmp_path +fix-CVE-2019-13241.diff diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 0000000..5b216eb --- /dev/null +++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/tests/CVE-2019-13241_zip-slip.zip diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241 new file mode 100644 index 0000000..baac7e0 --- /dev/null +++ b/debian/tests/CVE-2019-13241 @@ -0,0 +1,28 @@ +#!/bin/sh + +# Check the CVE-2019-13241 vulnerability. +# See https://security-tracker.debian.org/tracker/CVE-2019-13241 +# Author: Francois Mazen <francois@mzf.fr> + +EVIL_FILE=/tmp/evil.txt + +if [ -f "$EVIL_FILE" ]; then + echo "$EVIL_FILE exists, removing it." + rm -f $EVIL_FILE +else + echo "$EVIL_FILE does not exist" +fi + +echo "Opening the evil zip file." +flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1 + +if [ -f "$EVIL_FILE" ]; then + echo "$EVIL_FILE exists! The program is vulnerable." + exit 1 +else + echo "$EVIL_FILE does not exist, no vulnerability." + exit 0 +fi + + + diff --git a/debian/tests/CVE-2019-13241_zip-slip.zip b/debian/tests/CVE-2019-13241_zip-slip.zip new file mode 100644 index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b GIT binary patch literal 545 zc$^FHW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB( zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJkou%T0dh9)>xTY`8X+ycaUdin!`N^%SI zQ_C`QKpuiSI!^&41a&ndlN>Xyz>olo13k^Kq!GkI1Pv=BXwZTMWSR&w?ofb%C5@qj WBuoOlS=m4?Vgf>tN4Y_sWdH#5lWQ0N literal 0 Hc$@<O00001 diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..d4371d1 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,2 @@ +Tests: CVE-2019-13241 +Depends: flightcrew -- libgit2 0.27.7Attachment: signature.asc
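Review bot: the DEP-3 header of fix-CVE-2019-13241.diff carries only `Description:` and `Author:`; add `Bug: https://security-tracker.debian.org/tracker/CVE-2019-13241` (the URL the test script already cites), `Forwarded:` and `Last-Update:` so the patch's upstream status is on record, and expand the description to say what is checked (entries whose canonical path leaves the extraction folder are rejected with InvalidStateException). On the check itself: the component walk plus the trailing `root_iterator != canonical_root_path.end() && path_iterator == canonical_path.end()` test correctly rejects both a path that diverges from the root and a path that is a strict prefix of it, but `fs::weakly_canonical(root_folder)` is recomputed, with filesystem lookups, for every archive entry because the call sits next to `path_to_folder / (*it)->getName()` inside the per-entry loop of ExtractZipToFolder; canonicalise `path_to_folder` once before the loop and pass the result in. The four-iterator `std::mismatch(root.begin(), root.end(), path.begin(), path.end())` would also replace the hand-written loop and the `isDifferenceFound` flag with one comparison of `.first` against `canonical_root_path.end()`. Finally, the check is only as good as the path it is handed: `new_file_path` is built with the `operator/` of the `fs::path` in use, so confirm what an absolute entry name produces on the Boost shipped in stretch, since the fixture covers only the `..` form.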
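Review bot: debian/tests/CVE-2019-13241 decides the outcome solely from whether /tmp/evil.txt exists afterwards and ignores the exit status of flightcrew-cli, so a run in which the archive is never opened is reported as `no vulnerability`; that is a real risk here because `--input-file CVE-2019-13241_zip-slip.zip` is relative to the working directory while the script lives in debian/tests, and autopkgtest runs tests from the root of the unpacked source tree. Resolve the fixture relative to the script, e.g. `zip="$(dirname "$0")/CVE-2019-13241_zip-slip.zip"`, capture the CLI output and require the rejection text from the patch (`Corrupt epub detected with local file path`, assuming flightcrew-cli prints the exception message) so that a missing fixture fails the test instead of passing it, and quote `"$EVIL_FILE"` in the `rm -f`. Since the traversal target is baked into the fixture the test cannot be relocated under $AUTOPKGTEST_TMP, so add `trap 'rm -f "$EVIL_FILE"' EXIT` so a failing run does not leave the file behind in the shared /tmp.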
--- End Message ---
--- Begin Message ---
- To: 887324-done@bugs.debian.org, 902487-done@bugs.debian.org, 933263-done@bugs.debian.org, 935728-done@bugs.debian.org, 935970-done@bugs.debian.org, 939364-done@bugs.debian.org, 939897-done@bugs.debian.org, 939907-done@bugs.debian.org, 939967-done@bugs.debian.org, 940246-done@bugs.debian.org, 940477-done@bugs.debian.org, 940714-done@bugs.debian.org, 940715-done@bugs.debian.org, 941126-done@bugs.debian.org, 941169-done@bugs.debian.org, 941350-done@bugs.debian.org, 941452-done@bugs.debian.org, 942024-done@bugs.debian.org, 942110-done@bugs.debian.org, 942839-done@bugs.debian.org, 942840-done@bugs.debian.org, 942841-done@bugs.debian.org, 943352-done@bugs.debian.org, 943564-done@bugs.debian.org, 943606-done@bugs.debian.org, 944186-done@bugs.debian.org, 944233-done@bugs.debian.org, 944282-done@bugs.debian.org, 944794-done@bugs.debian.org, 944866-done@bugs.debian.org, 945821-done@bugs.debian.org, 945944-done@bugs.debian.org, 946159-done@bugs.debian.org, 946185-done@bugs.debian.org, 946558-done@bugs.debian.org, 946560-done@bugs.debian.org, 946570-done@bugs.debian.org, 946654-done@bugs.debian.org, 946704-done@bugs.debian.org, 946824-done@bugs.debian.org, 946907-done@bugs.debian.org, 947204-done@bugs.debian.org, 947255-done@bugs.debian.org, 947747-done@bugs.debian.org, 947834-done@bugs.debian.org, 948219-done@bugs.debian.org, 948391-done@bugs.debian.org, 948401-done@bugs.debian.org, 948465-done@bugs.debian.org, 948649-done@bugs.debian.org, 948704-done@bugs.debian.org, 948715-done@bugs.debian.org, 948730-done@bugs.debian.org, 948737-done@bugs.debian.org, 948898-done@bugs.debian.org, 949838-done@bugs.debian.org, 949853-done@bugs.debian.org, 949900-done@bugs.debian.org, 949905-done@bugs.debian.org, 949907-done@bugs.debian.org, 949909-done@bugs.debian.org, 950156-done@bugs.debian.org, 950256-done@bugs.debian.org, 950281-done@bugs.debian.org, 950309-done@bugs.debian.org
- Subject: Closing bugs included in 9.12
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 08 Feb 2020 14:23:35 +0000
- Message-id: <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's oldstable point release.

Regards,

Adam
--- End Message ---