
Bug#939967: marked as done (stretch-pu: package flightcrew/0.7.2+dfsg-9+deb9u1)



Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #939967,
regarding stretch-pu: package flightcrew/0.7.2+dfsg-9+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
939967: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939967
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hello,

I would like to update the flightcrew package in the Stretch release.

The goal is to fix CVE-2019-13241.

Please find attached the debdiff.

Best Regards,
François

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500,
'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
From 24d531e5efce69f77b85d8c16aef2a099e9f143c Mon Sep 17 00:00:00 2001
From: Francois Mazen <francois@mzf.fr>
Date: Tue, 10 Sep 2019 16:28:31 +0200
Subject: [PATCH] Fix CVE-2019-13241.

---
 debian/changelog                         |  6 ++++++
 debian/patches/fix-CVE-2019-13241.diff   | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series                    |  1 +
 debian/source/include-binaries           |  1 +
 debian/tests/CVE-2019-13241              | 28 ++++++++++++++++++++++++++++
 debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes
 debian/tests/control                     |  2 ++
 7 files changed, 97 insertions(+)
 create mode 100644 debian/patches/fix-CVE-2019-13241.diff
 create mode 100644 debian/source/include-binaries
 create mode 100644 debian/tests/CVE-2019-13241
 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip
 create mode 100644 debian/tests/control

diff --git a/debian/changelog b/debian/changelog
index f602446..511639c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+flightcrew (0.7.2+dfsg-9+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2019-13241 for stretch release.
+
+ -- Francois Mazen <francois@mzf.fr>  Tue, 10 Sep 2019 15:34:26 +0200
+
 flightcrew (0.7.2+dfsg-9) unstable; urgency=medium
 
   * d/copyright: claim copyright for the 2017.
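Review bot: the new entry "Fix CVE-2019-13241 for stretch release." does not say what was changed. Naming the added patch (fix-CVE-2019-13241.diff, a path check during zip extraction) and the new autopkgtest under debian/tests would let a reader of the changelog see the scope of the upload without opening the debdiff.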
diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff
new file mode 100644
index 0000000..98019d0
--- /dev/null
+++ b/debian/patches/fix-CVE-2019-13241.diff
@@ -0,0 +1,59 @@
+Description: fix CVE-2019-13241
+Author: Francois Mazen <francois@mzf.fr>
+
+
+--- a/src/zipios/src/zipextraction.cpp
++++ b/src/zipios/src/zipextraction.cpp
+@@ -63,6 +63,44 @@
+         fs::create_directory( filepath );
+ }
+ 
++void CheckPathTraversalVulnerability(const fs::path& root_folder,  const fs::path& file_path)
++{
++
++    fs::path canonical_path = fs::weakly_canonical(file_path);
++    fs::path canonical_root_path = fs::weakly_canonical(root_folder);
++
++    fs::path::iterator root_iterator = canonical_root_path.begin();
++    fs::path::iterator path_iterator = canonical_path.begin();
++    bool isDifferenceFound = false;
++    while(!isDifferenceFound &&
++          root_iterator != canonical_root_path.end() &&
++          path_iterator != canonical_path.end())
++    {
++        if((*root_iterator) != (*path_iterator))
++        {
++            isDifferenceFound = true;
++        }
++        else
++        {
++            ++root_iterator;
++            ++path_iterator;
++        }
++    }
++
++    if(!isDifferenceFound &&
++       root_iterator != canonical_root_path.end() &&
++       path_iterator == canonical_path.end())
++    {
++        // We reached the end of the path without iterating the whole root.
++        isDifferenceFound = true;
++    }
++
++    if(isDifferenceFound)
++    {
++        throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ;
++    }
++}
++
+ 
+ void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_folder )
+ {
+@@ -75,6 +113,7 @@
+ 
+         fs::path new_file_path = path_to_folder / (*it)->getName();
+ 
++        CheckPathTraversalVulnerability(path_to_folder, new_file_path);
+         CreateFilepath( new_file_path );
+         WriteEntryToFile( *stream, new_file_path );
+     }
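Review bot: in CheckPathTraversalVulnerability, an entry whose canonical path equals the root itself is accepted: both iterators reach end() together, isDifferenceFound stays false, and ExtractZipToFolder goes on to call CreateFilepath and WriteEntryToFile with the extraction directory as the target. That stays inside the root, so it is not a traversal, but rejecting it in the check gives a clearer failure. Treating `path_iterator == canonical_path.end()` after the loop as a difference regardless of where root_iterator stands covers this case and the shorter-than-root case the second `if` already handles. Two smaller points: `fs::weakly_canonical(root_folder)` is recomputed on every call and could be computed once per extraction in ExtractZipToFolder, and the patch header carries only Description and Author, so adding Forwarded and Bug fields would record whether upstream has the fix.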
diff --git a/debian/patches/series b/debian/patches/series
index dd411b2..f8c0cdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ disable_filesystem3_overload
 modify_cmake_for_debian
 reproducible-build
 use_random_unique_tmp_path
+fix-CVE-2019-13241.diff
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..5b216eb
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/tests/CVE-2019-13241_zip-slip.zip
diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241
new file mode 100644
index 0000000..baac7e0
--- /dev/null
+++ b/debian/tests/CVE-2019-13241
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Check the CVE-2019-13241 vulnerability.
+# See https://security-tracker.debian.org/tracker/CVE-2019-13241
+# Author: Francois Mazen <francois@mzf.fr>
+
+EVIL_FILE=/tmp/evil.txt
+
+if [ -f "$EVIL_FILE" ]; then
+    echo "$EVIL_FILE exists, removing it."
+    rm -f $EVIL_FILE
+else 
+    echo "$EVIL_FILE does not exist"
+fi
+
+echo "Opening the evil zip file."
+flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1
+
+if [ -f "$EVIL_FILE" ]; then
+    echo "$EVIL_FILE exists! The program is vulnerable."
+    exit 1
+else 
+    echo "$EVIL_FILE does not exist, no vulnerability."
+    exit 0
+fi
+
+
+
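Review bot: the verdict rests only on whether /tmp/evil.txt exists after the `flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1` line, and the exit status of that command is ignored, so a run in which the archive is never opened also prints "no vulnerability" and exits 0. The archive is passed as a bare relative name, which makes that outcome depend on the working directory the test is started from. Giving the path relative to a known directory and failing early when the file is missing would close that gap. Also quote the variable in `rm -f $EVIL_FILE`, as the `[ -f "$EVIL_FILE" ]` tests already do.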
diff --git a/debian/tests/CVE-2019-13241_zip-slip.zip b/debian/tests/CVE-2019-13241_zip-slip.zip
new file mode 100644
index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b
GIT binary patch
literal 545
zc$^FHW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB(
zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJkou%T0dh9)>xTY`8X+ycaUdin!`N^%SI
zQ_C`QKpuiSI!^&41a&ndlN>Xyz>olo13k^Kq!GkI1Pv=BXwZTMWSR&w?ofb%C5@qj
WBuoOlS=m4?Vgf>tN4Y_sWdH#5lWQ0N

literal 0
Hc$@<O00001

diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..d4371d1
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: CVE-2019-13241
+Depends: flightcrew
--
libgit2 0.27.7



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---
