[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#947102: marked as done (buster-pu: filezilla/3.39.0-2+deb10u1 [RC] -- Full-featured graphical FTP/FTPS/SFTP client)

Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #947102,
regarding buster-pu: filezilla/3.39.0-2+deb10u1 [RC] -- Full-featured graphical FTP/FTPS/SFTP client
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
947102: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947102
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: important
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Attached is a debdiff that resolves CVE in package 'filezilla' on
buster.

filezilla (3.39.0-2+deb10u1) buster-security; urgency=high

  * Team Upload
  * Added: 02_untrusted_search_path.patch - CVE-2019-5429. (Closes:
#928282)

 -- Phil Wyett <philip.wyett@kathenas.org>  Wed, 18 Dec 2019 20:25:54
0000

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928282
https://security-tracker.debian.org/tracker/CVE-2019-5429

Regards

Phil

-- 

*** Playing the game for the games sake. ***

Twitter: @kathenasorg

IRC: kathenas





diff -Nru filezilla-3.39.0/debian/changelog filezilla-3.39.0/debian/changelog
--- filezilla-3.39.0/debian/changelog	2019-01-25 10:37:54.000000000 +0000
+++ filezilla-3.39.0/debian/changelog	2019-12-18 20:25:54.000000000 +0000
@@ -1,3 +1,10 @@
+filezilla (3.39.0-2+deb10u1) buster-security; urgency=high
+
+  * Team Upload
+  * Added: 02_untrusted_search_path.patch - CVE-2019-5429. (Closes: #928282)
+
+ -- Phil Wyett <philip.wyett@kathenas.org>  Wed, 18 Dec 2019 20:25:54 +0000
+
 filezilla (3.39.0-2) unstable; urgency=medium
 
   * Fixed debian/watch
diff -Nru filezilla-3.39.0/debian/patches/02_untrusted_search_path.patch filezilla-3.39.0/debian/patches/02_untrusted_search_path.patch
--- filezilla-3.39.0/debian/patches/02_untrusted_search_path.patch	1970-01-01 01:00:00.000000000 +0100
+++ filezilla-3.39.0/debian/patches/02_untrusted_search_path.patch	2019-12-18 20:25:54.000000000 +0000
@@ -0,0 +1,402 @@
+Description: Untrusted search path - CVE-2019-5429.
+Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2019-5429
+Upstream commits:
+https://svn.filezilla-project.org/filezilla?view=revision&revision=9097
+https://svn.filezilla-project.org/filezilla?view=revision&revision=9098
+===================================================================
+--- filezilla-3.39.0.orig/src/interface/FileZilla.cpp	2019/02/19 10:40:09	9096
++++ filezilla-3.39.0/src/interface/FileZilla.cpp	2019/02/21 15:21:03	9097
+@@ -48,6 +48,50 @@
+   #error Please build wxWidgets with support for positional arguments.
+ #endif
+ 
++namespace {
++std::wstring GetOwnExecutableDir()
++{
++#ifdef FZ_WINDOWS
++	// Add executable path
++	std::wstring path;
++	path.resize(4095);
++	DWORD res;
++	while (true) {
++		res = GetModuleFileNameW(0, &path[0], path.size() - 1);
++		if (!res) {
++			// Failure
++			return std::wstring();
++		}
++
++		if (res >= path.size() - 1) {
++			path.resize(path.size() * 2);
++			continue;
++		}
++		else {
++			path.resize(res);
++		}
++		break;
++	}
++	size_t pos = path.rfind('\\');
++	if (pos != std::wstring::npos) {
++		return path.substr(0, pos);
++	}
++#elif defined(FZ_MAC)
++	std::wstring executable = wxStandardPaths::Get().GetExecutablePath().ToStdWString();
++	size_t pos = executable.rind('/');
++	if (pos != std::wstring::npos) {
++		return path.substr(0, pos);
++	}
++#elif defined(ENABLE_BINRELOC)
++	const char* p = SELFPATH;
++	if (p && *p == '/') {
++		return fz::to_wstring(std::string(p));
++	}
++#endif
++	return std::wstring();
++}
++}
++
+ CFileZillaApp::CFileZillaApp()
+ {
+ 	m_profile_start = fz::monotonic_clock::now();
+@@ -329,7 +373,7 @@
+ 	return fz::local_filesys::get_file_type(fz::to_native(file), true) == fz::local_filesys::file;
+ }
+ 
+-CLocalPath CFileZillaApp::GetDataDir(std::wstring fileToFind) const
++CLocalPath CFileZillaApp::GetDataDir(std::wstring fileToFind, std::wstring const& prefixSub, bool searchSelfDir) const
+ {
+ 	/*
+ 	 * Finding the resources in all cases is a difficult task,
+@@ -344,102 +388,78 @@
+ 
+ #ifdef __WXMAC__
+ 	CLocalPath path(wxStandardPaths::Get().GetDataDir().ToStdWstring());
+-	if (FileExists(path.GetPath() + fileToFind)) {
++	if (searchSelfDir && FileExists(path.GetPath() + fileToFind)) {
+ 		return path;
+ 	}
+ 
+ 	return CLocalPath();
+ #else
+ 
+-	wxPathList pathList;
+-	// FIXME: --datadir cmdline
+-
+ 	// First try the user specified data dir.
+-	pathList.AddEnvList(_T("FZ_DATADIR"));
+-
+-	// Next try the current path and the current executable path.
+-	// Without this, running development versions would be difficult.
+-	pathList.Add(wxGetCwd());
+-
+-#ifdef ENABLE_BINRELOC
+-	const char* path = SELFPATH;
+-	if (path && *path) {
+-		wxString datadir(SELFPATH , *wxConvCurrent);
+-		wxFileName fn(datadir);
+-		datadir = fn.GetPath();
+-		if (!datadir.empty())
+-			pathList.Add(datadir);
+-
+-	}
+-	path = DATADIR;
+-	if (path && *path) {
+-		wxString datadir(DATADIR, *wxConvCurrent);
+-		if (!datadir.empty())
+-			pathList.Add(datadir);
+-	}
+-#elif defined __WXMSW__
+-	wxChar path[1024];
+-	int res = GetModuleFileName(0, path, 1000);
+-	if (res > 0 && res < 1000) {
+-		wxFileName fn(path);
+-		pathList.Add(fn.GetPath(wxPATH_GET_VOLUME | wxPATH_GET_SEPARATOR));
++	if (searchSelfDir) {
++		wxString tmp;
++		wxGetEnv(L"FZ_DATADIR", &tmp);
++		CLocalPath path(tmp.ToStdWstring());
++		if (!path.empty() && FileExists(path.GetPath() + fileToFind)) {
++			return path;
++		}
+ 	}
+-#endif //ENABLE_BINRELOC and __WXMSW__ blocks
+ 
+-	// Now scan through the path
+-	pathList.AddEnvList(_T("PATH"));
+-
+-#ifndef __WXMSW__
+-	// Try some common paths
+-	pathList.Add(_T("/usr/share/filezilla"));
+-	pathList.Add(_T("/usr/local/share/filezilla"));
+-#endif
+-
+-	// For each path, check for the resources
+-	wxPathList::const_iterator node;
+-	for (node = pathList.begin(); node != pathList.end(); ++node) {
+-		auto const cur = CLocalPath(node->ToStdWstring()).GetPath();
+-		if (FileExists(cur + fileToFind)) {
+-			return CLocalPath(cur);
+-		}
+-		if (FileExists(cur + _T("share/filezilla/") + fileToFind)) {
+-			return CLocalPath(cur + _T("/share/filezilla"));
++	std::wstring selfDir = GetOwnExecutableDir();
++	if (!selfDir.empty()) {
++		if (searchSelfDir && FileExists(selfDir + L"/" + fileToFind)) {
++			return CLocalPath(selfDir);
+ 		}
+-		if (FileExists(cur + _T("filezilla/") + fileToFind)) {
+-			return CLocalPath(cur + _T("filezilla"));
+-		}
+-	}
+ 
+-	for (node = pathList.begin(); node != pathList.end(); ++node) {
+-		auto const cur = CLocalPath(node->ToStdWstring()).GetPath();
+-		if (FileExists(cur + _T("../") + fileToFind)) {
+-			return CLocalPath(cur + _T("/.."));
++		if (!prefixSub.empty() && selfDir.size() > 4 && fz::ends_with(selfDir, std::wstring(L"/bin"))) {
++			std::wstring path = selfDir.substr(0, selfDir.size() - 3) + prefixSub + L"/";
++			if (FileExists(path + fileToFind)) {
++				return CLocalPath(path);
++			}
+ 		}
+-		if (FileExists(cur + _T("../share/filezilla/") + fileToFind)) {
+-			return CLocalPath(cur + _T("../share/filezilla"));
++
++		// Development paths
++		if (searchSelfDir && selfDir.size() > 6 && fz::ends_with(selfDir, std::wstring(L"/.libs"))) {
++			std::wstring path = selfDir.substr(0, selfDir.size() - 5);
++			if (FileExists(path + L"Makefile")) {
++				if (FileExists(path + fileToFind)) {
++					return CLocalPath(path);
++				}
++			}
+ 		}
+ 	}
+ 
+-	for (node = pathList.begin(); node != pathList.end(); ++node) {
+-		auto const cur = CLocalPath(node->ToStdWstring()).GetPath();
+-		if (FileExists(cur + _T("../../") + fileToFind)) {
+-			return CLocalPath(cur + _T("../.."));
++	// Now scan through the path
++	if (!prefixSub.empty()) {
++		wxPathList pathList;
++		pathList.AddEnvList(L"PATH");
++
++		// For each path, check for the resources
++		wxPathList::const_iterator node;
++		for (node = pathList.begin(); node != pathList.end(); ++node) {
++			auto const cur = node->ToStdWstring();
++			if (cur.size() > 4 && fz::ends_with(cur, std::wstring(L"/bin"))) {
++				std::wstring path = cur.substr(0, cur.size() - 3) + prefixSub + L"/";
++				if (FileExists(path + fileToFind)) {
++					return CLocalPath(path);
++				}
++			}
+ 		}
+ 	}
+ 
+ 	return CLocalPath();
+-#endif //__WXMAC__
++#endif
+ }
+ 
+ bool CFileZillaApp::LoadResourceFiles()
+ {
+ 	AddStartupProfileRecord("CFileZillaApp::LoadResourceFiles");
+-	m_resourceDir = GetDataDir(_T("resources/defaultfilters.xml"));
++	m_resourceDir = GetDataDir(L"resources/defaultfilters.xml", L"share/filezilla");
+ 
+ 	wxImage::AddHandler(new wxPNGHandler());
+ 
+ 	if (m_resourceDir.empty()) {
+-		wxString msg = _("Could not find the resource files for FileZilla, closing FileZilla.\nYou can set the data directory of FileZilla using the '--datadir <custompath>' commandline option or by setting the FZ_DATADIR environment variable.");
++		wxString msg = _("Could not find the resource files for FileZilla, closing FileZilla.\nYou can specify the data directory of FileZilla by setting the FZ_DATADIR environment variable.");
+ 		wxMessageBoxEx(msg, _("FileZilla Error"), wxOK | wxICON_ERROR);
+ 		return false;
+ 	}
+@@ -468,7 +488,7 @@
+ 
+ #endif
+ 	if (m_defaultsDir.empty()) {
+-		m_defaultsDir = GetDataDir(_T("fzdefaults.xml"));
++		m_defaultsDir = GetDataDir(L"fzdefaults.xml", L"share/filezilla");
+ 	}
+ 
+ 	return !m_defaultsDir.empty();
+@@ -477,24 +497,18 @@
+ bool CFileZillaApp::LoadLocales()
+ {
+ 	AddStartupProfileRecord("CFileZillaApp::LoadLocales");
+-#ifndef __WXMAC__
+-	m_localesDir = GetDataDir(_T("../locale/de/filezilla.mo"));
+-	if (m_localesDir.empty()) {
+-		m_localesDir = GetDataDir(_T("../locale/de/LC_MESSAGES/filezilla.mo"));
+-	}
++	m_localesDir = GetDataDir(L"locales/de/filezilla.mo", std::wstring());
+ 	if (!m_localesDir.empty()) {
+-		m_localesDir.ChangePath( _T("../locale") );
++		m_localesDir.AddSegment(_T("locales"));
+ 	}
++#ifndef __WXMAC__
+ 	else {
+-		m_localesDir = GetDataDir(_T("locales/de/filezilla.mo"));
+-		if (!m_localesDir.empty()) {
+-			m_localesDir.AddSegment(_T("locales"));
++		m_localesDir = GetDataDir(L"de/filezilla.mo", L"share/locale", false);
++		if (m_localesDir.empty()) {
++			m_localesDir = GetDataDir(L"de/LC_MESSAGES/filezilla.mo", L"share/locale", false);
+ 		}
+ 	}
+-#else
+-	m_localesDir.SetPath(wxStandardPaths::Get().GetDataDir().ToStdWstring() + _T("/locales"));
+ #endif
+-
+ 	if (!m_localesDir.empty()) {
+ 		wxLocale::AddCatalogLookupPathPrefix(m_localesDir.GetPath());
+ 	}
+@@ -584,34 +598,33 @@
+ void CFileZillaApp::CheckExistsFzsftp()
+ {
+ 	AddStartupProfileRecord("FileZillaApp::CheckExistsFzsftp");
+-	CheckExistsTool(L"fzsftp", {L"/src/putty", L"/putty"}, L"FZ_FZSFTP", OPTION_FZSFTP_EXECUTABLE, _("SFTP support"));
++	CheckExistsTool(L"fzsftp", L"/../putty", L"FZ_FZSFTP", OPTION_FZSFTP_EXECUTABLE, _("SFTP support"));
+ }
+ 
+ #if ENABLE_STORJ
+ void CFileZillaApp::CheckExistsFzstorj()
+ {
+ 	AddStartupProfileRecord("FileZillaApp::CheckExistsFzstorj");
+-	CheckExistsTool(L"fzstorj", {L"/src/storj", L"/storj"}, L"FZ_FZSTORJ", OPTION_FZSTORJ_EXECUTABLE, _("Storj support"));
++	CheckExistsTool(L"fzstorj", L"/../putty", L"FZ_FZSTORJ", OPTION_FZSTORJ_EXECUTABLE, _("Storj support"));
+ }
+ #endif
+ 
+-void CFileZillaApp::CheckExistsTool(std::wstring const& tool, std::vector<std::wstring> const& searchPaths, std::wstring const& env, int setting, wxString const& description)
++void CFileZillaApp::CheckExistsTool(std::wstring const& tool, std::wstring const& buildRelPath, std::wstring const& env, int setting, wxString const& description)
+ {
+ 	// Get the correct path to the specified tool
+ 
++	bool found = false;
++	wxString executable;
++
+ #ifdef __WXMAC__
+-	wxString executable = wxStandardPaths::Get().GetExecutablePath();
+-	int pos = executable.Find('/', true);
+-	if (pos != -1) {
+-		executable = executable.Left(pos);
+-	}
+-	executable += _T("/") + tool;
+-	if (!wxFileName::FileExists(executable.ToStdWstring())) {
+-		wxMessageBoxEx(wxString::Format(_("%s could not be found. Without this component of FileZilla, %s will not work.\n\nPlease download FileZilla again. If this problem persists, please submit a bug report."), executable, description),
+-			_("File not found"), wxICON_ERROR);
+-		executable.clear();
++	// On Mac we only look inside the bundle
++	std::wstring path = GetOwnExecutableDir();
++	if (!path.empty()) {
++		executable = path + '/' + tool;
++		if (wxFileName::FileExists(executable.ToStdWstring())) {
++			found = true;
++		}
+ 	}
+-
+ #else
+ 
+ 	wxString program = tool;
+@@ -619,10 +632,7 @@
+ 	program += _T(".exe");
+ #endif
+ 
+-	bool found = false;
+-
+ 	// First check the given environment variable
+-	wxString executable;
+ 	if (wxGetEnv(env, &executable)) {
+ 		if (wxFileName::FileExists(executable.ToStdWstring())) {
+ 			found = true;
+@@ -632,34 +642,24 @@
+ 	if (!found) {
+ 		wxPathList pathList;
+ 
+-		// Add current working directory
+-		const wxString &cwd = wxGetCwd();
+-		pathList.Add(cwd);
+-#ifdef __WXMSW__
+-
+-		// Add executable path
+-		wxChar modulePath[1000];
+-		DWORD len = GetModuleFileName(0, modulePath, 999);
+-		if (len) {
+-			modulePath[len] = 0;
+-			wxString path(modulePath);
+-			int pos = path.Find('\\', true);
+-			if (pos != -1) {
+-				path = path.Left(pos);
+-				pathList.Add(path);
++		std::wstring path = GetOwnExecutableDir();
++		if (!path.empty()) {
++			pathList.Add(path);
++
++			// Check if running from build dir
++			if (path.size() > 6 && fz::ends_with(path, std::wstring(L"/.libs"))) {
++				if (wxFileName::FileExists(path.substr(0, path.size() - 6) + L"/Makefile")) {
++					pathList.Add(path + L"/.." + buildRelPath);
++				}
++			}
++			else if (wxFileName::FileExists(path + L"/Makefile")) {
++				pathList.Add(path + buildRelPath);
+ 			}
+-		}
+-#endif
+-
+-		// Add a few paths relative to the current working directory
+-		pathList.Add(cwd + _T("/bin"));
+-		for (auto const& path : searchPaths) {
+-			pathList.Add(cwd + path);
+-		}
+ 
+-		executable = pathList.FindAbsoluteValidPath(program);
+-		if (!executable.empty()) {
+-			found = true;
++			executable = pathList.FindAbsoluteValidPath(program);
++			if (!executable.empty()) {
++				found = true;
++			}
+ 		}
+ 	}
+ 
+@@ -690,6 +690,7 @@
+ 			found = true;
+ 		}
+ 	}
++#endif
+ 
+ 	if (!found) {
+ 		// Quote path if it contains spaces
+@@ -701,8 +702,6 @@
+ 			_("File not found"), wxICON_ERROR | wxOK);
+ 		executable.clear();
+ 	}
+-#endif
+-
+ 	COptions::Get()->SetOption(setting, executable.ToStdWstring());
+ }
+ 
+--- filezilla-3.39.0.orig/src/interface/filezillaapp.h	2019/02/19 10:40:09	9096
++++ filezilla-3.39.0/src/interface/filezillaapp.h	2019/02/21 14:47:03	9097
+@@ -45,7 +45,7 @@
+ 	void AddStartupProfileRecord(std::string const& msg);
+ 
+ protected:
+-	void CheckExistsTool(std::wstring const& tool, std::vector<std::wstring> const& searchPaths, std::wstring const& env, int setting, wxString const& description);
++	void CheckExistsTool(std::wstring const& tool, std::wstring const& buildRelPath, std::wstring const& env, int setting, wxString const& description);
+ 
+ 	bool InitDefaultsDir();
+ 	bool LoadResourceFiles();
+@@ -62,7 +62,7 @@
+ 	virtual void OnFatalException();
+ #endif
+ 
+-	CLocalPath GetDataDir(std::wstring fileToFind) const;
++	CLocalPath GetDataDir(std::wstring fileToFind, std::wstring const& prefixSub, bool searchSelfDir = true) const;
+ 
+ 	bool FileExists(std::wstring const& file) const;
+ 
diff -Nru filezilla-3.39.0/debian/patches/series filezilla-3.39.0/debian/patches/series
--- filezilla-3.39.0/debian/patches/series	2019-01-25 10:37:54.000000000 +0000
+++ filezilla-3.39.0/debian/patches/series	2019-12-18 20:23:05.000000000 +0000
@@ -1 +1,2 @@
 01_remove-xdg-check.patch
+02_untrusted_search_path.patch

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
Reply to: