Package: dpkg-dev
Version: 1.3.0
Severity: important
Tags: security
Hi!
The Dpkg::Source::Patch module does not properly parse and validate
patches, and lets doctored patches through that:
* use an «Index:» pseudo-header with a pathname that does a directory
  traversal, and
* have either
  - no «--- » and «+++ » header lines, or
  - have only a «+++ » with an empty pathname.
For example:
,--- exploit.patch ---
Index: index/symlink/index-file
@@ -0,0 +1,1 @@
+Escaped
`---
or
,--- exploit.patch ---
Index: index/symlink/index-file
+++
@@ -0,0 +1,1 @@
+Escaped
`---
where «symlink» is a symbolic link in the source root directory allowing
the directory traversal.
The semantics on when to use which pathname here [G] are slightly
different from what GNU patch does in POSIX mode [P], because we
explicitly disable POSIX mode on invocation.
[G] Please refer to GNU patch 2.7.1 src/pch.c intuit_diff_type().
[P] <http://pubs.opengroup.org/onlinepubs/9699919799/utilities/patch.html>
This should mainly affect unpacking source packages from untrusted
origins, so should not affect packages coming from the Debian archive
for example.
The version is the one when dpkg-source was introduced. The one
introducing the currently used patch parsing code was 1.13.9.
This is filed publicly now to ease the process of getting a CVE id;
patches for this and the other security issue have been created and
are pending upload, once the id has been assigned.
Thanks,
Guillem
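As an added example (not part of this report or of dpkg's own Dpkg::Source::Patch code), the following Python checker walks a unified diff and flags the two header shapes the report describes: a hunk with no «--- »/«+++ » lines, and a «+++ » with an empty pathname, both of which leave only the «Index:» pathname to be used. It also rejects pathnames that leave the source root lexically, and, when given the unpacked source root, resolves the chosen pathname with realpath so a symlink hop like the report's «index/symlink/index-file» is caught. The sample patches are constructed from the ones quoted above; the function and variable names are my own.

```python
import os
import re

# Constructed samples: the two doctored patches quoted in the report and one
# well-formed unified diff for comparison.
DOCTORED_NO_HEADERS = "Index: index/symlink/index-file\n@@ -0,0 +1,1 @@\n+Escaped\n"
DOCTORED_EMPTY_PLUS = "Index: index/symlink/index-file\n+++\n@@ -0,0 +1,1 @@\n+Escaped\n"
WELL_FORMED = ("Index: debian/rules\n--- a/debian/rules\n+++ b/debian/rules\n"
               "@@ -1,1 +1,1 @@\n-old\n+new\n")

HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def header_path(line):
    # Drop the 3-char marker and any "\ttimestamp" suffix; "" means an empty pathname.
    return line[3:].split("\t")[0].strip()

def check_patch(text, root=None):
    """Return (line_no, reason) findings for hunks whose headers force the Index:
    pathname to be used, and for pathnames that leave the source root (realpath
    is used when root is given, so symlinks inside the tree are followed)."""
    findings, index, old, new, old_left, new_left = [], None, None, None, 0, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if old_left > 0 or new_left > 0:          # inside a hunk body: only count
            tag = line[:1]
            old_left -= tag in ("-", " ", "")     # "\ No newline" counts for neither
            new_left -= tag in ("+", " ", "")
            continue
        if line.startswith("Index: "):
            index, old, new = line[7:].strip(), None, None
        elif line.startswith("---"):
            old = header_path(line)
        elif line.startswith("+++"):
            new = header_path(line)
        elif HUNK_RE.match(line):
            if old is None and new is None:
                findings.append((lineno, "hunk without --- and +++ header lines"))
            elif new == "":
                findings.append((lineno, "+++ header with empty pathname"))
            # With no usable ---/+++ name, the Index: pathname is what gets applied.
            path = new or old or index or ""
            if path.startswith("/") or ".." in path.split("/"):
                findings.append((lineno, "pathname escapes source root: %r" % path))
            if root is not None and path:
                real_root = os.path.realpath(root)
                target = os.path.realpath(os.path.join(real_root, path))
                if os.path.commonpath([real_root, target]) != real_root:
                    findings.append((lineno, "pathname resolves outside root: %r" % path))
            m = HUNK_RE.match(line)
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
    return findings
```

Run it with `root` set to the freshly unpacked source tree before applying patches; without `root` only the header and lexical checks run, which is enough to catch the two shapes quoted in the report.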