On Sat, Mar 25, 2017 at 10:24:54PM +0100, Ola Lundqvist wrote: > Dear maintainer(s), > > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of apt-cacher: > https://bugs.debian.org/858739 (no CVE yet) > > Would you like to take care of this yourself?
I am happy to have a go! I have backported the fix from #858739 to 1.7.10. The sources of 1.7.10+deb7u1 are available from http://hindley.org.uk/~mark/debian I would be grateful if you could review and upload to wheezy LTS if you are happy. Debdiff: Changes at debian/1.7.10 Modified apt-cacher diff --git a/apt-cacher b/apt-cacher index 668b2d8..5bde2e7 100755 --- a/apt-cacher +++ b/apt-cacher @@ -2093,8 +2093,8 @@ sub get_request { $request->protocol($3||'HTTP/1.0'); clean_uri($request->uri); - if($request->uri =~ m#(?:^|/)\.{2}/#) { # Reject ../ or /../ - sendrsp(HTTP::Response->new(403, 'Forbidden: Invalid URI ' . $request->uri)); + if($request->uri =~ m#(?:^|/)\.{2}/|%0[ad]#i) { # Reject ../, /../ or encoded new lines + sendrsp(HTTP::Response->new(403, 'Forbidden: Insecure URI ' . $request->uri)); return 1; # next REQUEST } return $request if $mode && $mode eq 'cgi'; # Not going to get anything else Modified debian/changelog diff --git a/debian/changelog b/debian/changelog index 43310cd..fdd92ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +apt-cacher (1.7.10+deb7u1) wheezy-security; urgency=medium + + * Prevent HTTP response splitting with encoded newlines in + request. Backport of fix for #858739. + + -- Mark Hindley <[email protected]> Sun, 26 Mar 2017 18:25:21 +0100 + apt-cacher (1.7.10) unstable; urgency=low * Internally store http_proxy as URI object which can include Many thanks, Mark
