-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello.
I've prepared security for jekyll. Debdiff is attached, please review and upload. A test specific to this issue is also ported. I will release the DLA once it is uploaded. - --abhijith -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlu1gxkACgkQhj1N8u2c KO/dag//epxefVKvQetZPrRbje1pNKbHTU/yvUM5PnuC3IBaqGYi/tkHse+MxGSK yLBSYY93GnVvOis20h8fp2GlJ4RkXz1xMezI8oiReCju6tQGbivkc4l6V6NOEnvA 5PHyTuWC1e9sdKKZBwXpQXGQrEaOfWqVA9qyCf+4pfAC02oucyWFF/T96pTVQRA2 Lz6GbEicTeRXoNmUNLj1uWfL5UH9sV2NLu/Necda+QddksGi+Shjmag12QScIe9o cUmH56cRU8R7EmOQoV6ReiQNnJzBR+eJfwoi1SFcxjriUN3WcffVEp9BtoVA9Odl ye3im4bY2n3HmBvpkezoQjE/9/lcDxiHZriuoX93DzuAruzFrS2OK75pnJ4nPcRt nNAJ2QnW/L5BGKrGy7wNct3pyoVWFEemfcGYY+s7oTKs+lldYr5z/HlOIvVGFuJU 1HioYDPhFGl7D9vfNxmX8TJ3lerLNTCEK8WJwmPHLluUnu/wcwvphSAXAsjS17WO ueK4iMChXfubkokcLHAuIXPOu4n7DTjaLVZjUpDtoCFOPfDNczI+awuo0Z3vhD/0 b1D25x95ptOMCqN8+HGV+BHYUV8y+0TgIXsGT+SRxo1N0z5RyvmzDQSlSECzR8uk mkYUtWAVmNHV6JHL/OKMMutQ6vLQv2X0Cq1JaUtVbjtcAgJ5DBo= =ckUi -----END PGP SIGNATURE-----
diff -Nru jekyll-2.2.0+dfsg/debian/changelog jekyll-2.2.0+dfsg/debian/changelog
--- jekyll-2.2.0+dfsg/debian/changelog 2014-11-09 16:34:50.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/changelog 2018-10-02 16:21:08.000000000 +0200
@@ -1,3 +1,14 @@
+jekyll (2.2.0+dfsg-2+deb8u1) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Security Team.
+ * Fix CVE-2018-17567: arbitrary file reads with the use of 'include:'
+ setting in the config file. (Closes: #909933)
+ * New files added to port symlink test:
+ + test/fixtures/test-theme/
+ + test/source/symlink-test/symlinked-file
+
+ -- Abhijith PA <[email protected]> Tue, 02 Oct 2018 19:51:08 +0530
+
 jekyll (2.2.0+dfsg-2) unstable; urgency=medium
 
 * Team upload.
diff -Nru jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch
--- jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch 1970-01-01 01:00:00.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch 2018-10-02 16:21:08.000000000 +0200
@@ -0,0 +1,99 @@
+Author: Abhijith PA <[email protected]>
+Date: Wed Oct 3 21:32:28 2018 +0530
+
+...files added for the symlink test.
+
+diff --git a/test/fixtures/test-theme/_includes/include.html b/test/fixtures/test-theme/_includes/include.html
+new file mode 100644
+index 0000000..9860839
+--- /dev/null
++++ b/test/fixtures/test-theme/_includes/include.html
+@@ -0,0 +1 @@
++<span class="sample">include.html from test-theme</span>
+diff --git a/test/fixtures/test-theme/_layouts/default.html b/test/fixtures/test-theme/_layouts/default.html
+new file mode 100644
+index 0000000..902c61c
+--- /dev/null
++++ b/test/fixtures/test-theme/_layouts/default.html
+@@ -0,0 +1 @@
++default.html from test-theme: {{ content }}
+diff --git a/test/fixtures/test-theme/_sass/test-theme-black.scss b/test/fixtures/test-theme/_sass/test-theme-black.scss
+new file mode 100644
+index 0000000..a1e07da
+--- /dev/null
++++ b/test/fixtures/test-theme/_sass/test-theme-black.scss
+@@ -0,0 +1,3 @@
++.sample {
++ color: black;
++}
+diff --git a/test/fixtures/test-theme/_sass/test-theme-red.scss b/test/fixtures/test-theme/_sass/test-theme-red.scss
+new file mode 100644
+index 0000000..0307e17
+--- /dev/null
++++ b/test/fixtures/test-theme/_sass/test-theme-red.scss
+@@ -0,0 +1,3 @@
++.sample {
++ color: red;
++}
+diff --git a/test/fixtures/test-theme/_symlink b/test/fixtures/test-theme/_symlink
+new file mode 120000
+index 0000000..d2d6aac
+--- /dev/null
++++ b/test/fixtures/test-theme/_symlink
+@@ -0,0 +1 @@
++_layouts
+\ No newline at end of file
+diff --git a/test/fixtures/test-theme/assets/application.coffee b/test/fixtures/test-theme/assets/application.coffee
+new file mode 100644
+index 0000000..02f3351
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/application.coffee
+@@ -0,0 +1,3 @@
++---
++---
++alert "From your theme."
+diff --git a/test/fixtures/test-theme/assets/base.js b/test/fixtures/test-theme/assets/base.js
+new file mode 100644
+index 0000000..00c238e
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/base.js
+@@ -0,0 +1 @@
++alert("From your theme.");
+diff --git a/test/fixtures/test-theme/assets/img/another-logo.png b/test/fixtures/test-theme/assets/img/another-logo.png
+new file mode 120000
+index 0000000..bd36e71
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/img/another-logo.png
+@@ -0,0 +1 @@
++logo.png
+\ No newline at end of file
+diff --git a/test/fixtures/test-theme/assets/img/logo.png b/test/fixtures/test-theme/assets/img/logo.png
+new file mode 100644
+index 0000000..95f0a3b
+Binary files /dev/null and b/test/fixtures/test-theme/assets/img/logo.png differ
+diff --git a/test/fixtures/test-theme/assets/style.scss b/test/fixtures/test-theme/assets/style.scss
+new file mode 100644
+index 0000000..47c4a2f
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/style.scss
+@@ -0,0 +1,3 @@
++---
++---
++@import "test-theme-{{ site.theme-color | default: "red" }}";
+diff --git a/test/fixtures/test-theme/test-theme.gemspec b/test/fixtures/test-theme/test-theme.gemspec
+new file mode 100644
+index 0000000..970e1b8
+--- /dev/null
++++ b/test/fixtures/test-theme/test-theme.gemspec
+@@ -0,0 +1,11 @@
++# frozen_string_literal: true
++
++Gem::Specification.new do |s|
++ s.name = "test-theme"
++ s.version = "0.1.0"
++ s.licenses = ["MIT"]
++ s.summary = "This is a theme used to test Jekyll"
++ s.authors = ["Jekyll"]
++ s.files = ["lib/example.rb"]
++ s.homepage = "https://github.com/jekyll/jekyll"
++end
diff -Nru jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch
--- jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch 1970-01-01 01:00:00.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch 2018-10-02 16:21:08.000000000 +0200
@@ -0,0 +1,149 @@
+Description: CVE-2018-17567
+ Arbitrary file reads with the cunning use of the include: setting in the config
+ file. By simply including a symlink in the include array allowed the symlinked
+ file to be read into the build when they shouldn’t actually be read in any
+ circumstance
+
+ This patch also include symlink test ported from 3.6 to 2.2.0
+
+
+Author: Abhijith PA <[email protected]>
+Bug-Debian: https://bugs.debian.org/909933
+Origin: https://github.com/jekyll/jekyll/commit/31300cb1f434e1e59bc98285d16dfcc574b4ed3e
+Last-Update: 2018-10-03
+
+Index: jekyll-2.2.0+dfsg/lib/jekyll/entry_filter.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/lib/jekyll/entry_filter.rb
++++ jekyll-2.2.0+dfsg/lib/jekyll/entry_filter.rb
+@@ -29,6 +29,13 @@ module Jekyll
+ unless included?(e)
+ special?(e) || backup?(e) || excluded?(e) || symlink?(e)
+ end
++
++ # Reject this entry if it is a symlink.
++ next true if symlink?(e)
++ # Do not reject this entry if it is included.
++ next false if included?(e)
++ # Reject this entry if it is special, a backup file, or excluded.
++ special?(e) || backup?(e) || excluded?(e)
+ end
+ end
+
+Index: jekyll-2.2.0+dfsg/test/helper.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/test/helper.rb
++++ jekyll-2.2.0+dfsg/test/helper.rb
+@@ -36,6 +36,14 @@ class Test::Unit::TestCase
+ test_dir('source', *subdirs)
+ end
+
++ def theme_dir(*subdirs)
++ test_dir("fixtures", "test-theme", *subdirs)
++ end
++
++ def fixture_site(overrides = {})
++ Jekyll::Site.new(site_configuration(overrides))
++ end
++
+ def clear_dest
+ FileUtils.rm_rf(dest_dir)
+ end
+Index: jekyll-2.2.0+dfsg/test/source/symlink-test/symlinked-file-outside-source
+===================================================================
+--- /dev/null
++++ jekyll-2.2.0+dfsg/test/source/symlink-test/symlinked-file-outside-source
+@@ -0,0 +1 @@
++/etc/passwd
+Index: jekyll-2.2.0+dfsg/test/test_entry_filter.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/test/test_entry_filter.rb
++++ jekyll-2.2.0+dfsg/test/test_entry_filter.rb
+@@ -6,7 +6,7 @@ class TestEntryFilter < Test::Unit::Test
+ stub(Jekyll).configuration do
+ Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir})
+ end
+- @site = Site.new(Jekyll.configuration)
++ @site = fixture_site
+ end
+
+ should "filter entries" do
+@@ -69,7 +69,7 @@ class TestEntryFilter < Test::Unit::Test
+ stub(Jekyll).configuration do
+ Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir, 'safe' => true})
+ end
+- site = Site.new(Jekyll.configuration)
++ site = fixture_site
+
+ site.read_directories("symlink-test")
+ assert_equal [], site.pages
+@@ -80,11 +80,21 @@ class TestEntryFilter < Test::Unit::Test
+ stub(Jekyll).configuration do
+ Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir, 'safe' => false})
+ end
+- site = Site.new(Jekyll.configuration)
+
++ @site.reader.read_directories("symlink-test")
++ refute_equal [], @site.pages
++ refute_equal [], @site.static_files
++ end
++
++ should "include only safe symlinks in safe mode even when included" do
++ # no support for symlinks on Windows
++ site = fixture_site("safe" => true, "include" => ["symlinked-file-outside-source"])
+ site.read_directories("symlink-test")
+- assert_not_equal [], site.pages
+- assert_not_equal [], site.static_files
++
++ # rubocop:disable Performance/FixedSize
++ assert_equal %w(main.scss symlinked-file).length, site.pages.length
++ refute_includes site.static_files.map(&:name), "symlinked-file-outside-source"
++ # rubocop:enable Performance/FixedSize
+ end
+ end
+
+Index: jekyll-2.2.0+dfsg/test/test_layout_reader.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/test/test_layout_reader.rb
++++ jekyll-2.2.0+dfsg/test/test_layout_reader.rb
+@@ -30,5 +30,40 @@ class TestLayoutReader < Test::Unit::Tes
+ assert_equal LayoutReader.new(@site).layout_directory, source_dir("blah/_layouts")
+ end
+ end
++
++context "when a layout is a symlink" do
++ setup do
++ FileUtils.ln_sf("/etc/passwd", source_dir("_layouts", "symlink.html"))
++ @site = fixture_site(
++ "safe" => true,
++ "include" => ["symlink.html"]
++ )
++ end
++ teardown do
++ FileUtils.rm(source_dir("_layouts", "symlink.html"))
++ end
++ should "only read the layouts which are in the site" do
++ layouts = LayoutReader.new(@site).read
++ refute layouts.key?("symlink"), "Should not read the symlinked layout"
++ end
++ end
++ context "with a theme" do
++ setup do
++ FileUtils.ln_sf("/etc/passwd", theme_dir("_layouts", "theme-symlink.html"))
++ @site = fixture_site(
++ "include" => ["theme-symlink.html"],
++ "theme" => "test-theme",
++ "safe" => true
++ )
++ end
++ teardown do
++ FileUtils.rm(theme_dir("_layouts", "theme-symlink.html"))
++ end
++ should "not read a symlink'd theme" do
++ layouts = LayoutReader.new(@site).read
++ refute layouts.key?("theme-symlink"), \
++ "Should not read symlinked layout from theme"
++ end
++ end
+ end
+ end
diff -Nru jekyll-2.2.0+dfsg/debian/patches/series jekyll-2.2.0+dfsg/debian/patches/series
--- jekyll-2.2.0+dfsg/debian/patches/series 2014-11-09 16:17:02.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/patches/series 2018-10-02 16:21:08.000000000 +0200
@@ -6,3 +6,6 @@
 0007-Add-newline-in-test_coffee_script.patch
 0008-Update-test-for-newer-RDiscount.patch
 activesupport4
+CVE-2018-17567_and_test_ported_1.patch
+CVE-2018-17567_and_test_ported_2.patch
+
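Review bot: The regression test for the CVE in test/test_entry_filter.rb, `should "include only safe symlinks in safe mode even when included"`, may not exercise a symlink at all: patch 2 adds `test/source/symlink-test/symlinked-file-outside-source` through a plain unified hunk whose single line is `/etc/passwd`, and that format carries no symlink mode, so applying it yields a regular file containing that text; unless something outside this debdiff turns it into a symlink, the new `next false if included?(e)` keeps the entry and `refute_includes site.static_files.map(&:name), "symlinked-file-outside-source"` fails instead of proving the fix. In the same file the unsafe-mode test now calls `@site.reader.read_directories("symlink-test")` while the two neighbouring tests call `site.read_directories(...)` on the Site directly; if 2.2.0's Site has no `reader` accessor (the surrounding calls suggest that split is a 3.x API) this test raises NoMethodError. In lib/jekyll/entry_filter.rb the fix appends to the reject block but leaves the original `unless included?(e) … end` expression above `next true if symlink?(e)`, where its value is discarded and every predicate is evaluated twice; turn those three context lines into removals (the enclosing `filter` method starts outside the hunk). The "with a theme" context in test/test_layout_reader.rb configures `"theme" => "test-theme"`, but if 2.2.0 has no theme support LayoutReader never reads theme_dir and its assertion passes vacuously, so it documents nothing about the fix. The hunk also introduces `refute`, `refute_equal` and `refute_includes` into files that used `assert_not_equal`; confirm the test-unit shipped in jessie provides those aliases.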
