Your message dated Sun, 31 Mar 2019 15:07:14 +0100
with message-id <[email protected]>
and subject line Re: Bug#892070: stretch-pu: package obs-build/20160921-1
has caused the Debian Bug report #892070,
regarding stretch-pu: package obs-build/20160921-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
892070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892070
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Hello,
I would like to push security fix into stable for `obs-build`.
The patch fixes CVE-2017-14804 as described in #887306.
Please consider the following patch attached.
Regards
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru obs-build-20170201/debian/changelog
obs-build-20170201/debian/changelog
--- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20170201-3+deb9u1) stretch; urgency=medium
+
+ * CVE-2017-14804 (Closes: #887306)
+ - Improve extractbuild to avoid write to files in the host system.
+ - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <[email protected]> Sun, 04 Mar 2018 23:05:06 +0100
+
obs-build (20170201-3) unstable; urgency=medium
[ Sjoerd Simons ]
diff -Nru
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
---
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
1970-01-01 01:00:00.000000000 +0100
+++
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
2018-03-04 23:01:56.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id:
<fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-...@gmx.de>
+From: Marcus Huewe <[email protected]>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+ my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+ die("invalid input '$_'\n") unless defined($file);
+ $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++ die("already processed: $file\n") if $done{$file};
+ die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+ if ($file =~ /^(.*)\//s) {
+ die("file without directory: $file\n") unless $done{$1} && $done{$1} eq
'd';
+@@ -88,6 +90,7 @@ while (<S>) {
+ my $target = $filesize;
+ die("symlink without target\n") unless defined $target;
+ $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++ die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+ die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+ if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+ my ($head, $tail) = ($1, $2);
diff -Nru obs-build-20170201/debian/patches/series
obs-build-20170201/debian/patches/series
--- obs-build-20170201/debian/patches/series 2017-08-04 23:24:36.000000000
+0200
+++ obs-build-20170201/debian/patches/series 2018-03-04 23:03:58.000000000
+0100
@@ -15,3 +15,4 @@
HACK-Make-glibc-build.patch
debootstrap-generate-apt-caches.patch
+Improve-sanity-checks-in-extractbuild.patch
--- End Message ---
--- Begin Message ---
On Sat, 2019-03-09 at 16:31 +0000, Adam D. Barratt wrote:
> On Fri, 2018-11-09 at 06:59 +0100, Salvatore Bonaccorso wrote:
> > Hi Hector,
> >
> > On Tue, Jul 03, 2018 at 08:59:39PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Sun, 2018-03-04 at 23:23 +0100, Hector Oron wrote:
> > > [...]
> > > > 2018-03-04 23:13 GMT+01:00 Héctor Orón Martínez <[email protected]
> > > > rg
> > > > > :
> > >
> > > [...]
> > > > > I would like to push security fix into stable for `obs-
> > > > > build`.
> > > > > The patch fixes CVE-2017-14804 as described in #887306.
> > > > >
> > >
> > > Please go ahead; sorry for the delay.
> >
> > Thats unfortunately to late for 9.6, but given the gonfirmation
> > could
> > you upload the fixed package so it can make it into 9.7?
>
> Ping?
>
> If nothing happens within the next couple of weeks then I plan on
> closing this request.
Doing so with this mail.
Regards,
Adam
--- End Message ---
