Bug#892070: marked as done (stretch-pu: package obs-build/20160921-1)

Debian Bug Tracking System Sat, 27 Apr 2019 03:19:42 -0700

Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #892070,
regarding stretch-pu: package obs-build/20160921-1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
892070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892070
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

Hello,

  I would like to push security fix into stable for `obs-build`.
  The patch fixes CVE-2017-14804 as described in #887306.
  Please consider the following patch attached.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru obs-build-20170201/debian/changelog 
obs-build-20170201/debian/changelog
--- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.000000000 +0200
+++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.000000000 +0100
@@ -1,3 +1,11 @@
+obs-build (20170201-3+deb9u1) stretch; urgency=medium
+
+  * CVE-2017-14804 (Closes: #887306)
+    - Improve extractbuild to avoid write to files in the host system.
+    - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new
+
+ -- Héctor Orón Martínez <[email protected]>  Sun, 04 Mar 2018 23:05:06 +0100
+
 obs-build (20170201-3) unstable; urgency=medium
 
   [ Sjoerd Simons ]
diff -Nru 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch
--- 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch   
    2018-03-04 23:01:56.000000000 +0100
@@ -0,0 +1,34 @@
+From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001
+Message-Id: 
<fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-...@gmx.de>
+From: Marcus Huewe <[email protected]>
+Date: Sun, 26 Nov 2017 20:25:48 +0100
+Subject: [PATCH] Improve sanity checks in extractbuild
+
+A \0 in a symlink target can be used to write to a file in the host
+system. For the same reason, we do not allow to process a file more
+than once. A \0 in a filename makes no sense, hence forbid it.
+---
+ extractbuild | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: obs-build-20160921/extractbuild
+===================================================================
+--- obs-build-20160921.orig/extractbuild
++++ obs-build-20160921/extractbuild
+@@ -74,6 +74,8 @@ while (<S>) {
+   my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /);
+   die("invalid input '$_'\n") unless defined($file);
+   $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++  die("bad file '$file' (contains \\0)\n") if $file =~ /\0/;
++  die("already processed: $file\n") if $done{$file};
+   die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s;
+   if ($file =~ /^(.*)\//s) {
+     die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 
'd';
+@@ -88,6 +90,7 @@ while (<S>) {
+     my $target = $filesize;
+     die("symlink without target\n") unless defined $target;
+     $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge;
++    die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/;
+     die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s;
+     if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) {
+       my ($head, $tail) = ($1, $2);
diff -Nru obs-build-20170201/debian/patches/series 
obs-build-20170201/debian/patches/series
--- obs-build-20170201/debian/patches/series    2017-08-04 23:24:36.000000000 
+0200
+++ obs-build-20170201/debian/patches/series    2018-03-04 23:03:58.000000000 
+0100
@@ -15,3 +15,4 @@
 HACK-Make-glibc-build.patch
 debootstrap-generate-apt-caches.patch
 
+Improve-sanity-checks-in-extractbuild.patch

--- End Message ---

--- Begin Message ---

Version: 9.9

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---

Bug#892070: marked as done (stretch-pu: package obs-build/20160921-1)

Reply via email to