Subject: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hello,

I would like to update the flightcrew package in the Buster release.

The goal is to fix CVE-2019-13241.

Please find attached the debdiff.

Best Regards,
François


-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
From 1ee41f78678f520402823b1524e02cba5c5d0d88 Mon Sep 17 00:00:00 2001
From: Francois Mazen <franc...@mzf.fr>
Date: Tue, 10 Sep 2019 09:27:47 +0200
Subject: [PATCH] Fix CVE-2019-13241

---
 debian/changelog                         |  6 ++++++
 debian/patches/fix-CVE-2019-13241.diff   | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series                    |  1 +
 debian/source/include-binaries           |  1 +
 debian/tests/CVE-2019-13241              | 28 ++++++++++++++++++++++++++++
 debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes
 debian/tests/control                     |  2 ++
 7 files changed, 96 insertions(+)
 create mode 100644 debian/patches/fix-CVE-2019-13241.diff
 create mode 100644 debian/source/include-binaries
 create mode 100644 debian/tests/CVE-2019-13241
 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip
 create mode 100644 debian/tests/control

diff --git a/debian/changelog b/debian/changelog
index b6a222f..dd9a681 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+flightcrew (0.7.2+dfsg-13+deb10u1) buster; urgency=high
+
+  * Fix CVE-2019-13241 for buster.
+
+ -- Francois Mazen <franc...@mzf.fr>  Sun, 08 Sep 2019 21:55:23 +0200
+
 flightcrew (0.7.2+dfsg-13) unstable; urgency=medium
 
   [ Ondřej Nový ]
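Review bot: The changelog entry only names the CVE; one more line saying what it is (a path-traversal / zip-slip in the zipios extraction code, which the test fixture name and the new CheckPathTraversalVulnerability function both point to) and the Debian bug number, if one was filed, would let the stable release team and users see the nature of the fix without opening the patch.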
diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff
new file mode 100644
index 0000000..5357d6a
--- /dev/null
+++ b/debian/patches/fix-CVE-2019-13241.diff
@@ -0,0 +1,58 @@
+Description: fix CVE-2019-13241
+Author: Francois Mazen <franc...@mzf.fr>
+
+
+--- a/src/zipios/src/zipextraction.cpp
++++ b/src/zipios/src/zipextraction.cpp
+@@ -63,6 +63,43 @@
+         fs::create_directory( filepath );
+ }
+ 
++void CheckPathTraversalVulnerability(const fs::path& root_folder,  const fs::path& file_path)
++{
++
++    fs::path canonical_path = fs::weakly_canonical(file_path);
++    fs::path canonical_root_path = fs::weakly_canonical(root_folder);
++
++    fs::path::iterator root_iterator = canonical_root_path.begin();
++    fs::path::iterator path_iterator = canonical_path.begin();
++    bool isDifferenceFound = false;
++    while(!isDifferenceFound &&
++          root_iterator != canonical_root_path.end() &&
++          path_iterator != canonical_path.end())
++    {
++        if((*root_iterator) != (*path_iterator))
++        {
++            isDifferenceFound = true;
++        }
++        else
++        {
++            ++root_iterator;
++            ++path_iterator;
++        }
++    }
++
++    if(!isDifferenceFound &&
++       root_iterator != canonical_root_path.end() &&
++       path_iterator == canonical_path.end())
++    {
++        // We reached the end of the path without iterating the whole root.
++        isDifferenceFound = true;
++    }
++
++    if(isDifferenceFound)
++    {
++        throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ;
++    }
++}
+ 
+ void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_folder )
+ {
+@@ -75,6 +112,7 @@
+ 
+         fs::path new_file_path = path_to_folder / (*it)->getName();
+ 
++        CheckPathTraversalVulnerability(path_to_folder, new_file_path);
+         CreateFilepath( new_file_path );
+         WriteEntryToFile( *stream, new_file_path );
+     }
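Review bot: In CheckPathTraversalVulnerability an entry whose canonical path is exactly the root folder passes the check: both iterators reach their end together, isDifferenceFound stays false, and ExtractZipToFolder then calls CreateFilepath and WriteEntryToFile on path_to_folder itself. Treating "path_iterator == canonical_path.end() once the whole root has been consumed" as a difference too (i.e. requiring at least one component beyond the root) would close that gap. The comparison also depends on weakly_canonical returning the same component sequence on both sides; worth a quick check with a root folder passed with a trailing separator that no trailing "." component survives on one side only. Two smaller points: the DEP-3 header carries only Description and Author, so adding Bug-Debian/Origin/Forwarded would record whether upstream has this fix; and the signature has a doubled space before the second parameter and a stray space in `file_path.string()) ;`.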
diff --git a/debian/patches/series b/debian/patches/series
index dd411b2..f8c0cdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ disable_filesystem3_overload
 modify_cmake_for_debian
 reproducible-build
 use_random_unique_tmp_path
+fix-CVE-2019-13241.diff
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..5b216eb
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/tests/CVE-2019-13241_zip-slip.zip
diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241
new file mode 100644
index 0000000..baac7e0
--- /dev/null
+++ b/debian/tests/CVE-2019-13241
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Check the CVE-2019-13241 vulnerability.
+# See https://security-tracker.debian.org/tracker/CVE-2019-13241
+# Author: Francois Mazen <franc...@mzf.fr>
+
+EVIL_FILE=/tmp/evil.txt
+
+if [ -f "$EVIL_FILE" ]; then
+    echo "$EVIL_FILE exists, removing it."
+    rm -f $EVIL_FILE
+else 
+    echo "$EVIL_FILE does not exist"
+fi
+
+echo "Opening the evil zip file."
+flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1
+
+if [ -f "$EVIL_FILE" ]; then
+    echo "$EVIL_FILE exists! The program is vulnerable."
+    exit 1
+else 
+    echo "$EVIL_FILE does not exist, no vulnerability."
+    exit 0
+fi
+
+
+
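Review bot: The test cannot tell a rejected archive from one that was never opened: flightcrew-cli's exit status is discarded, and the fixture is referenced relative to the current directory while autopkgtest runs test scripts from the root of the source tree, so `--input-file CVE-2019-13241_zip-slip.zip` is likely to fail with a missing file and the script still reports "no vulnerability" and exits 0. Refer to the fixture relative to the source tree and fail early if it is absent, e.g.
    ZIP=debian/tests/CVE-2019-13241_zip-slip.zip
    [ -f "$ZIP" ] || { echo "fixture $ZIP missing"; exit 1; }
Capturing the tool's exit status alongside its output would also make the expected "Corrupt epub detected" rejection visible in the log. Minor: quote `$EVIL_FILE` in the rm call, and the three trailing blank lines can go.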
diff --git a/debian/tests/CVE-2019-13241_zip-slip.zip b/debian/tests/CVE-2019-13241_zip-slip.zip
new file mode 100644
index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b
GIT binary patch
literal 545
zc$^FHW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB(
zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJkou%T0dh9)>xTY`8X+ycaUdin!`N^%SI
zQ_C`QKpuiSI!^&41a&ndlN>Xyz>olo13k^Kq!GkI1Pv=BXwZTMWSR&w?ofb%C5@qj
WBuoOlS=m4?Vgf>tN4Y_sWdH#5lWQ0N

literal 0
Hc$@<O00001

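Review bot: The fixture is opaque in review; a one-line description of its contents (the entry name carrying the traversal components that resolves to /tmp/evil.txt) in the test script header or the patch description would let reviewers check the test without unpacking the archive, and would allow the 545-byte binary to be regenerated if it ever needs to change.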
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..d4371d1
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: CVE-2019-13241
+Depends: flightcrew
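Review bot: The test script declared here is created with mode 100644 (see `create mode 100644 debian/tests/CVE-2019-13241` in the file list at the top of the patch); autopkgtest expects test scripts to be executable, so either commit it with mode 755 or confirm that the harness sets the bit before running it.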
--
libgit2 0.27.7
