Your message dated Tue, 10 Sep 2019 19:11:20 +0100
with message-id
<8878ff801666ef402d18c771343db4d2fd56d901.ca...@adam-barratt.org.uk>
and subject line Re: Bug#939978: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
has caused the Debian Bug report #939978,
regarding buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
939978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939978
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: buster
Severity: normal
Hello,
I would like to update the flightcrew package in Buster release.
The goal is to fix the CVE-2019-13241.
Please find attached the debdiff.
Best Regards,
François
-- System Information:
Debian Release: 10.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
From 1ee41f78678f520402823b1524e02cba5c5d0d88 Mon Sep 17 00:00:00 2001
From: Francois Mazen <[email protected]>
Date: Tue, 10 Sep 2019 09:27:47 +0200
Subject: [PATCH] Fix CVE-2019-13241
---
debian/changelog | 6 ++++++
debian/patches/fix-CVE-2019-13241.diff | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
debian/source/include-binaries | 1 +
debian/tests/CVE-2019-13241 | 28 ++++++++++++++++++++++++++++
debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes
debian/tests/control | 2 ++
7 files changed, 96 insertions(+)
create mode 100644 debian/patches/fix-CVE-2019-13241.diff
create mode 100644 debian/source/include-binaries
create mode 100644 debian/tests/CVE-2019-13241
create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip
create mode 100644 debian/tests/control
diff --git a/debian/changelog b/debian/changelog
index b6a222f..dd9a681 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+flightcrew (0.7.2+dfsg-13+deb10u1) buster; urgency=high
+
+ * Fix CVE-2019-13241 for buster.
+
+ -- Francois Mazen <[email protected]> Sun, 08 Sep 2019 21:55:23 +0200
+
flightcrew (0.7.2+dfsg-13) unstable; urgency=medium
[ Ondřej Nový ]
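Review bot: the changelog entry names only the CVE id; a stable update entry should also say in one line what was fixed (here, a path traversal while extracting zip entries of an EPUB, as the patch description and the zip-slip test name indicate) and reference the Debian bug if one was filed, e.g. `* Fix CVE-2019-13241: path traversal while extracting EPUB zip entries.`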
diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff
new file mode 100644
index 0000000..5357d6a
--- /dev/null
+++ b/debian/patches/fix-CVE-2019-13241.diff
@@ -0,0 +1,58 @@
+Description: fix CVE-2019-13241
+Author: Francois Mazen <[email protected]>
+
+
+--- a/src/zipios/src/zipextraction.cpp
++++ b/src/zipios/src/zipextraction.cpp
+@@ -63,6 +63,43 @@
+ fs::create_directory( filepath );
+ }
+
++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path)
++{
++
++ fs::path canonical_path = fs::weakly_canonical(file_path);
++ fs::path canonical_root_path = fs::weakly_canonical(root_folder);
++
++ fs::path::iterator root_iterator = canonical_root_path.begin();
++ fs::path::iterator path_iterator = canonical_path.begin();
++ bool isDifferenceFound = false;
++ while(!isDifferenceFound &&
++ root_iterator != canonical_root_path.end() &&
++ path_iterator != canonical_path.end())
++ {
++ if((*root_iterator) != (*path_iterator))
++ {
++ isDifferenceFound = true;
++ }
++ else
++ {
++ ++root_iterator;
++ ++path_iterator;
++ }
++ }
++
++ if(!isDifferenceFound &&
++ root_iterator != canonical_root_path.end() &&
++ path_iterator == canonical_path.end())
++ {
++ // We reached the end of the path without iterating the whole root.
++ isDifferenceFound = true;
++ }
++
++ if(isDifferenceFound)
++ {
++ throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ;
++ }
++}
+
+ void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_folder )
+ {
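Review bot: the component-by-component comparison correctly rejects both a path that escapes the root and one that merely shares a string prefix with it (`/tmp/x` against `/tmp/xy/...` differs at the third element), but it would also reject every entry if `canonical_root_path` ever retained a trailing separator, since a final empty element never equals a filename; a unit test with a trailing-slash `root_folder` would settle that. The function also has no comment stating its contract (throws `InvalidStateException` when `file_path` lies outside `root_folder`), `isDifferenceFound` departs from the snake_case used by the surrounding variables, and `weakly_canonical` is a comparatively recent Boost.Filesystem addition, so confirm the buster build dependency provides it.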
+@@ -75,6 +112,7 @@
+
+ fs::path new_file_path = path_to_folder / (*it)->getName();
+
++ CheckPathTraversalVulnerability(path_to_folder, new_file_path);
+ CreateFilepath( new_file_path );
+ WriteEntryToFile( *stream, new_file_path );
+ }
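Review bot: the check is placed before `CreateFilepath` and `WriteEntryToFile`, so nothing is written for a rejected entry, but the exception aborts extraction midway and entries already written to `path_to_folder` stay on disk; either ensure the caller removes the folder when `InvalidStateException` propagates, or validate every entry name in a first pass before writing anything.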
diff --git a/debian/patches/series b/debian/patches/series
index dd411b2..f8c0cdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ disable_filesystem3_overload
modify_cmake_for_debian
reproducible-build
use_random_unique_tmp_path
+fix-CVE-2019-13241.diff
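Review bot: style only: the existing entries in series carry no extension, so `fix-CVE-2019-13241` would match the established naming; harmless as it stands.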
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..5b216eb
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/tests/CVE-2019-13241_zip-slip.zip
diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241
new file mode 100644
index 0000000..baac7e0
--- /dev/null
+++ b/debian/tests/CVE-2019-13241
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+# Check the CVE-2019-13241 vulnerability.
+# See https://security-tracker.debian.org/tracker/CVE-2019-13241
+# Author: Francois Mazen <[email protected]>
+
+EVIL_FILE=/tmp/evil.txt
+
+if [ -f "$EVIL_FILE" ]; then
+ echo "$EVIL_FILE exists, removing it."
+ rm -f $EVIL_FILE
+else
+ echo "$EVIL_FILE does not exist"
+fi
+
+echo "Opening the evil zip file."
+flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1
+
+if [ -f "$EVIL_FILE" ]; then
+ echo "$EVIL_FILE exists! The program is vulnerable."
+ exit 1
+else
+ echo "$EVIL_FILE does not exist, no vulnerability."
+ exit 0
+fi
+
+
+
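Review bot: the archive is referenced by bare filename (`--input-file CVE-2019-13241_zip-slip.zip`), so the test only finds it when the current directory is debian/tests; when it cannot be opened, /tmp/evil.txt is also absent and the script reports "no vulnerability" without having exercised the fix at all. Resolve the path relative to the script, e.g. `"$(dirname "$0")/CVE-2019-13241_zip-slip.zip"`, and fail the test if the input file is missing. Minor: `rm -f $EVIL_FILE` should be quoted like the other uses, and the three trailing blank lines can go.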
diff --git a/debian/tests/CVE-2019-13241_zip-slip.zip b/debian/tests/CVE-2019-13241_zip-slip.zip
new file mode 100644
index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b
GIT binary patch
literal 545
zc$^FHW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB(
zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJkou%T0dh9)>xTY`8X+ycaUdin!`N^%SI
zQ_C`QKpuiSI!^&41a&ndlN>Xyz>olo13k^Kq!GkI1Pv=BXwZTMWSR&w?ofb%C5@qj
WBuoOlS=m4?Vgf>tN4Y_sWdH#5lWQ0N
literal 0
Hc$@<O00001
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..d4371d1
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: CVE-2019-13241
+Depends: flightcrew
--
libgit2 0.27.7
--- End Message ---
--- Begin Message ---
On Tue, 2019-09-10 at 09:55 +0200, François Mazen wrote:
> I would like to update the flightcrew package in Buster release.
>
> The goal is to fix the CVE-2019-13241.
>
You already requested that in #939965.
Regards,
Adam
--- End Message ---