Your message dated Wed, 11 Mar 2015 21:56:03 +0100
with message-id <[email protected]>
and subject line Re: Bug#780297: unblock: cpio/2.11+dfsg-4.1
has caused the Debian Bug report #780297,
regarding unblock: cpio/2.11+dfsg-4.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
780297: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780297
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package cpio. It fixes CVE-2015-1197.
unblock cpio/2.11+dfsg-4.1
debdiff:
diff -Nru cpio-2.11+dfsg/debian/changelog cpio-2.11+dfsg/debian/changelog
--- cpio-2.11+dfsg/debian/changelog 2014-12-22 12:42:30.000000000 +0100
+++ cpio-2.11+dfsg/debian/changelog 2015-03-05 11:47:10.000000000 +0100
@@ -1,3 +1,12 @@
+cpio (2.11+dfsg-4.1) unstable; urgency=medium
+
+ * Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
+ Upstream is dormant or no longer existing. To restore the old
+ behaviour use --extract-over-symlinks (Closes: #774669)
+ This issue has been discovered by Alexander Cherepanov.
+
+ -- Moritz Muehlenhoff <[email protected]> Thu, 05 Mar 2015 11:44:25 +0100
+
cpio (2.11+dfsg-4) unstable; urgency=high
[ Michael Gilbert <[email protected]> ]
diff -Nru cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch
cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch
--- cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch 1970-01-01
01:00:00.000000000 +0100
+++ cpio-2.11+dfsg/debian/patches/CVE-2015-1197.patch 2015-03-05
11:50:52.000000000 +0100
@@ -0,0 +1,150 @@
+Description: CVE-2015-1197
+ Apply patch by Vitezslav Cizek of SuSE to fix CVE-2015-1197.
+ Upstream is dormant or no longer existing. To restore the old
+ behaviour use --extract-over-symlinks (Closes: #774669)
+ This issue has been discovered by Alexander Cherepanov.
+Author: Vitezslav Cizek <[email protected]>
+Bug-Debian: https://bugs.debian.org/774669
+
+--- cpio-2.11+dfsg.orig/doc/cpio.1
++++ cpio-2.11+dfsg/doc/cpio.1
+@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+ [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
++[\-\-extract\-over\-symlinks]
+ [\-\-help] [\-\-version] [pattern...] [< archive]
+
+ .B cpio
+--- cpio-2.11+dfsg.orig/src/copyin.c
++++ cpio-2.11+dfsg/src/copyin.c
+@@ -700,6 +700,51 @@ copyin_link (struct cpio_file_stat *file
+ free (link_name);
+ }
+ �
++
++static int
++path_contains_symlink(char *path)
++{
++ struct stat st;
++ char *slash;
++ char *nextslash;
++
++ /* we got NULL pointer or empty string */
++ if (!path || !*path) {
++ return false;
++ }
++
++ slash = path;
++
++ while ((nextslash = strchr(slash + 1, '/')) != NULL) {
++ slash = nextslash;
++ *slash = '\0';
++
++ if (lstat(path, &st) != 0) {
++ if (errno == ELOOP) {
++ /* ELOOP - too many symlinks */
++ *slash = '/';
++ return true;
++ } else if (errno == ENOMEM) {
++ /* No memory for lstat - terminate */
++ xalloc_die();
++ } else {
++ /* cannot lstat path - give up */
++ *slash = '/';
++ return false;
++ }
++ }
++
++ if (S_ISLNK(st.st_mode)) {
++ *slash = '/';
++ return true;
++ }
++
++ *slash = '/';
++ }
++
++ return false;
++}
++
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+@@ -1471,6 +1516,23 @@ process_copy_in ()
+ {
+ /* Copy the input file into the directory structure. */
+
++ /* Can we write files over symlinks? */
++ if (!extract_over_symlinks)
++ {
++ if (path_contains_symlink(file_hdr.c_name))
++ {
++ /* skip the file */
++ /*
++ fprintf(stderr, "Can't write over symlinks. Skipping %s\n",
file_hdr.c_name);
++ tape_toss_input (in_file_des, file_hdr.c_filesize);
++ tape_skip_padding (in_file_des, file_hdr.c_filesize);
++ continue;
++ */
++ /* terminate */
++ error (1, 0, _("Can't write over symlinks: %s\n"),
file_hdr.c_name);
++ }
++ }
++
+ /* Do we need to rename the file? */
+ if (rename_flag || rename_batch_file)
+ {
+--- cpio-2.11+dfsg.orig/src/extern.h
++++ cpio-2.11+dfsg/src/extern.h
+@@ -95,6 +95,7 @@ extern char input_is_special;
+ extern char output_is_special;
+ extern char input_is_seekable;
+ extern char output_is_seekable;
++extern bool extract_over_symlinks;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+ �
+--- cpio-2.11+dfsg.orig/src/global.c
++++ cpio-2.11+dfsg/src/global.c
+@@ -187,6 +187,9 @@ bool to_stdout_option = false;
+ /* The name this program was run with. */
+ char *program_name;
+
++/* Extract files over symbolic links */
++bool extract_over_symlinks;
++
+ /* A pointer to either lstat or stat, depending on whether
+ dereferencing of symlinks is done for input files. */
+ int (*xstat) ();
+--- cpio-2.11+dfsg.orig/src/main.c
++++ cpio-2.11+dfsg/src/main.c
+@@ -57,7 +57,8 @@ enum cpio_options {
+ FORCE_LOCAL_OPTION,
+ DEBUG_OPTION,
+ BLOCK_SIZE_OPTION,
+- TO_STDOUT_OPTION
++ TO_STDOUT_OPTION,
++ EXTRACT_OVER_SYMLINKS
+ };
+
+ const char *program_authors[] =
+@@ -222,6 +223,8 @@ static struct argp_option options[] = {
+ N_("Create leading directories where needed"), GRID+1 },
+ {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
+ N_("Do not change the ownership of the files"), GRID+1 },
++ {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
++ N_("Force writing over symbolic links"), GRID+1 },
+ {"unconditional", 'u', NULL, 0,
+ N_("Replace all files unconditionally"), GRID+1 },
+ {"sparse", SPARSE_OPTION, NULL, 0,
+@@ -412,6 +415,10 @@ crc newc odc bin ustar tar (all-caps als
+ no_chown_flag = true;
+ break;
+
++ case EXTRACT_OVER_SYMLINKS: /*
--extract-over-symlinks */
++ extract_over_symlinks = true;
++ break;
++
+ case 'o': /* Copy-out mode. */
+ if (copy_function != 0)
+ error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
diff -Nru cpio-2.11+dfsg/debian/patches/series
cpio-2.11+dfsg/debian/patches/series
--- cpio-2.11+dfsg/debian/patches/series 2014-12-22 12:28:38.000000000
+0100
+++ cpio-2.11+dfsg/debian/patches/series 2015-03-05 11:49:50.000000000
+0100
@@ -16,3 +16,4 @@
58df4f1b.patch
fd262d11.patch
f6a8a2cb.patch
+CVE-2015-1197.patch
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On 2015-03-11 20:11, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package cpio. It fixes CVE-2015-1197.
>
> unblock cpio/2.11+dfsg-4.1
>
> debdiff:
>
> [...]
>
>
Unblocked, thanks.
~Niels
--- End Message ---
