From: Jiaying Song <[email protected]> diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-25711 Upstream patches: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 Signed-off-by: Jiaying Song <[email protected]> Signed-off-by: Steve Sakoman <[email protected]>
---
 .../diffoscope/CVE-2024-25711.patch | 116 ++++++++++++++++++
 .../diffoscope/diffoscope_208.bb | 1 +
 2 files changed, 117 insertions(+)
 create mode 100644 meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch
diff --git a/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch b/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch
new file mode 100644
index 0000000000..de1099c40b
--- /dev/null
+++ b/meta/recipes-support/diffoscope/diffoscope/CVE-2024-25711.patch
@@ -0,0 +1,116 @@
+From 1eda4012c5350efae02fcc058e0a36cc71ad62fd Mon Sep 17 00:00:00 2001
+From: Chris Lamb <[email protected]>
+Date: Fri, 9 Feb 2024 10:43:18 -0800
+Subject: [PATCH] Use a determistic name instead of trusting gpg's
+ --use-embedded-filenames. (Closes: reproducible-builds/diffoscope#361)
+
+... but also expose the embedded name by attaching the ("unstable") output of
+--list-packets.
+
+Many thanks to Daniel Kahn Gillmor <[email protected]> for reporting this issue
+and providing feedback.
+
+Upstream-Status: Backport
+[https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476]
+
+CVE: CVE-2024-25711
+
+Signed-off-by: Jiaying Song <[email protected]>
+---
+ diffoscope/comparators/pgp.py | 34 +++++++++++++++++++++++++++++-----
+ tests/comparators/test_pgp.py | 3 ++-
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/diffoscope/comparators/pgp.py b/diffoscope/comparators/pgp.py
+index eea997b..9215664 100644
+--- a/diffoscope/comparators/pgp.py
++++ b/diffoscope/comparators/pgp.py
+@@ -32,6 +32,8 @@ from .utils.command import Command, our_check_output
+ 
+ logger = logging.getLogger(__name__)
+ 
++re_name = re.compile(r", created \d+, name=\"(?P<name>[^\"]+)\",")
++
+ 
+ class Pgpdump(Command):
+ @tool_required("pgpdump")
+@@ -46,21 +48,31 @@ class Pgpdump(Command):
+ )
+ 
+ 
++class GpgListPackets(Command):
++ @tool_required("gpg")
++ def cmdline(self):
++ return (
++ "gpg",
++ "--no-keyring",
++ "--list-packets",
++ self.path,
++ )
++
++
+ class PGPContainer(Archive):
+ @tool_required("gpg")
+ def open_archive(self):
+- # Extract to a fresh temporary directory so that we can use the
+- # embedded filename.
+-
++ # Extract to a fresh temporary directory.
+ self._temp_dir = get_temporary_directory(suffix="pgp")
+ 
+ try:
+ our_check_output(
+ (
+ "gpg",
+- "--use-embedded-filename",
+ "--decrypt",
+ "--no-keyring",
++ "--output",
++ os.path.join(self._temp_dir.name, "contents"),
+ os.path.abspath(self.source.path),
+ ),
+ cwd=self._temp_dir.name,
+@@ -75,7 +87,7 @@ class PGPContainer(Archive):
+ self._temp_dir.cleanup()
+ 
+ def get_member_names(self):
+- # Will only return one filename, taken from the signature file itself.
++ # Will only ever return one filename
+ return os.listdir(self._temp_dir.name)
+ 
+ def extract(self, member_name, dest_dir):
+@@ -136,4 +148,16 @@ class PgpSignature(TextFile):
+ ]
+ )
+ 
++ # ... as well as gpg --list-packets
++ difference.add_details(
++ [
++ Difference.from_operation(
++ GpgListPackets,
++ self.path,
++ other.path,
++ source="gpg --list-packets",
++ )
++ ]
++ )
++
+ return difference
+diff --git a/tests/comparators/test_pgp.py b/tests/comparators/test_pgp.py
+index 8652ea9..49b3fa0 100644
+--- a/tests/comparators/test_pgp.py
++++ b/tests/comparators/test_pgp.py
+@@ -80,8 +80,9 @@ def test_pgp_signature_identification(signature1, signature2):
+ def test_pgp_signature(signature1, signature2):
+ difference = signature1.compare(signature2)
+ assert_diff(difference, "pgp_signature_expected_diff")
++ assert len(difference.details) == 2
+ assert difference.details[0].source1 == "pgpdump"
+- assert len(difference.details) == 1
++ assert difference.details[1].source1 == "gpg --list-packets"
+ 
+ 
+ @skip_unless_tools_exist("pgpdump")
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/diffoscope/diffoscope_208.bb b/meta/recipes-support/diffoscope/diffoscope_208.bb
index 3c3b007d60..e4fde88c95 100644
--- a/meta/recipes-support/diffoscope/diffoscope_208.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_208.bb
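Review bot: `re_name` is compiled at module level in the `@@ -32,6 +32,8` hunk of pgp.py, but nothing else in this backport references it, so it is dead code here, and it additionally depends on `re` being imported above line 32, which is outside the hunk; unless pgp.py already imports `re` (not visible here), the comparator module will fail at import time with a NameError. Either drop that line from the backport or pair it with the `--list-packets` detail it appears intended to parse. In `get_member_names`, the replacement comment `# Will only ever return one filename` could state the invariant the fix now guarantees, e.g. `# gpg wrote to the fixed name "contents"; the embedded filename is no longer trusted (CVE-2024-25711)`, and returning that constant instead of `os.listdir(self._temp_dir.name)` would make the fixed-name contract explicit rather than depending on directory state. `PGPContainer.open_archive` continues past the `@@ -46,21 +48,31` hunk, so the failure/cleanup path of the `--output` write cannot be reviewed from what is shown.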
@@ -12,6 +12,7 @@ PYPI_PACKAGE = "diffoscope"
 inherit pypi setuptools3
+SRC_URI += " file://CVE-2024-25711.patch"
 SRC_URI[sha256sum] = "2c5c0ac1159eefce158154849fe67f0f527dffc5295bfd3ca1aef14962ffcbcb"
 RDEPENDS:${PN} += "binutils vim squashfs-tools python3-libarchive-c python3-magic python3-rpm"
-- 
2.34.1
