Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where
diffoscope may write to arbitrary locations on disk depending on the contents
of an untrusted archive. For example, comparing the following two files:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=843811;filename=libBrokenLocale.a.0;msg=5
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=843811;filename=libBrokenLocale.a.1;msg=5

Traceback (most recent call last):
  File "/home/infinity0/xx/diffoscope/diffoscope/main.py", line 281, in main
    sys.exit(run_diffoscope(parsed_args))
[..]
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 174, in extract
    self.ensure_unpacked()
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 219, in ensure_unpacked
    os.makedirs(os.path.dirname(dst), exist_ok=True)
  File "/usr/lib/python3.5/os.py", line 241, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/SYM64'

Note that this could easily have been something like /home/infinity0/.profile.

I have pushed a nearly-complete fix to git (after version 75 was just released)
which prevents the writes. However, reads are still done using the uncleaned
names; this is a much less severe issue. So, if I don't supply a fix for
the second lesser issue soon, the existing fix should be released ASAP.

X

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (200, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diffoscope depends on:
ii  python3-libarchive-c   2.1-3.1
ii  python3-magic          1:5.29-3
ii  python3-pkg-resources  33.1.1-1
pn  python3:any            <none>

Versions of packages diffoscope recommends:
ii  acl                        2.2.52-3
ii  apktool                    2.2.1+dfsg-2
ii  binutils-multiarch         2.27.90.20170124-2
ii  bzip2                      1.0.6-8.1
ii  caca-utils                 0.99.beta19-2+b1
ii  colord                     1.3.3-2
ii  cpio                       2.11+dfsg-6
ii  default-jdk [java-sdk]     2:1.8-58
ii  default-jdk-headless       2:1.8-58
ii  enjarify                   1:1.0.3-3
ii  fontforge-extras           0.3-4
ii  fp-utils                   3.0.0+dfsg-10
ii  fp-utils-3.0.0 [fp-utils]  3.0.0+dfsg-10
ii  genisoimage                9:1.1.11-3
ii  gettext                    0.19.8.1-2
ii  ghc                        8.0.1-17
ii  ghostscript                9.20~dfsg-2
ii  gnupg                      2.1.18-3
ii  jsbeautifier               1.6.4-6
ii  llvm                       1:3.8-34+b1
ii  mono-utils                 4.6.2.7+dfsg-1
ii  openjdk-8-jdk [java-sdk]   8u121-b13-2
ii  openssh-client             1:7.4p1-6
ii  pdftk                      2.02-4+b1
ii  poppler-utils              0.48.0-2
ii  python3-argcomplete        1.8.1-1
ii  python3-debian             0.1.30
ii  python3-guestfs            1:1.34.3-7
ii  python3-progressbar        2.3-4
ii  python3-rpm                4.12.0.2+dfsg1-1
ii  python3-tlsh               3.4.4+20151206-1+b1
ii  rpm2cpio                   4.12.0.2+dfsg1-1
ii  sng                        1.1.0-1+b1
ii  sqlite3                    3.16.2-2
ii  squashfs-tools             1:4.3-3
ii  unzip                      6.0-21
ii  vim-common                 2:8.0.0197-1
ii  xxd                        2:8.0.0197-1
ii  xz-utils                   5.2.2-1.2

Versions of packages diffoscope suggests:
ii  libjs-jquery  3.1.1-2

-- no debconf information
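As an added illustration (not the fix the reporter pushed to diffoscope's git, and not diffoscope code), here is the kind of member-name check an extraction loop such as ensure_unpacked() would need to apply before calling os.makedirs(): the sample member names, the unpack root /tmp/unpack and the function names are assumptions, and the loop is a dry run that touches no files.

```python
import os

# Constructed sample member names (not taken from the attached archives):
# a benign entry, two spellings of the absolute name seen in the traceback,
# a parent-directory escape of the kind the report warns about, and a
# directory entry for the root itself.
SAMPLE_MEMBERS = [
    "SYM64/libBrokenLocale.o",
    "/SYM64/libBrokenLocale.o",
    "../../home/infinity0/.profile",
    "./",
]


class UnsafeArchiveMember(ValueError):
    """An archive entry whose destination would fall outside the unpack root."""


def safe_destination(root, member_name):
    """Return the path under `root` where `member_name` may be written, or
    raise UnsafeArchiveMember.  Member names are attacker-controlled, and
    os.path.join(root, "/SYM64/x") silently discards `root`, which is the
    failure behind the PermissionError in the traceback."""
    root = os.path.realpath(root)
    # Strip leading separators, as GNU tar does; rejecting outright is the
    # stricter alternative.  Backslashes are treated as separators too.
    name = member_name.replace("\\", "/").lstrip("/")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeArchiveMember(f"no file name in {member_name!r}")
    if ".." in parts:
        raise UnsafeArchiveMember(f"parent-directory component in {member_name!r}")
    dst = os.path.realpath(os.path.join(root, *parts))
    # realpath also resolves symlinks already present under root, so an
    # earlier member that planted a symlink cannot redirect a later write.
    if os.path.commonpath([root, dst]) != root:
        raise UnsafeArchiveMember(f"{member_name!r} resolves outside {root}")
    return dst


def plan_extraction(root, member_names):
    """Dry run of an extraction loop.  Returns (accepted, rejected): accepted
    maps member name -> destination, rejected maps member name -> reason.
    A real loop would run os.makedirs(os.path.dirname(dst)) only on paths
    returned in `accepted`."""
    accepted, rejected = {}, {}
    for name in member_names:
        try:
            accepted[name] = safe_destination(root, name)
        except UnsafeArchiveMember as exc:
            rejected[name] = str(exc)
    return accepted, rejected
```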

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds