Your message dated Mon, 13 Feb 2017 16:33:35 +0000
with message-id <>
and subject line Bug#854723: fixed in diffoscope 77
has caused the Debian Bug report #854723,
regarding diffoscope: CVE-2017-0359: writes to arbitrary locations on disk 
based on the contents of an untrusted archive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where
diffoscope may write to arbitrary locations on disk depending on the contents
of an untrusted archive. For example, comparing the following two files:

;bug=843811;filename=libBrokenLocale.a.0;msg=5
;bug=843811;filename=libBrokenLocale.a.1;msg=5

Traceback (most recent call last):
  File "/home/infinity0/xx/diffoscope/diffoscope/", line 281, in main
line 174, in extract
line 219, in ensure_unpacked
    os.makedirs(os.path.dirname(dst), exist_ok=True)
  File "/usr/lib/python3.5/", line 241, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/SYM64'

Note that this could easily have been something like /home/infinity0/.profile.

I have pushed a nearly-complete fix to git (after version 75 was just released)
which prevents the writes. However, reads are still done using the uncleaned
names, but this is a much less severe issue. So, if I don't supply a fix for
the second lesser issue soon, the existing fix should be released ASAP.


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (300, 'unstable'), (200, 'experimental'), (1, 
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diffoscope depends on:
ii  python3-libarchive-c   2.1-3.1
ii  python3-magic          1:5.29-3
ii  python3-pkg-resources  33.1.1-1
pn  python3:any            <none>

Versions of packages diffoscope recommends:
ii  acl                        2.2.52-3
ii  apktool                    2.2.1+dfsg-2
ii  binutils-multiarch
ii  bzip2                      1.0.6-8.1
ii  caca-utils                 0.99.beta19-2+b1
ii  colord                     1.3.3-2
ii  cpio                       2.11+dfsg-6
ii  default-jdk [java-sdk]     2:1.8-58
ii  default-jdk-headless       2:1.8-58
ii  enjarify                   1:1.0.3-3
ii  fontforge-extras           0.3-4
ii  fp-utils                   3.0.0+dfsg-10
ii  fp-utils-3.0.0 [fp-utils]  3.0.0+dfsg-10
ii  genisoimage                9:1.1.11-3
ii  gettext          
ii  ghc                        8.0.1-17
ii  ghostscript                9.20~dfsg-2
ii  gnupg                      2.1.18-3
ii  jsbeautifier               1.6.4-6
ii  llvm                       1:3.8-34+b1
ii  mono-utils       
ii  openjdk-8-jdk [java-sdk]   8u121-b13-2
ii  openssh-client             1:7.4p1-6
ii  pdftk                      2.02-4+b1
ii  poppler-utils              0.48.0-2
ii  python3-argcomplete        1.8.1-1
ii  python3-debian             0.1.30
ii  python3-guestfs            1:1.34.3-7
ii  python3-progressbar        2.3-4
ii  python3-rpm      
ii  python3-tlsh               3.4.4+20151206-1+b1
ii  rpm2cpio         
ii  sng                        1.1.0-1+b1
ii  sqlite3                    3.16.2-2
ii  squashfs-tools             1:4.3-3
ii  unzip                      6.0-21
ii  vim-common                 2:8.0.0197-1
ii  xxd                        2:8.0.0197-1
ii  xz-utils                   5.2.2-1.2

Versions of packages diffoscope suggests:
ii  libjs-jquery  3.1.1-2

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: diffoscope
Source-Version: 77

We believe that the bug you reported is fixed in the latest version of
diffoscope, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Mattia Rizzolo <> (supplier of updated diffoscope package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA512

Format: 1.8
Date: Mon, 13 Feb 2017 16:25:02 +0100
Source: diffoscope
Binary: diffoscope
Architecture: source
Version: 77
Distribution: unstable
Urgency: medium
Maintainer: Reproducible builds folks 
Changed-By: Mattia Rizzolo <>
 diffoscope - in-depth comparison of files, archives, and directories
Closes: 854723 854745 854783
 diffoscope (77) unstable; urgency=medium
   [ Chris Lamb ]
   * tests/comparators/utils:
     + Correct logic of module_exists, ensuring we correctly skip in case of
       modules containing a dot in their name.  Closes: #854745
   * comparators/utils/libarchive:
     + No need to track archive directory locations.
   * Add --exclude option.  Closes: #854783
   * Add PyPI badge to README.rst.
   * Update .travis.yml from
   [ Mattia Rizzolo ]
   * Add CVE reference to the changelog of v76.
   * Add my key to debian/upstream/signing-key.asc.
   [ Ximin Luo ]
   * comparators/utils/libarchive:
     + When extracting archives, try to keep directory sizes small.
 diffoscope (76) unstable; urgency=medium
   [ Chris Lamb ]
   * Extract archive members using an auto-incrementing integer, avoiding the
     need to sanitise filenames and avoiding writes to arbitrary locations.
     (Closes: #854723 - CVE-2017-0359)
   [ Ximin Luo ]
   * Simplify call to subprocess.Popen
 88ab09a8ecf57244ee21bd5c2f19a39b0f1c5062 2972 diffoscope_77.dsc
 b0c72453546afd30364c36aa2a86355d712ad55f 349436 diffoscope_77.tar.xz
 619ab27596d84ee53ebe2e8924c3ad662e1deea8 16138 diffoscope_77_amd64.buildinfo
 964f94d42f970ba32d73770e9d0c151fe149633cfb9054333bafe7df3f0271ee 2972 
 c9adeb0bfb0c92a3501df04b6ea4300c3896f15a9008803e4e12c1f312528499 349436 
 3e10be4a12c432443536830551d536e73dbb4de8f1374cf7ec6c5a033104a793 16138 
 853b57d21d18fafb72701114b189a315 2972 devel optional diffoscope_77.dsc
 13f5d4623bfd49a3787a3d03c9f4f076 349436 devel optional diffoscope_77.tar.xz
 dc24dbcee5c0028bc590f98a97504d14 16138 devel optional 



--- End Message ---
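The two messages above describe the defect (an archive member name such as `/SYM64` being joined onto the extraction directory, so the write lands outside it) and the mitigation shipped in diffoscope 76 (extracting members under an auto-incrementing integer so the untrusted name never reaches the filesystem path). The following Python is an added illustration of both sides, not diffoscope's own code: it builds a small constructed tar in memory whose member names would escape the destination if used verbatim, shows a containment check a reviewer can use to detect the unsafe pattern, and then extracts the same archive with the integer-naming scheme. The function names, the hostile member names other than `/SYM64` (which comes from the traceback in the report), and the `SequentialExtractor` class are assumptions made for this example.

```python
"""Added example (not diffoscope's code): unsafe name-based extraction
destinations versus extraction under auto-incrementing integers.
"""
import io
import os
import tarfile
import tempfile


def naive_destination(root, member_name):
    """The unsafe computation: os.path.join discards `root` when the
    second argument is absolute, and '..' components walk out of it."""
    return os.path.join(root, member_name)


def escapes_root(root, member_name):
    """Containment check: would naive_destination() resolve outside root?
    Both sides are canonicalised so symlink-free prefixes compare cleanly."""
    root = os.path.realpath(root)
    target = os.path.realpath(naive_destination(root, member_name))
    return os.path.commonpath([root, target]) != root


class SequentialExtractor:
    """Write each member to <root>/<n>, where n is an auto-incrementing
    integer, and keep the original (untrusted) name only in a mapping
    used for display, never as part of a filesystem path."""

    def __init__(self, root):
        self.root = os.path.realpath(root)
        self.counter = 0
        self.names = {}  # integer -> original member name

    def write(self, member_name, data):
        self.counter += 1
        dst = os.path.join(self.root, str(self.counter))
        with open(dst, "wb") as fh:
            fh.write(data)
        self.names[self.counter] = member_name
        return dst


def extract_safely(tar_bytes, root):
    """Extract every regular file from an in-memory tar into `root`
    using SequentialExtractor; returns {integer: original member name}."""
    extractor = SequentialExtractor(root)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar.getmembers():
            if not info.isreg():
                continue  # directories, links etc. are skipped here
            payload = tar.extractfile(info).read()
            extractor.write(info.name, payload)
    return extractor.names


def build_hostile_tar():
    """Constructed sample archive: two member names that would escape the
    destination directory if used verbatim, plus one harmless name."""
    members = [
        ("/SYM64", b"absolute name, as in the bug report's traceback"),
        ("../escape.txt", b"constructed parent-directory name"),
        ("lib/ok.txt", b"constructed harmless name"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)  # addfile() keeps the name verbatim
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo():
    """Extract the constructed archive into a temporary directory and
    return (name mapping, entries actually written under the root,
    per-member result of the containment check on the original names)."""
    with tempfile.TemporaryDirectory() as root:
        mapping = extract_safely(build_hostile_tar(), root)
        written = sorted(os.listdir(root))
        flagged = [escapes_root(root, name) for name in mapping.values()]
        return mapping, written, flagged


if __name__ == "__main__":
    mapping, written, flagged = demo()
    for n, name in mapping.items():
        print(f"{n} <- {name!r} (would have escaped: {flagged[n - 1]})")
    print("written under root:", written)
```

The check in `escapes_root` is the review-time question to ask of any extraction code path: join, canonicalise, and confirm the result still has the destination as a prefix. The extractor sidesteps the question entirely, which is why the changelog entry can say there is no longer any need to sanitise filenames; the cost is that the original names must be carried in a side table if they are to be shown to the user.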
Reproducible-builds mailing list
