Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1
Control: tags -1 + confirmed

On Mon, 2021-12-27 at 22:10 +0200, Peter Pentchev wrote:
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
>
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.

Please go ahead, thanks.

Regards,

Adam
Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1
On Thu, Dec 30, 2021 at 09:10:34PM +0100, Salvatore Bonaccorso wrote:
> Hi Peter,
>
> On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: r...@ringlet.net
> >
> > [ Reason ]
> > This is a future unblock request before I upload
> > libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> > fixed in later upstream versions and in unstable. They are all
> > related to setting permissions and ACLs when extracting
> > archive members that represent symbolic and hard links.
> >
> > [ Impact ]
> > Extracting some (rarely seen) archives may result in files
> > having the wrong access permissions.
> >
> > [ Tests ]
> > All the added patches are taken from upstream commits that
> > include both the bugfixes and the testsuite additions to
> > check for regressions.
> >
> > [ Risks ]
> > The code is mostly easy to follow, the fixes are straightforward.
> >
> > [ Checklist ]
> > [x] *all* changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in stable
> > [x] the issue is verified as fixed in unstable
> >
> > [ Changes ]
> > - correctly extract a hardlink to a symlink using the linkat(2)
> >   system call
> > - do not change the ACLs on symlinks, since that would affect
> >   the symlink target instead
> > - do not accidentally change the access mode of a symlink target
> >   when a change to the symlink's mode was intended
> >
> > [ Other info ]
> > Thanks in advance for looking at this, and keep up the great work!
>
> > diff -Nru libarchive-3.4.3/debian/changelog > > libarchive-3.4.3/debian/changelog > > --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.0 > > +0300 > > +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.0 > > +0200
> > @@ -1,3 +1,12 @@ > > +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium > > + > > + * Add four upstream fixes for various problems: > > +- fix extracting hardlinks to symlinks > > +- fix handling of symlink ACLs; Closes: 1001986 > > +- never follow symlinks when setting file flags; Closes: 1001990
>
> While at it, can you as well add the CVE references to the
> debian/changelog?

Right... I'm not very smart these days, am I? Thanks a lot for your
patience with me these past few weeks!

Attached is an updated debdiff, the only difference being the CVE
references added to the changelog entry.

G'luck,
Peter

--
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.0 +0300 +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.0 +0200 @@ -1,3 +1,13 @@ +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium + + * Add four upstream fixes for various problems: +- fix extracting hardlinks to symlinks +- CVE-2021-23177: fix handling of symlink ACLs; Closes: 1001986 +- CVE-2021-31566: never follow symlinks when setting file flags; + Closes: 1001990 + + -- Peter Pentchev Mon, 27 Dec 2021 18:45:51 +0200 + libarchive (3.4.3-2) unstable; urgency=medium * Add some more upstream patches: diff -Nru libarchive-3.4.3/debian/patches/series libarchive-3.4.3/debian/patches/series --- libarchive-3.4.3/debian/patches/series 2020-08-01 21:46:12.0 +0300 +++ libarchive-3.4.3/debian/patches/series 2021-12-27 18:45:51.0 +0200
@@ -8,3 +8,7 @@ upstream-rar-read-format.patch upstream-memory-stdlib.patch upstream-max-comp-level.patch +upstream-hardlinks-to-symlinks.patch +upstream-symlink-acls.patch +upstream-set-flags-nofollow.patch +upstream-fixup-nofollow.patch diff -Nru libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch --- libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch 1970-01-01 02:00:00.0 +0200 +++ libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch 2021-12-27 18:45:51.0 +0200 @@ -0,0 +1,168 @@ +Description: Do not follow symlinks when processing the fixup list + Published as CVE-2021-31566 +Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 +Bug-Debian: https://bugs.debian.org/1001990 +Author: Martin Matuska +Last-Update: 2021-12-20 + +--- a/Makefile.am b/Makefile.am +@@ -556,6 +556,7 @@ + libarchive/test/test_write_disk.c \ + libarchive/test/test_write_disk_appledouble.c \ + libarchive/test/test_write_disk_failures.c \ ++ libarchive/test/test_write_disk_fixup.c \ + libarchive/test/test_write_disk_hardlink.c \ +
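Review bot: the debian/changelog hunk says "Add four upstream fixes for various problems" but enumerates only three bullets, while the debian/patches/series hunk adds four patches (upstream-hardlinks-to-symlinks.patch, upstream-symlink-acls.patch, upstream-set-flags-nofollow.patch, upstream-fixup-nofollow.patch); add a fourth bullet for the fixup-list change, whose Description header is the one that cites CVE-2021-31566, or word the "never follow symlinks when setting file flags" line so it visibly covers both nofollow patches, so a reader of the stable changelog can map every bullet to a patch.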
Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1
Hi Peter,

On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: r...@ringlet.net
>
> [ Reason ]
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
>
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.
>
> [ Tests ]
> All the added patches are taken from upstream commits that
> include both the bugfixes and the testsuite additions to
> check for regressions.
>
> [ Risks ]
> The code is mostly easy to follow, the fixes are straightforward.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - correctly extract a hardlink to a symlink using the linkat(2)
>   system call
> - do not change the ACLs on symlinks, since that would affect
>   the symlink target instead
> - do not accidentally change the access mode of a symlink target
>   when a change to the symlink's mode was intended
>
> [ Other info ]
> Thanks in advance for looking at this, and keep up the great work!
> diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog > --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.0 +0300 > +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.0 +0200
> @@ -1,3 +1,12 @@ > +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium > + > + * Add four upstream fixes for various problems: > +- fix extracting hardlinks to symlinks > +- fix handling of symlink ACLs; Closes: 1001986 > +- never follow symlinks when setting file flags; Closes: 1001990

While at it, can you as well add the CVE references to the
debian/changelog?

Regards,
Salvatore
Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: r...@ringlet.net

[ Reason ]
This is a future unblock request before I upload
libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
fixed in later upstream versions and in unstable. They are all
related to setting permissions and ACLs when extracting
archive members that represent symbolic and hard links.

[ Impact ]
Extracting some (rarely seen) archives may result in files
having the wrong access permissions.

[ Tests ]
All the added patches are taken from upstream commits that
include both the bugfixes and the testsuite additions to
check for regressions.

[ Risks ]
The code is mostly easy to follow, the fixes are straightforward.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable

[ Changes ]
- correctly extract a hardlink to a symlink using the linkat(2)
  system call
- do not change the ACLs on symlinks, since that would affect
  the symlink target instead
- do not accidentally change the access mode of a symlink target
  when a change to the symlink's mode was intended

[ Other info ]
Thanks in advance for looking at this, and keep up the great work!

diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.0 +0300 +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.0 +0200
@@ -1,3 +1,12 @@ +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium + + * Add four upstream fixes for various problems: +- fix extracting hardlinks to symlinks +- fix handling of symlink ACLs; Closes: 1001986 +- never follow symlinks when setting file flags; Closes: 1001990 + + -- Peter Pentchev Mon, 27 Dec 2021 18:45:51 +0200 + libarchive (3.4.3-2) unstable; urgency=medium * Add some more upstream patches: diff -Nru libarchive-3.4.3/debian/patches/series libarchive-3.4.3/debian/patches/series --- libarchive-3.4.3/debian/patches/series 2020-08-01 21:46:12.0 +0300 +++ libarchive-3.4.3/debian/patches/series 2021-12-27 18:27:13.0 +0200 @@ -8,3 +8,7 @@ upstream-rar-read-format.patch upstream-memory-stdlib.patch upstream-max-comp-level.patch +upstream-hardlinks-to-symlinks.patch +upstream-symlink-acls.patch +upstream-set-flags-nofollow.patch +upstream-fixup-nofollow.patch diff -Nru libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch --- libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch 1970-01-01 02:00:00.0 +0200 +++ libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch 2021-12-27 18:26:12.0 +0200 
@@ -0,0 +1,168 @@ +Description: Do not follow symlinks when processing the fixup list + Published as CVE-2021-31566 +Origin: upstream, https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 +Bug-Debian: https://bugs.debian.org/1001990 +Author: Martin Matuska +Last-Update: 2021-12-20 + +--- a/Makefile.am b/Makefile.am +@@ -556,6 +556,7 @@ + libarchive/test/test_write_disk.c \ + libarchive/test/test_write_disk_appledouble.c \ + libarchive/test/test_write_disk_failures.c \ ++ libarchive/test/test_write_disk_fixup.c \ + libarchive/test/test_write_disk_hardlink.c \ + libarchive/test/test_write_disk_hfs_compression.c \ + libarchive/test/test_write_disk_lookup.c \ +--- a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c +@@ -2461,6 +2461,7 @@ + { + struct archive_write_disk *a = (struct archive_write_disk *)_a; + struct fixup_entry *next, *p; ++ struct stat st; + int fd, ret; + + archive_check_magic(>archive, ARCHIVE_WRITE_DISK_MAGIC, +@@ -2478,6 +2479,20 @@ + (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) { + fd = open(p->name, + O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC); ++ if (fd == -1) { ++ /* If we cannot lstat, skip entry */ ++ if (lstat(p->name, ) != 0) ++ goto skip_fixup_entry; ++ /* ++ * If we deal with a symbolic link, mark ++ * it in the fixup mode to ensure no ++ * modifications are made to its target. ++ */ ++ if (S_ISLNK(st.st_mode)) { ++ p->mode &= ~S_IFMT; ++ p->mode |= S_IFLNK; ++ } ++ } + } +
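Review bot: in the archive_write_disk_posix.c hunk, the new `if (fd == -1)` branch only re-labels the entry (`p->mode &= ~S_IFMT; p->mode |= S_IFLNK;`) and leaves `fd` at -1, so the fix is only as good as every later consumer of `p->mode` and `fd` in this function honouring that marker; the debdiff is cut off here a few lines into a patch whose header announces 168 lines, so the rest of upstream-fixup-nofollow.patch and the added test_write_disk_fixup.c should be read in full before approving. Separately, as rendered here `lstat(p->name, )` and `archive_check_magic(>archive,` have each lost an argument (presumably `&st` and `&a->archive`, eaten by extraction rather than by the patch); a quick eye-check that the file in the actual upload is intact is cheap.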
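As an added illustration of the third [ Changes ] item (a mode fixup aimed at a symlink must not land on its target), here is a small C program that is not libarchive's code and not part of this bug report: `fixup_mode_nofollow` is a hypothetical helper mirroring the open(O_NOFOLLOW)-then-lstat() pattern of the fixup-list hunk, and `demo_symlink_target_untouched` builds a constructed file-plus-symlink layout under /tmp to check it.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not libarchive's: apply a deferred mode fixup without
 * following a symlink. As in the CVE-2021-31566 fix, open with O_NOFOLLOW and,
 * if that fails, lstat() so a symlink is recognised and left alone instead of
 * chmod()ing its target. Returns 1 if applied, 0 if a symlink was skipped, -1 on error. */
int fixup_mode_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    int rc, fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) {
        if (lstat(path, &st) != 0)
            return -1;          /* cannot inspect it: skip the entry */
        if (S_ISLNK(st.st_mode))
            return 0;           /* chmod(path) here would hit the link target */
        return -1;              /* some other open failure: leave it to the caller */
    }
    rc = fchmod(fd, mode & 07777);  /* acts on the opened inode only */
    close(fd);
    return rc == 0 ? 1 : -1;
}

/* Constructed scenario: a 0600 file plus a symlink to it, as a crafted archive
 * could lay out; a 0777 fixup aimed at the symlink must not reach the file. */
int demo_symlink_target_untouched(void)
{
    char dir[] = "/tmp/fixupXXXXXX", target[64], lnk[64];
    struct stat st;
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd != -1) {
        close(fd);
        if (symlink(target, lnk) == 0 &&
            fixup_mode_nofollow(lnk, 0777) == 0 &&    /* symlink: skipped */
            stat(target, &st) == 0)
            ok = (st.st_mode & 07777) == 0600;        /* target untouched */
        unlink(lnk); unlink(target);
    }
    rmdir(dir);
    return ok;
}
```

`demo_symlink_target_untouched()` returns 1 when the symlink-directed fixup left the real file at 0600; the helper's return of 0 for the symlink is what a caller should treat as "skipped on purpose", not as a failure.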