Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1

2022-02-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2021-12-27 at 22:10 +0200, Peter Pentchev wrote:
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
> 
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.
> 

Please go ahead, thanks.

Regards,

Adam



Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1

2022-01-03 Thread Peter Pentchev
On Thu, Dec 30, 2021 at 09:10:34PM +0100, Salvatore Bonaccorso wrote:
> Hi Peter,
> 
> On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> > X-Debbugs-Cc: r...@ringlet.net
> > 
> > [ Reason ]
> > This is a future unblock request before I upload
> > libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> > fixed in later upstream versions and in unstable. They are all
> > related to setting permissions and ACLs when extracting
> > archive members that represent symbolic and hard links.
> > 
> > [ Impact ]
> > Extracting some (rarely seen) archives may result in files
> > having the wrong access permissions.
> > 
> > [ Tests ]
> > All the added patches are taken from upstream commits that
> > include both the bugfixes and the testsuite additions to
> > check for regressions.
> > 
> > [ Risks ]
> > The code is mostly easy to follow, the fixes are straightforward.
> > 
> > [ Checklist ]
> >   [x] *all* changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in stable
> >   [x] the issue is verified as fixed in unstable
> > 
> > [ Changes ]
> > - correctly extract a hardlink to a symlink using the linkat(2)
> >   system call
> > - do not change the ACLs on symlinks, since that would affect
> >   the symlink target instead
> > - do not accidentally change the access mode of a symlink target
> >   when a change to the symlink's mode was intended
> > 
> > [ Other info ]
> > Thanks in advance for looking at this, and keep up the great work!
> 
> > diff -Nru libarchive-3.4.3/debian/changelog 
> > libarchive-3.4.3/debian/changelog
> > --- libarchive-3.4.3/debian/changelog   2020-08-01 21:46:12.0 
> > +0300
> > +++ libarchive-3.4.3/debian/changelog   2021-12-27 18:45:51.0 
> > +0200
> > @@ -1,3 +1,12 @@
> > +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium
> > +
> > +  * Add four upstream fixes for various problems:
> > +- fix extracting hardlinks to symlinks
> > +- fix handling of symlink ACLs; Closes: 1001986
> > +- never follow symlinks when setting file flags; Closes: 1001990
> 
> While at it, can you as well add the CVE references to the
> debian/changelog?

Right... I'm not very smart these days, am I? Thanks a lot for
your patience with me these past few weeks!

Attached is an updated debdiff, the only difference being the CVE
references added to the changelog entry.

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog
--- libarchive-3.4.3/debian/changelog   2020-08-01 21:46:12.0 +0300
+++ libarchive-3.4.3/debian/changelog   2021-12-27 18:45:51.0 +0200
@@ -1,3 +1,13 @@
+libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium
+
+  * Add four upstream fixes for various problems:
+- fix extracting hardlinks to symlinks
+- CVE-2021-23177: fix handling of symlink ACLs; Closes: 1001986
+- CVE-2021-31566: never follow symlinks when setting file flags;
+  Closes: 1001990
+
+ -- Peter Pentchev   Mon, 27 Dec 2021 18:45:51 +0200
+
 libarchive (3.4.3-2) unstable; urgency=medium
 
   * Add some more upstream patches:
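Review bot: the entry says "Add four upstream fixes" but lists three items, while the series hunk in this same debdiff adds four patches; upstream-fixup-nofollow.patch (whose Description header also files it under CVE-2021-31566) has no changelog line of its own. Suggest either a fourth bullet or widening the CVE-2021-31566 bullet to "never follow symlinks when setting file flags or processing the fixup list", so that every patch in debian/patches/series maps to a changelog line for whoever rebases this on the next stable update.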
diff -Nru libarchive-3.4.3/debian/patches/series 
libarchive-3.4.3/debian/patches/series
--- libarchive-3.4.3/debian/patches/series  2020-08-01 21:46:12.0 
+0300
+++ libarchive-3.4.3/debian/patches/series  2021-12-27 18:45:51.0 
+0200
@@ -8,3 +8,7 @@
 upstream-rar-read-format.patch
 upstream-memory-stdlib.patch
 upstream-max-comp-level.patch
+upstream-hardlinks-to-symlinks.patch
+upstream-symlink-acls.patch
+upstream-set-flags-nofollow.patch
+upstream-fixup-nofollow.patch
diff -Nru libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch 
libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch
--- libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch   
1970-01-01 02:00:00.0 +0200
+++ libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch   
2021-12-27 18:45:51.0 +0200
@@ -0,0 +1,168 @@
+Description: Do not follow symlinks when processing the fixup list
+ Published as CVE-2021-31566
+Origin: upstream, 
https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska 
+Last-Update: 2021-12-20
+
+--- a/Makefile.am
 b/Makefile.am
+@@ -556,6 +556,7 @@
+   libarchive/test/test_write_disk.c \
+   libarchive/test/test_write_disk_appledouble.c \
+   libarchive/test/test_write_disk_failures.c \
++  libarchive/test/test_write_disk_fixup.c \
+   libarchive/test/test_write_disk_hardlink.c \
+ 
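The three [ Changes ] items quoted above come down to one rule: a fixup recorded for a symlink entry must be applied to the link itself, never to what it points at. The C program below is an added example and is not code from this thread or from libarchive. It builds a constructed fixture (a 0600 file and a relative symlink to it under a fresh temporary directory), applies a mode fixup first with plain chmod(2), which follows the link and clobbers the target, then with the open(O_NOFOLLOW) plus lstat(2) pattern that upstream-fixup-nofollow.patch introduces, and finally creates a hard link to the symlink entry with linkat(2) as the hardlinks-to-symlinks change does. All function names, path names and return codes are the example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixture (not taken from any real archive):
 *   <tmpdir>/target  regular file, mode 0600
 *   <tmpdir>/link    symlink -> "target"
 * Fills the path buffers (each of size n); returns 0 on success. */
static int make_fixture(char *dir, char *target, char *lnk, size_t n) {
    const char *base = getenv("TMPDIR");
    if (base == NULL) base = "/tmp";
    snprintf(dir, n, "%s/fixup-demo-XXXXXX", base);
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, n, "%s/target", dir);
    snprintf(lnk, n, "%s/link", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1) return -1;
    close(fd);
    if (chmod(target, 0600) != 0) return -1;     /* starting mode independent of umask */
    if (symlink("target", lnk) != 0) return -1;  /* relative link, as an archive carries it */
    return 0;
}

static void remove_fixture(const char *dir, const char *target, const char *lnk, const char *hard) {
    if (hard) unlink(hard);
    unlink(lnk); unlink(target); rmdir(dir);
}

/* Permission bits of the file a path resolves to (follows symlinks on purpose). */
static int target_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

enum { FIXUP_APPLIED = 0, FIXUP_SKIPPED_SYMLINK = 1, FIXUP_FAILED = -1 };

/* Pre-fix pattern: chmod(2) by path follows symlinks, so a mode meant for the
 * symlink entry lands on whatever the link points to. */
static int fixup_mode_follow(const char *path, mode_t mode) {
    return chmod(path, mode) == 0 ? FIXUP_APPLIED : FIXUP_FAILED;
}

/* Hardened pattern: open with O_NOFOLLOW; if that fails, lstat(2) and refuse
 * to touch anything that turns out to be a symlink. */
static int fixup_mode_nofollow(const char *path, mode_t mode) {
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1) {
        struct stat st;
        if (lstat(path, &st) != 0) return FIXUP_FAILED;       /* gone: skip the entry */
        if (S_ISLNK(st.st_mode)) return FIXUP_SKIPPED_SYMLINK; /* never reach the target */
        /* Not a link but unopenable for writing (e.g. 0444 as non-root): fall back to
         * the path call. Still a TOCTOU window; fchmodat(AT_SYMLINK_NOFOLLOW) closes
         * it where the platform supports it. */
        return chmod(path, mode) == 0 ? FIXUP_APPLIED : FIXUP_FAILED;
    }
    int rc = fchmod(fd, mode);  /* acts on the opened inode, which cannot be a symlink */
    close(fd);
    return rc == 0 ? FIXUP_APPLIED : FIXUP_FAILED;
}

/* Old behaviour: target's permission bits after "fixing up" the symlink to 0777. */
int demo_follow_clobbers_target(void) {
    char dir[256], target[256], lnk[256];
    if (make_fixture(dir, target, lnk, sizeof dir) != 0) return -1;
    fixup_mode_follow(lnk, 0777);
    int bits = target_bits(target);
    remove_fixture(dir, target, lnk, NULL);
    return bits;  /* 0777: the 0600 file was opened up through the link */
}

/* New behaviour: the symlink entry is skipped and the target keeps 0600. */
int demo_nofollow_preserves_target(void) {
    char dir[256], target[256], lnk[256];
    if (make_fixture(dir, target, lnk, sizeof dir) != 0) return -1;
    int rc = fixup_mode_nofollow(lnk, 0777);
    int bits = target_bits(target);
    remove_fixture(dir, target, lnk, NULL);
    return rc == FIXUP_SKIPPED_SYMLINK ? bits : -1;  /* 0600 */
}

/* Hard link to a symlink entry: linkat(2) without AT_SYMLINK_FOLLOW links the
 * symlink itself. Returns 1 if the new name is a symlink, 2 if the platform
 * resolved it to the target instead, -1 on error. */
int demo_hardlink_to_symlink(void) {
    char dir[256], target[256], lnk[256], hard[256];
    if (make_fixture(dir, target, lnk, sizeof dir) != 0) return -1;
    snprintf(hard, sizeof hard, "%s/hard", dir);
    int result = -1;
    struct stat st;
    if (linkat(AT_FDCWD, lnk, AT_FDCWD, hard, 0) == 0 && lstat(hard, &st) == 0)
        result = S_ISLNK(st.st_mode) ? 1 : 2;
    remove_fixture(dir, target, lnk, hard);
    return result;
}

int main(void) {
    printf("chmod via link:    target mode %04o\n", demo_follow_clobbers_target());
    printf("nofollow fixup:    target mode %04o\n", demo_nofollow_preserves_target());
    printf("linkat on symlink: %d\n", demo_hardlink_to_symlink());
    return 0;
}
```

Build with `cc -Wall -o fixup-demo fixup-demo.c` and run it as an unprivileged user. The first line shows the CVE-2021-31566 class of bug in miniature: the archive only asked for the symlink entry's mode, but the 0600 target ended up 0777. The ACL and file-flags fixups need exactly the same discipline, which is why the patch rewrites p->mode to S_IFLNK once it has classified the entry, so the later per-attribute code can refuse to follow it.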

Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1

2021-12-30 Thread Salvatore Bonaccorso
Hi Peter,

On Mon, Dec 27, 2021 at 10:10:58PM +0200, Peter Pentchev wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: r...@ringlet.net
> 
> [ Reason ]
> This is a future unblock request before I upload
> libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
> fixed in later upstream versions and in unstable. They are all
> related to setting permissions and ACLs when extracting
> archive members that represent symbolic and hard links.
> 
> [ Impact ]
> Extracting some (rarely seen) archives may result in files
> having the wrong access permissions.
> 
> [ Tests ]
> All the added patches are taken from upstream commits that
> include both the bugfixes and the testsuite additions to
> check for regressions.
> 
> [ Risks ]
> The code is mostly easy to follow, the fixes are straightforward.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - correctly extract a hardlink to a symlink using the linkat(2)
>   system call
> - do not change the ACLs on symlinks, since that would affect
>   the symlink target instead
> - do not accidentally change the access mode of a symlink target
>   when a change to the symlink's mode was intended
> 
> [ Other info ]
> Thanks in advance for looking at this, and keep up the great work!

> diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog
> --- libarchive-3.4.3/debian/changelog 2020-08-01 21:46:12.0 +0300
> +++ libarchive-3.4.3/debian/changelog 2021-12-27 18:45:51.0 +0200
> @@ -1,3 +1,12 @@
> +libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium
> +
> +  * Add four upstream fixes for various problems:
> +- fix extracting hardlinks to symlinks
> +- fix handling of symlink ACLs; Closes: 1001986
> +- never follow symlinks when setting file flags; Closes: 1001990

While at it, can you as well add the CVE references to the
debian/changelog?

Regards,
Salvatore



Bug#1002703: bullseye-pu: package libarchive/3.4.3-2+deb11u1

2021-12-27 Thread Peter Pentchev
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: r...@ringlet.net

[ Reason ]
This is a future unblock request before I upload
libarchive-3.4.3-2+deb11u1 to fix a couple of bugs that were
fixed in later upstream versions and in unstable. They are all
related to setting permissions and ACLs when extracting
archive members that represent symbolic and hard links.

[ Impact ]
Extracting some (rarely seen) archives may result in files
having the wrong access permissions.

[ Tests ]
All the added patches are taken from upstream commits that
include both the bugfixes and the testsuite additions to
check for regressions.

[ Risks ]
The code is mostly easy to follow, the fixes are straightforward.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- correctly extract a hardlink to a symlink using the linkat(2)
  system call
- do not change the ACLs on symlinks, since that would affect
  the symlink target instead
- do not accidentally change the access mode of a symlink target
  when a change to the symlink's mode was intended

[ Other info ]
Thanks in advance for looking at this, and keep up the great work!
diff -Nru libarchive-3.4.3/debian/changelog libarchive-3.4.3/debian/changelog
--- libarchive-3.4.3/debian/changelog   2020-08-01 21:46:12.0 +0300
+++ libarchive-3.4.3/debian/changelog   2021-12-27 18:45:51.0 +0200
@@ -1,3 +1,12 @@
+libarchive (3.4.3-2+deb11u1) bullseye; urgency=medium
+
+  * Add four upstream fixes for various problems:
+- fix extracting hardlinks to symlinks
+- fix handling of symlink ACLs; Closes: 1001986
+- never follow symlinks when setting file flags; Closes: 1001990
+
+ -- Peter Pentchev   Mon, 27 Dec 2021 18:45:51 +0200
+
 libarchive (3.4.3-2) unstable; urgency=medium
 
   * Add some more upstream patches:
diff -Nru libarchive-3.4.3/debian/patches/series 
libarchive-3.4.3/debian/patches/series
--- libarchive-3.4.3/debian/patches/series  2020-08-01 21:46:12.0 
+0300
+++ libarchive-3.4.3/debian/patches/series  2021-12-27 18:27:13.0 
+0200
@@ -8,3 +8,7 @@
 upstream-rar-read-format.patch
 upstream-memory-stdlib.patch
 upstream-max-comp-level.patch
+upstream-hardlinks-to-symlinks.patch
+upstream-symlink-acls.patch
+upstream-set-flags-nofollow.patch
+upstream-fixup-nofollow.patch
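Review bot: upstream-set-flags-nofollow.patch and upstream-fixup-nofollow.patch are two halves of the same CVE-2021-31566 fix (the changelog ties the file-flags fix to that CVE and the fixup patch's Description says "Published as CVE-2021-31566"), so their order here has to follow the upstream commit order; a sentence in each patch's Description naming its companion would spare the next updater from rediscovering that when one of them stops applying.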
diff -Nru libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch 
libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch
--- libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch   
1970-01-01 02:00:00.0 +0200
+++ libarchive-3.4.3/debian/patches/upstream-fixup-nofollow.patch   
2021-12-27 18:26:12.0 +0200
@@ -0,0 +1,168 @@
+Description: Do not follow symlinks when processing the fixup list
+ Published as CVE-2021-31566
+Origin: upstream, 
https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
+Bug-Debian: https://bugs.debian.org/1001990
+Author: Martin Matuska 
+Last-Update: 2021-12-20
+
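Review bot: the DEP-3 header has Origin and Bug-Debian but no Applied-Upstream field; since this backports a commit that landed in a later upstream release, recording the first release that contains b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 lets the next stable update see at a glance which patches can be dropped. The "Published as CVE-2021-31566" continuation line is useful; the CVE identifier would also be easier to grep for if it appeared on the Description line itself.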
+--- a/Makefile.am
 b/Makefile.am
+@@ -556,6 +556,7 @@
+   libarchive/test/test_write_disk.c \
+   libarchive/test/test_write_disk_appledouble.c \
+   libarchive/test/test_write_disk_failures.c \
++  libarchive/test/test_write_disk_fixup.c \
+   libarchive/test/test_write_disk_hardlink.c \
+   libarchive/test/test_write_disk_hfs_compression.c \
+   libarchive/test/test_write_disk_lookup.c \
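Review bot: adding test_write_disk_fixup.c to the Makefile.am source list only reaches the build if debian/rules regenerates the autotools files (dh_autoreconf, the default with debhelper compat 10 and later) or the matching Makefile.in change is carried as well; the debdiff does not show which, so it is worth confirming that the new regression test is actually compiled and executed under dh_auto_test, otherwise the "[ Tests ]" claim rests on a test that never runs. Upstream also lists the test sources in libarchive/test/CMakeLists.txt; if that part of the commit was dropped as unneeded for the autotools build, a note saying so in the patch header would help.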
+--- a/libarchive/archive_write_disk_posix.c
 b/libarchive/archive_write_disk_posix.c
+@@ -2461,6 +2461,7 @@
+ {
+   struct archive_write_disk *a = (struct archive_write_disk *)_a;
+   struct fixup_entry *next, *p;
++  struct stat st;
+   int fd, ret;
+ 
+   archive_check_magic(>archive, ARCHIVE_WRITE_DISK_MAGIC,
+@@ -2478,6 +2479,20 @@
+   (TODO_TIMES | TODO_MODE_BASE | TODO_ACLS | TODO_FFLAGS)) {
+   fd = open(p->name,
+   O_WRONLY | O_BINARY | O_NOFOLLOW | O_CLOEXEC);
++  if (fd == -1) {
++  /* If we cannot lstat, skip entry */
++  if (lstat(p->name, ) != 0)
++  goto skip_fixup_entry;
++  /*
++   * If we deal with a symbolic link, mark
++   * it in the fixup mode to ensure no
++   * modifications are made to its target.
++   */
++  if (S_ISLNK(st.st_mode)) {
++  p->mode &= ~S_IFMT;
++  p->mode |= S_IFLNK;
++  }
++  }
+   }
+
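Review bot: the symlink classification hinges on open(O_NOFOLLOW) failing for any reason, not on errno == ELOOP, so when open fails on a non-symlink (EACCES on a read-only regular file, say) the lstat succeeds, nothing is marked, and the code falls through with fd == -1 to the path-based fixups exactly as before; the S_IFLNK marking therefore only protects against a symlink that was already present at lstat time, and the per-attribute code further down (not in this excerpt) still has to use the nofollow variants itself rather than trust p->mode alone, since a link can be swapped in between this lstat and those calls. Two smaller points: `goto skip_fixup_entry` references a label that is not visible in the part of the patch shown here, so confirm it exists in the remainder; and the archived rendering has lost the `&st` argument in `lstat(p->name, )` and the `&a-` in `archive_check_magic(>archive`, which is display damage rather than a patch defect, but worth a `quilt push` to make sure the on-disk patch is intact.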