Your message dated Tue, 10 Sep 2019 19:11:20 +0100
with message-id <8878ff801666ef402d18c771343db4d2fd56d901.ca...@adam-barratt.org.uk>
and subject line Re: Bug#939978: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
has caused the Debian Bug report #939978,
regarding buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
939978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---Subject: buster-pu: package flightcrew/0.7.2+dfsg-13+deb10u1 Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: buster Severity: normal Hello, I would like to update the flightcrew package in Buster release. The goal is to fix the CVE-2019-13241. Please find attached the debdiff. Best Regards, François -- System Information: Debian Release: 10.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dashFrom 1ee41f78678f520402823b1524e02cba5c5d0d88 Mon Sep 17 00:00:00 2001 From: Francois Mazen <franc...@mzf.fr> Date: Tue, 10 Sep 2019 09:27:47 +0200 Subject: [PATCH] Fix CVE-2019-13241 --- debian/changelog | 6 ++++++ debian/patches/fix-CVE-2019-13241.diff | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + debian/source/include-binaries | 1 + debian/tests/CVE-2019-13241 | 28 ++++++++++++++++++++++++++++ debian/tests/CVE-2019-13241_zip-slip.zip | Bin 0 -> 545 bytes debian/tests/control | 2 ++ 7 files changed, 96 insertions(+) create mode 100644 debian/patches/fix-CVE-2019-13241.diff create mode 100644 debian/source/include-binaries create mode 100644 debian/tests/CVE-2019-13241 create mode 100644 debian/tests/CVE-2019-13241_zip-slip.zip create mode 100644 debian/tests/control diff --git a/debian/changelog b/debian/changelog index b6a222f..dd9a681 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +flightcrew (0.7.2+dfsg-13+deb10u1) buster; urgency=high + + * Fix CVE-2019-13241 for buster. + + -- Francois Mazen <franc...@mzf.fr> Sun, 08 Sep 2019 21:55:23 +0200 + flightcrew (0.7.2+dfsg-13) unstable; urgency=medium [ Ondřej Nový ] 
diff --git a/debian/patches/fix-CVE-2019-13241.diff b/debian/patches/fix-CVE-2019-13241.diff new file mode 100644 index 0000000..5357d6a --- /dev/null +++ b/debian/patches/fix-CVE-2019-13241.diff @@ -0,0 +1,58 @@ +Description: fix CVE-2019-13241 +Author: Francois Mazen <franc...@mzf.fr> + + +--- a/src/zipios/src/zipextraction.cpp ++++ b/src/zipios/src/zipextraction.cpp +@@ -63,6 +63,43 @@ + fs::create_directory( filepath ); + } + ++void CheckPathTraversalVulnerability(const fs::path& root_folder, const fs::path& file_path) ++{ ++ ++ fs::path canonical_path = fs::weakly_canonical(file_path); ++ fs::path canonical_root_path = fs::weakly_canonical(root_folder); ++ ++ fs::path::iterator root_iterator = canonical_root_path.begin(); ++ fs::path::iterator path_iterator = canonical_path.begin(); ++ bool isDifferenceFound = false; ++ while(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator != canonical_path.end()) ++ { ++ if((*root_iterator) != (*path_iterator)) ++ { ++ isDifferenceFound = true; ++ } ++ else ++ { ++ ++root_iterator; ++ ++path_iterator; ++ } ++ } ++ ++ if(!isDifferenceFound && ++ root_iterator != canonical_root_path.end() && ++ path_iterator == canonical_path.end()) ++ { ++ // We reached the end of the path without iterating the whole root. ++ isDifferenceFound = true; ++ } ++ ++ if(isDifferenceFound) ++ { ++ throw InvalidStateException( "Corrupt epub detected with local file path: " + file_path.string()) ; ++ } ++} + + void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_folder ) + { +@@ -75,6 +112,7 @@ + + fs::path new_file_path = path_to_folder / (*it)->getName(); + ++ CheckPathTraversalVulnerability(path_to_folder, new_file_path); + CreateFilepath( new_file_path ); + WriteEntryToFile( *stream, new_file_path ); + } diff --git a/debian/patches/series b/debian/patches/series index dd411b2..f8c0cdb 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -3,3 +3,4 @@ disable_filesystem3_overload modify_cmake_for_debian reproducible-build use_random_unique_tmp_path +fix-CVE-2019-13241.diff diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 0000000..5b216eb --- /dev/null +++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/tests/CVE-2019-13241_zip-slip.zip diff --git a/debian/tests/CVE-2019-13241 b/debian/tests/CVE-2019-13241 new file mode 100644 index 0000000..baac7e0 --- /dev/null +++ b/debian/tests/CVE-2019-13241 @@ -0,0 +1,28 @@ +#!/bin/sh + +# Check the CVE-2019-13241 vulnerability. +# See https://security-tracker.debian.org/tracker/CVE-2019-13241 +# Author: Francois Mazen <franc...@mzf.fr> + +EVIL_FILE=/tmp/evil.txt + +if [ -f "$EVIL_FILE" ]; then + echo "$EVIL_FILE exists, removing it." + rm -f $EVIL_FILE +else + echo "$EVIL_FILE does not exist" +fi + +echo "Opening the evil zip file." +flightcrew-cli --input-file CVE-2019-13241_zip-slip.zip 2>&1 + +if [ -f "$EVIL_FILE" ]; then + echo "$EVIL_FILE exists! The program is vulnerable." + exit 1 +else + echo "$EVIL_FILE does not exist, no vulnerability." + exit 0 +fi + + + diff --git a/debian/tests/CVE-2019-13241_zip-slip.zip b/debian/tests/CVE-2019-13241_zip-slip.zip new file mode 100644 index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b GIT binary patch literal 545 zc$^FHW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB( zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJkou%T0dh9)>xTY`8X+ycaUdin!`N^%SI zQ_C`QKpuiSI!^&41a&ndlN>Xyz>olo13k^Kq!GkI1Pv=BXwZTMWSR&w?ofb%C5@qj WBuoOlS=m4?Vgf>tN4Y_sWdH#5lWQ0N literal 0 Hc$@<O00001 diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..d4371d1 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,2 @@ +Tests: CVE-2019-13241 +Depends: flightcrew -- libgit2 0.27.7signature.asc
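Review bot: In the CheckPathTraversalVulnerability hunk of src/zipios/src/zipextraction.cpp, an entry whose canonical path is exactly the root folder is not rejected: when both root_iterator and path_iterator reach end() together, isDifferenceFound stays false and the final `if` only covers the case where the entry path is a strict prefix of the root. ExtractZipToFolder then calls CreateFilepath and WriteEntryToFile on path_to_folder itself. Consider rejecting that case too, e.g. by changing the condition to `path_iterator == canonical_path.end()` regardless of where root_iterator stopped, so that only entries strictly below the root pass. The rest of the logic is sound: comparing element by element after fs::weakly_canonical on both sides resolves `..` segments and any symlinked prefix that already exists on disk, and the check runs before anything is created, which is the right order.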
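Review bot: In the ExtractZipToFolder hunk, placing the call to CheckPathTraversalVulnerability before CreateFilepath is correct, since CreateFilepath creates parent directories (the visible context shows fs::create_directory( filepath )) and would otherwise already have created directories outside path_to_folder before the write was refused. One consequence worth a short comment at the call site: the InvalidStateException aborts the extraction part way through, so entries already written by earlier iterations remain in path_to_folder; callers that treat the exception as "nothing was extracted" should not.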
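Review bot: The debian/tests/CVE-2019-13241 script can report "no vulnerability" without ever exercising the fix. It has no `set -e` and ignores the exit status of flightcrew-cli, so a CLI that fails before extraction (missing binary, input file not found) still ends in the `else` branch and exits 0. autopkgtest runs tests with the root of the unpacked source tree as working directory, so the relative `CVE-2019-13241_zip-slip.zip` will not be found unless the script either uses `debian/tests/CVE-2019-13241_zip-slip.zip` or does `cd "$(dirname "$0")"` first. Suggest capturing the CLI output and requiring the expected rejection, e.g. `flightcrew-cli --input-file debian/tests/CVE-2019-13241_zip-slip.zip 2>&1 | grep -q "Corrupt epub detected" || exit 1`, in addition to the absence check on $EVIL_FILE. Minor: quote the variable in `rm -f $EVIL_FILE`, and the three trailing blank lines at the end of the file can go.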
--- End Message ---
--- Begin Message ---
On Tue, 2019-09-10 at 09:55 +0200, François Mazen wrote:
> I would like to update the flightcrew package in Buster release.
>
> The goal is to fix the CVE-2019-13241.
>

You already requested that in #939965.

Regards,

Adam
--- End Message ---