Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-11 Thread Moritz Mühlenhoff
On Fri, Feb 10, 2017 at 11:07:22AM +1300, Chris Lamb wrote:
> tags 854723 + pending
> thanks
> 
> > diffoscope may write to arbitrary locations on disk depending on the contents
> > of an untrusted archive

Please use CVE-2017-0359

Cheers,
Moritz

___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds


Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Chris Lamb
Ximin Luo wrote:

> this particular scheme might not work so well with large archives
> with lots and lots of members

Mm, although unlikely to be a serious problem as we aren't iterating
over the directory.

> Also, are you sure this doesn't interfere with the detection of
> order-only differences, or the ability to match up
> similar-member-names?

We still use the archive's member name throughout diffoscope; the
unpacked path shouldn't leak outside of that comparator. Also, the
tests pass… *g*


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Ximin Luo
Ximin Luo:
> Chris Lamb:
>> tags 854723 + pending
>> thanks
>>
>>> diffoscope may write to arbitrary locations on disk depending on the contents
>>> of an untrusted archive
>>
>> We can actually avoid all edge-cases of sanitisation by simply not using
>> the supplied filename and maintaining our own mapping.
>>
>> Given this is both safer (and has far less code) I've gone ahead and committed
>> that here:
>>
>>   https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
>>
> 
> Thanks, this is better.
> 
> However, this particular scheme might not work so well with large archives 
> with lots and lots of members (>many thousands), depending on what filesystem 
> the tempdir is contained in. I'd suggest using names like $x/$y where $x = idx 
> // 4096, $y = idx % 4096.
> 

Also, are you sure this doesn't interfere with the detection of order-only 
differences, or the ability to match up similar-member-names?

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git


Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Ximin Luo
Chris Lamb:
> tags 854723 + pending
> thanks
> 
>> diffoscope may write to arbitrary locations on disk depending on the contents
>> of an untrusted archive
> 
> We can actually avoid all edge-cases of sanitisation by simply not using
> the supplied filename and maintaining our own mapping.
> 
> Given this is both safer (and has far less code) I've gone ahead and committed
> that here:
> 
>   https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05
> 

Thanks, this is better.

However, this particular scheme might not work so well with large archives with 
lots and lots of members (>many thousands), depending on what filesystem the 
tempdir is contained in. I'd suggest using names like $x/$y where $x = idx // 
4096, $y = idx % 4096.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git


Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Chris Lamb
tags 854723 + pending
thanks

> diffoscope may write to arbitrary locations on disk depending on the contents
> of an untrusted archive

We can actually avoid all edge-cases of sanitisation by simply not using
the supplied filename and maintaining our own mapping.

Given this is both safer (and has far less code) I've gone ahead and committed
that here:

  https://anonscm.debian.org/git/reproducible/diffoscope.git/commit/?id=632a40828a54b399787c25e7fa243f732aef7e05


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-


Processed: Re: Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 854723 + pending
Bug #854723 [diffoscope] diffoscope writes to arbitrary locations on disk based 
on the contents of an untrusted archive
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
854723: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive

2017-02-09 Thread Ximin Luo
Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where
diffoscope may write to arbitrary locations on disk depending on the contents
of an untrusted archive. For example, comparing the following two files:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=843811;filename=libBrokenLocale.a.0;msg=5
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=843811;filename=libBrokenLocale.a.1;msg=5

Traceback (most recent call last):
  File "/home/infinity0/xx/diffoscope/diffoscope/main.py", line 281, in main
    sys.exit(run_diffoscope(parsed_args))
[..]
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 174, in extract
    self.ensure_unpacked()
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 219, in ensure_unpacked
    os.makedirs(os.path.dirname(dst), exist_ok=True)
  File "/usr/lib/python3.5/os.py", line 241, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/SYM64'

Note that this could easily have been something like /home/infinity0/.profile.

I have pushed a nearly-complete fix to git (after version 75 was just released)
which prevents the writes. However, reads are still done using the uncleaned
names; this is a much less severe issue. So, if I don't supply a fix for
the second lesser issue soon, the existing fix should be released ASAP.

X

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (300, 'unstable'), (200, 'experimental'), (1, 
'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diffoscope depends on:
ii  python3-libarchive-c       2.1-3.1
ii  python3-magic              1:5.29-3
ii  python3-pkg-resources      33.1.1-1
pn  python3:any

Versions of packages diffoscope recommends:
ii  acl                        2.2.52-3
ii  apktool                    2.2.1+dfsg-2
ii  binutils-multiarch         2.27.90.20170124-2
ii  bzip2                      1.0.6-8.1
ii  caca-utils                 0.99.beta19-2+b1
ii  colord                     1.3.3-2
ii  cpio                       2.11+dfsg-6
ii  default-jdk [java-sdk]     2:1.8-58
ii  default-jdk-headless       2:1.8-58
ii  enjarify                   1:1.0.3-3
ii  fontforge-extras           0.3-4
ii  fp-utils                   3.0.0+dfsg-10
ii  fp-utils-3.0.0 [fp-utils]  3.0.0+dfsg-10
ii  genisoimage                9:1.1.11-3
ii  gettext                    0.19.8.1-2
ii  ghc                        8.0.1-17
ii  ghostscript                9.20~dfsg-2
ii  gnupg                      2.1.18-3
ii  jsbeautifier               1.6.4-6
ii  llvm                       1:3.8-34+b1
ii  mono-utils                 4.6.2.7+dfsg-1
ii  openjdk-8-jdk [java-sdk]   8u121-b13-2
ii  openssh-client             1:7.4p1-6
ii  pdftk                      2.02-4+b1
ii  poppler-utils              0.48.0-2
ii  python3-argcomplete        1.8.1-1
ii  python3-debian             0.1.30
ii  python3-guestfs            1:1.34.3-7
ii  python3-progressbar        2.3-4
ii  python3-rpm                4.12.0.2+dfsg1-1
ii  python3-tlsh               3.4.4+20151206-1+b1
ii  rpm2cpio                   4.12.0.2+dfsg1-1
ii  sng                        1.1.0-1+b1
ii  sqlite3                    3.16.2-2
ii  squashfs-tools             1:4.3-3
ii  unzip                      6.0-21
ii  vim-common                 2:8.0.0197-1
ii  xxd                        2:8.0.0197-1
ii  xz-utils                   5.2.2-1.2

Versions of packages diffoscope suggests:
ii  libjs-jquery               3.1.1-2

-- no debconf information

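The following is an added illustration, not code from diffoscope or from anyone in this thread, of the two points discussed above: why a destination built from an untrusted member name (the '/SYM64' in the traceback) can leave the temp directory, and how an index-based $x/$y unpack layout as proposed earlier in the thread keeps every write inside it while the original member name is preserved only as a mapping key for matching. The member names, the helper names and the 4096 shard default are constructed for this example.

```python
import os
import tempfile

# Constructed member names of the kind behind Bug#854723: an absolute path
# (the traceback shows '/SYM64') and a parent-directory escape. A repeated
# name is included because ar/tar archives may legally contain duplicates.
MEMBERS = ["lib/foo.o", "/SYM64/bar.o", "../../.profile", "lib/foo.o"]

def unsafe_dst(tmpdir, member_name):
    """Pre-fix pattern: the archive chooses the destination. os.path.join
    discards tmpdir when member_name is absolute, and '..' walks out of it."""
    return os.path.normpath(os.path.join(tmpdir, member_name))

def sharded_dst(tmpdir, idx, shard=4096):
    """Index-based destination in the $x/$y layout from the thread:
    x = idx // shard, y = idx % shard. The member name never touches the
    filesystem; it survives only as a key in the mapping built below."""
    return os.path.join(tmpdir, str(idx // shard), str(idx % shard))

def is_inside(root, path):
    """True if path, once normalised, lies within root (commonpath rather
    than startswith, so '/tmp/d' does not accept '/tmp/dd/x')."""
    root = os.path.abspath(root)
    return os.path.commonpath([root, os.path.abspath(path)]) == root

def escapes(tmpdir, members):
    """Detection helper: member names whose unsafe destination leaves tmpdir."""
    return [m for m in members if not is_inside(tmpdir, unsafe_dst(tmpdir, m))]

def plan_unpack(tmpdir, members, shard=4096):
    """Map (position, member_name) -> sanitised destination. Position is part
    of the key so duplicate names get distinct files, while the original
    name stays available for matching members between two archives."""
    return {(i, n): sharded_dst(tmpdir, i, shard) for i, n in enumerate(members)}

def unpack_all(members, shard=4096):
    """Write each member (empty payload here) under a fresh temp dir and
    return the destinations relative to it; every path must stay inside."""
    with tempfile.TemporaryDirectory() as tmpdir:
        plan = plan_unpack(tmpdir, members, shard)
        for dst in plan.values():
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            with open(dst, "wb") as fh:
                fh.write(b"")
        assert all(is_inside(tmpdir, d) for d in plan.values())
        return sorted(os.path.relpath(d, tmpdir) for d in plan.values())
```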