The code parsing the patches was not taking into account that patches
w/ partial or no pathname headers are still valid patches, and that
they can specify the pathname in the Index: pseudo-header or in a
single «+++ » pathname header, which allows doing directory traversal
when unpacking source packages.
The first vector is due to how the Index: pseudo-header is handled by
patch. Its value gets used (on non-POSIX mode) only when both «+++ »
and «--- » pathname headers do not provide a pathname, by either having
an empty pathname or by the header being completely absent. The minimal
fix for this is to just consider that we've parsed the header when we
see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.
The other vector is due to patches with only a «+++ » pathname header,
which get skipped by the parser as it only checks for «--- » pathname
header lines. The minimal fix for this is to also check for «+++ » when
parsing the patch header. This is CVE-2014-3864 and #746498.
The first issue is a superset of the second, and its fix is sufficient
and also covers and fixes the second vector, as the «@@ -» marker is
mandatory for a patch to be valid.
An unspecified directory traversal vulnerability was initially reported
in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no
information had been provided, I independently found #749183 and what
was supposed to be #746498, which was later on published.
Fixes: CVE-2014-3864, CVE-2014-3865
Closes: #746498, #749183
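As an added illustration of the two vectors the commit message describes (not dpkg's own code, and not the patch(1) algorithm itself): a small Python model of unified-diff header parsing. In `legacy` mode a file section is only recognised on a `--- ` header and the `Index:` value is ignored, so a patch carrying just a `+++ ` header or only an `Index:` pseudo-header is skipped and never validated. In the fixed mode the `@@ -` hunk marker closes the header block, so whichever pathname source was present is seen and can be checked against directory traversal. The sample patches, the `target.conf` path and the `is_safe_pathname` helper are constructed for this example; the check assumes the patch is applied with `-p1`.

```python
import posixpath
import re

# Added example, not dpkg's own code: a simplified model of unified-diff
# header parsing.  Hunk-body line counting is omitted, so a body line that
# happens to start with "--- " or "+++ " would confuse this parser; real
# implementations track the hunk line counts.

HUNK_MARKER = re.compile(r"^@@ -")


def _header_pathname(rest):
    """Pathname from a '--- ' / '+++ ' header payload.

    patch(1) stops at the first tab (what follows is a timestamp); an empty
    value or /dev/null means "this header supplies no pathname".
    """
    name = rest.split("\t", 1)[0].strip()
    return None if name in ("", "/dev/null") else name


def extract_pathnames(patch_text, legacy=False):
    """Return the pathname of every file section found in the patch.

    legacy=True models the pre-fix parser: a section only counts if a
    '--- ' line started it, and the Index: pseudo-header is never used.
    legacy=False models the fix: the first '@@ -' marker ends the header
    block, so the name comes from '---', else '+++', else 'Index:' (the
    non-POSIX patch(1) fallback order the commit message describes).
    """
    names = []
    index = old = new = None
    saw_old_header = False
    for line in patch_text.splitlines():
        if line.startswith("Index: "):
            index = line[len("Index: "):].strip() or None
        elif line.startswith("--- "):
            old = _header_pathname(line[4:])
            saw_old_header = True
        elif line.startswith("+++ "):
            new = _header_pathname(line[4:])
        elif HUNK_MARKER.match(line):
            if legacy:
                name = (old or new) if saw_old_header else None
            else:
                name = old or new or index
            if name is not None:
                names.append(name)
            # Later hunks of the same file carry no headers; reset state.
            index = old = new = None
            saw_old_header = False
    return names


def is_safe_pathname(name, strip=1):
    """Defender-side check: after -pN stripping, the remainder must be a
    relative path that cannot leave the unpack directory."""
    if name is None or name.startswith("/"):
        return False
    rest = name.split("/")[strip:]
    if not rest or rest[-1] == "":
        return False
    norm = posixpath.normpath("/".join(rest))
    return norm not in (".", "..") and not norm.startswith("../")


def unsafe_pathnames(patch_text, legacy=False, strip=1):
    """Pathnames the parser saw that would escape the unpack directory."""
    return [n for n in extract_pathnames(patch_text, legacy)
            if not is_safe_pathname(n, strip)]


# Constructed samples (not from any real package or report).
PATCH_PLUS_ONLY = (
    "+++ b/../../etc/target.conf\n"
    "@@ -0,0 +1 @@\n"
    "+injected line\n"
)
PATCH_INDEX_ONLY = (
    "Index: b/../../etc/target.conf\n"
    "--- \n"
    "+++ \n"
    "@@ -0,0 +1 @@\n"
    "+injected line\n"
)
PATCH_NORMAL = (
    "--- a/src/main.c\n"
    "+++ b/src/main.c\n"
    "@@ -1 +1 @@\n"
    "-old\n"
    "+new\n"
)

if __name__ == "__main__":
    for label, text in [("+++ only", PATCH_PLUS_ONLY),
                        ("Index: only", PATCH_INDEX_ONLY),
                        ("normal", PATCH_NORMAL)]:
        print(label, "legacy flags:", unsafe_pathnames(text, legacy=True),
              "fixed flags:", unsafe_pathnames(text))
```

Run stand-alone, the legacy mode reports nothing for either malicious sample because it never sees their pathnames, while the fixed mode flags both; the ordinary patch passes in both modes.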