Age | Commit message (Collapse) | Author | Files | Lines |
|
POSIX specifies that a diff hunk can be indented by spaces or tabs
(while the original patch(1) by Larry Wall also accepts 'X'), as long
as the amount of spaces is consistent for all subsequent lines. And as
we are not checking for this condition at all, any such indented hunk
can avoid the sanity checks performed by Dpkg::Source::Patch.
On systems using GNU patch >= 2.7.5, this should, in principle, not be
a problem anymore, as that implementation protects against directory
traversal issue. But on other systems where the patch implementation
does not perform such checks (such as the BSDs) this is an issue, so
check for this in the test-suite.
Those are arguably all security issues in these various patch
implementations, but given that we are performing sanity checks and that
those implementations are currently very lax, it seems prudent to do the
heavy lifting ourselves and also take the possible blame too.
Ref: CVE-2017-8283
Stable-Candidate: 1.17.x
|
|
This does not pose any security issue, as the hunk parser is strict, and
will reject a patch if it considers that the hunk marker is not present.
|
|
The code parsing the patches was not taking into account that patches
w/ partial or no pathname headers are still valid patches, and that
they can specify the pathname in the Index: pseudo-header or in a
single «+++ » pathname header, which allows doing directory traversal
when unpacking source packages.
The first vector is due to how the Index: pseudo-header is handled by
patch. Its value gets used (on non-POSIX mode) only when both «+++ »
and «--- » pathname headers do not provide a pathname, by either having
an empty pathname or by the header being completely absent. The minimal
fix for this is to just consider that we've parsed the header when we
see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.
The other vector is due to patches with only a «+++ » pathname header,
which get skipped by the parser as it only checks for «--- » pathname
header lines. The minimal fix for this is to also check for «+++ » when
parsing the patch header. This is CVE-2014-3864 and #746498.
The first issue is a superset of the second, and its fix is sufficient
and covers and fixes too the second vector, as the «@@ -» marker is
mandatory for a patch to be valid.
An unspecified directory traversal vulnerability was initially reported
in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no
information had been provided, I independently found #749183 and what
was supposed to be #746498, which was later on published.
Fixes: CVE-2014-3864, CVE-2014-3865
Closes: #746498, #749183
|
|
This covers the directory traversal issues from CVE-2014-0471 and
CVE-2014-3127.
|