path: root/scripts/t/Dpkg_Source_Patch
Age | Commit message | Author | Files | Lines
2017-05-17 | Dpkg::Source::Patch: Indented patch test-case | Guillem Jover | 1 | -0/+9
POSIX specifies that a diff hunk can be indented by spaces or tabs (while the original patch(1) by Larry Wall also accepts 'X'), as long as the amount of spaces is consistent for all subsequent lines. And as we are not checking for this condition at all, any such indented hunk can avoid the sanity checks performed by Dpkg::Source::Patch.

On systems using GNU patch >= 2.7.5, this should, in principle, not be a problem anymore, as that implementation protects against directory traversal issues. But on other systems where the patch implementation does not perform such checks (such as the BSDs) this is an issue, so check for this in the test-suite.

Those are arguably all security issues in these various patch implementations, but given that we are performing sanity checks and that those implementations are currently very lax, it seems prudent to do the heavy lifting ourselves and also take the possible blame too.

Ref: CVE-2017-8283
Stable-Candidate: 1.17.x
2014-06-05 | scripts: Add test case for patch disabling hunks | Guillem Jover | 1 | -0/+7
This does not pose any security issue, as the hunk parser is strict, and will reject a patch if it considers that the hunk marker is not present.
2014-06-05 | Dpkg::Source::Patch: Fix patch header parsing to avoid directory traversals | Guillem Jover | 4 | -0/+18
The code parsing the patches was not taking into account that patches w/ partial or no pathname headers are still valid patches, and that they can specify the pathname in the Index: pseudo-header or in a single «+++ » pathname header, which allows doing directory traversal when unpacking source packages.

The first vector is due to how the Index: pseudo-header is handled by patch. Its value gets used (on non-POSIX mode) only when both «+++ » and «--- » pathname headers do not provide a pathname, by either having an empty pathname or by the header being completely absent. The minimal fix for this is to just consider that we've parsed the header when we see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.

The other vector is due to patches with only a «+++ » pathname header, which get skipped by the parser as it only checks for «--- » pathname header lines. The minimal fix for this is to also check for «+++ » when parsing the patch header. This is CVE-2014-3864 and #746498.

The first issue is a superset of the second, and its fix is sufficient and covers and fixes too the second vector, as the «@@ -» marker is mandatory for a patch to be valid.

An unspecified directory traversal vulnerability was initially reported in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no information had been provided, I independently found #749183 and what was supposed to be #746498, which was later on published.

Fixes: CVE-2014-3864, CVE-2014-3865
Closes: #746498, #749183
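A defensive pre-flight check covering the three pathname sources the two commit messages above describe (a consistently indented hunk, the `Index:` pseudo-header, and a lone `+++ ` header), written as an added Python example rather than dpkg's own Perl code in Dpkg::Source::Patch. The pathname selection order it uses (`+++ `, then `--- `, then `Index:`) is an assumed simplification of patch(1), and the sample patches are constructed to mirror the test-cases the commits add.

```python
import re

# POSIX allows a whole diff (headers and hunks) to be indented by a
# consistent run of spaces or tabs; strip that before looking at markers,
# otherwise an indented header escapes every check below.
_INDENT_RE = re.compile(r'^[ \t]*')

def _header_value(line, marker):
    # Pathname part of a '--- ', '+++ ' or 'Index: ' line (text after a tab is
    # a timestamp). An empty pathname counts as absent, as the commit notes.
    value = line[len(marker):].split('\t')[0].strip()
    return value or None

def patch_pathnames(text):
    """Target pathname of every file section in a unified diff.

    Assumed, simplified model of patch(1): a '@@ -' hunk header is what
    confirms a file section, and its pathname comes from '+++ ', else '--- ',
    else the 'Index:' pseudo-header. Hunk bodies are not tracked line by line.
    """
    paths = []
    index = minus = plus = None
    for raw in text.splitlines():
        line = _INDENT_RE.sub('', raw, count=1)
        if line.startswith('Index: '):
            index = _header_value(line, 'Index: ')
        elif line.startswith('--- '):
            minus = _header_value(line, '--- ')
        elif line.startswith('+++ '):
            plus = _header_value(line, '+++ ')
        elif line.startswith('@@ -'):
            chosen = plus or minus or index
            if chosen is not None:
                paths.append(chosen)
            index = minus = plus = None  # later hunks belong to the same file
    return paths

def unsafe_pathnames(text):
    """Pathnames that would escape the unpack directory: absolute paths or
    any '..' component (checked per component, so 'a/..b' is accepted)."""
    return [p for p in patch_pathnames(text)
            if p.startswith('/') or '..' in p.split('/')]

# Constructed samples, one per vector the commit messages describe.
SAMPLE_LONE_PLUS = "+++ ../outside.txt\n@@ -0,0 +1 @@\n+x\n"
SAMPLE_INDEX = "Index: ../../outside.txt\n@@ -0,0 +1 @@\n+x\n"
SAMPLE_INDENTED = "\t--- /dev/null\n\t+++ ../escape\n\t@@ -0,0 +1 @@\n\t+x\n"
SAMPLE_OK = "--- a/src/main.c\n+++ b/src/main.c\n@@ -1 +1 @@\n-old\n+new\n"

if __name__ == '__main__':
    for name, sample in [('lone +++', SAMPLE_LONE_PLUS), ('Index:', SAMPLE_INDEX),
                         ('indented', SAMPLE_INDENTED), ('clean', SAMPLE_OK)]:
        print(f"{name:9s} -> rejected pathnames: {unsafe_pathnames(sample)}")
```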
2014-06-05 | scripts: Add test cases for C-style encoded pathnames in patches | Guillem Jover | 1 | -0/+4
This covers the directory traversal issues from CVE-2014-0471 and CVE-2014-3127.