Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hello,

I would like to push a security fix into stable for `obs-build`. The patch fixes CVE-2017-14804 as described in #887306. Please consider the following patch attached.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru obs-build-20170201/debian/changelog obs-build-20170201/debian/changelog --- obs-build-20170201/debian/changelog 2017-08-04 23:24:36.000000000 +0200 +++ obs-build-20170201/debian/changelog 2018-03-04 23:05:06.000000000 +0100 @@ -1,3 +1,11 @@ +obs-build (20170201-3+deb9u1) stretch; urgency=medium + + * CVE-2017-14804 (Closes: #887306) + - Improve extractbuild to avoid write to files in the host system. + - debian/patches/Improve-sanity-checks-in-extractbuild.patch: add new + + -- Héctor Orón Martínez <zu...@debian.org> Sun, 04 Mar 2018 23:05:06 +0100 + obs-build (20170201-3) unstable; urgency=medium [ Sjoerd Simons ] diff -Nru obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch --- obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 1970-01-01 01:00:00.000000000 +0100 +++ obs-build-20170201/debian/patches/Improve-sanity-checks-in-extractbuild.patch 2018-03-04 23:01:56.000000000 +0100 
@@ -0,0 +1,34 @@ +From fc36b1c95afbe11e65fd1ed6f75c1824cdb26230 Mon Sep 17 00:00:00 2001 +Message-Id: <fc36b1c95afbe11e65fd1ed6f75c1824cdb26230.1511739165.git.suse-...@gmx.de> +From: Marcus Huewe <suse-...@gmx.de> +Date: Sun, 26 Nov 2017 20:25:48 +0100 +Subject: [PATCH] Improve sanity checks in extractbuild + +A \0 in a symlink target can be used to write to a file in the host +system. For the same reason, we do not allow to process a file more +than once. A \0 in a filename makes no sense, hence forbid it. +--- + extractbuild | 3 +++ + 1 file changed, 3 insertions(+) + +Index: obs-build-20160921/extractbuild +=================================================================== +--- obs-build-20160921.orig/extractbuild ++++ obs-build-20160921/extractbuild +@@ -74,6 +74,8 @@ while (<S>) { + my ($filetype, $file, $filesize, $blksize, @blocks) = split(/ /); + die("invalid input '$_'\n") unless defined($file); + $file =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge; ++ die("bad file '$file' (contains \\0)\n") if $file =~ /\0/; ++ die("already processed: $file\n") if $done{$file}; + die("bad file '$file'\n") if "/$file/" =~ /\/\.{0,2}\//s; + if ($file =~ /^(.*)\//s) { + die("file without directory: $file\n") unless $done{$1} && $done{$1} eq 'd'; +@@ -88,6 +90,7 @@ while (<S>) { + my $target = $filesize; + die("symlink without target\n") unless defined $target; + $target =~ s/%([a-fA-F0-9]{2})/chr(hex($1))/ge; ++ die("bad symlink: $target (contains \\0)\n") if $target =~ /\0/; + die("bad symlink: $target\n") if "/$target/" =~ /\/\.?\//s; + if ("/$target/" =~ /^(\/\.\.)+\/(.*?)$/s) { + my ($head, $tail) = ($1, $2); diff -Nru obs-build-20170201/debian/patches/series obs-build-20170201/debian/patches/series --- obs-build-20170201/debian/patches/series 2017-08-04 23:24:36.000000000 +0200 +++ obs-build-20170201/debian/patches/series 2018-03-04 23:03:58.000000000 +0100 
@@ -15,3 +15,4 @@ HACK-Make-glibc-build.patch debootstrap-generate-apt-caches.patch +Improve-sanity-checks-in-extractbuild.patch
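Review bot: in the debian/changelog hunk, the first bullet under CVE-2017-14804 reads "Improve extractbuild to avoid write to files in the host system."; "avoid writing to files" is the intended wording, and naming the upstream commit that the patch carries (fc36b1c95afbe11e65fd1ed6f75c1824cdb26230) in that entry would let anyone reading the stable changelog trace the fix to its origin without opening the patch file.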
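Review bot: in the Improve-sanity-checks-in-extractbuild.patch hunk, the embedded `Index:`, `---` and `+++` headers name obs-build-20160921 while this upload is obs-build-20170201; quilt strips the leading path component, so the hunks should still land on extractbuild, but please confirm they apply cleanly (for example with `quilt push -a`) and consider refreshing the patch against the 20170201 tree so the headers match the package. The patch also has no DEP-3 `Origin:` or `Bug-Debian:` lines; adding them for the upstream commit and #887306 would document where the fix comes from. On the logic itself, both new `\0` checks sit after the `s/%([a-fA-F0-9]{2})/chr(hex($1))/ge` decoding, so a percent-encoded NUL is rejected rather than slipping through; the `already processed` check depends on `%done` being populated for every entry, which the existing `$done{$1} eq 'd'` directory check indicates it already is.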