Hello Roberto C. Sánchez On Wednesday 18 July 2018 11:17 PM, Roberto C. Sánchez wrote: > On Wed, Jul 18, 2018 at 09:06:43PM +0530, Abhijith PA wrote: >> >> Made all the corrections. Thanks for the review. >> >> >> --abhijith >> > > Thanks! It is now uploaded. > > Regards, > > -Roberto >
Can you upload ant again to fix TEMP-0904191-9063D5. Debdiff is attached. I will take care of DLA. Thanks in advance. --abhijith
diff -Nru ant-1.9.4/debian/changelog ant-1.9.4/debian/changelog --- ant-1.9.4/debian/changelog 2018-07-18 13:03:03.000000000 +0200 +++ ant-1.9.4/debian/changelog 2018-08-02 17:01:29.000000000 +0200 @@ -1,3 +1,12 @@ +ant (1.9.4-3+deb8u2) jessie-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team. + * Fix TEMP-0904191-9063D5: Incomplete fix for CVE-2018-10886 + * Add NEWS.Debian file to document possibly breaking changes + (Closes: #904191) + + -- Abhijith PA <abhij...@disroot.org> Thu, 02 Aug 2018 20:31:29 +0530 + ant (1.9.4-3+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Debian LTS Team diff -Nru ant-1.9.4/debian/NEWS ant-1.9.4/debian/NEWS --- ant-1.9.4/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 +++ ant-1.9.4/debian/NEWS 2018-08-02 17:01:29.000000000 +0200 @@ -0,0 +1,16 @@ +ant (1.9.4-3+deb8u2) jessie-security; urgency=high + + Changes that could break older environments + ------------------------------------------- + <unzip>, <unjar> and <untar> will no longer extract entries whose + names would make the created files be placed outside of the + destination directory anymore by default. A new attribute + allowFilesToEscapeDest can be used to override the behavior. + Another special case is when stripAbsolutePathSpec is false (which + no longer is the default) and the entry's name starts with a + (back)slash and allowFilesToEscapeDest hasn't been specified + explicitly, in this case the file may be created outside of the + dest directory as well. + In addition stripAbsolutePathSpec is now true by default. + + -- Abhijith PA <abhij...@disroot.org> Thu, 02 Aug 2018 20:31:29 +0530 \ No newline at end of file diff -Nru ant-1.9.4/debian/patches/series ant-1.9.4/debian/patches/series --- ant-1.9.4/debian/patches/series 2018-07-18 13:03:03.000000000 +0200 +++ ant-1.9.4/debian/patches/series 2018-08-02 17:01:29.000000000 +0200 @@ -4,3 +4,4 @@ 0007-use-build.classpath.patch 0008-junit4-replace-assumeFalse.patch CVE-2018-10886.patch +TEMP-0904191-9063D5.patch diff -Nru ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch --- ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch 1970-01-01 01:00:00.000000000 +0100 +++ ant-1.9.4/debian/patches/TEMP-0904191-9063D5.patch 2018-08-02 17:01:29.000000000 +0200 @@ -0,0 +1,66 @@ +Description: TEMP-0904191-9063D5 + Incomplete fix to CVE-2018-10886. Add another isLeadingPath method to + resolves symlinks. Also consider symlinks when expanding archives + and checking entries. + +Author: Abhijith PA <abhij...@disroot.org> +Origin: https://github.com/apache/ant/commit/5a8c37b271677587046bfd0fea18c1675d5a6300 + https://github.com/apache/ant/commit/6a41d62cb9ab4e640b72cb4de42a6c211dea645d +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=62502 +Bug-Debian: https://bugs.debian.org/904191 +Last-Update: 2018-08-02 + +--- ant-1.9.4.orig/src/main/org/apache/tools/ant/taskdefs/Expand.java ++++ ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java +@@ -317,9 +317,9 @@ public class Expand extends Task { + mappedNames = new String[] {entryName}; + } + File f = fileUtils.resolveFile(dir, mappedNames[0]); +- if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) { +- log("skipping " + entryName + " as its target " + f + " is outside of " +- + dir + ".", Project.MSG_VERBOSE); ++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f, true)) { ++ log("skipping " + entryName + " as its target " + f.getCanonicalPath() ++ + " is outside of " + dir.getCanonicalPath() + ".", Project.MSG_VERBOSE); + return; + } + +--- ant-1.9.4.orig/src/main/org/apache/tools/ant/util/FileUtils.java ++++ ant-1.9.4/src/main/org/apache/tools/ant/util/FileUtils.java +@@ -1191,6 +1191,36 @@ public class FileUtils { + } + + /** ++ * Learn whether one path "leads" another. ++ * ++ * @param leading The leading path, must not be null, must be absolute. ++ * @param path The path to check, must not be null, must be absolute. ++ * @param resolveSymlinks whether symbolic links shall be resolved ++ * prior to comparing the paths. ++ * @return true if path starts with leading; false otherwise. ++ * @since Ant 1.9.4-3+deb8u2 ++ * @throws IOException if resolveSymlinks is true and invoking ++ * getCanonicaPath on either argument throws an exception ++ */ ++ public boolean isLeadingPath(File leading, File path, boolean resolveSymlinks) ++ throws IOException { ++ if (!resolveSymlinks) { ++ return isLeadingPath(leading, path); ++ } ++ String l = leading.getCanonicalPath(); ++ String p = path.getCanonicalPath(); ++ if (l.equals(p)) { ++ return true; ++ } ++ // ensure that l ends with a / ++ // so we never think /foo was a parent directory of /foobar ++ if (!l.endsWith(File.separator)) { ++ l += File.separator; ++ } ++ return p.startsWith(l); ++ } ++ ++ /** + * Constructs a <code>file:</code> URI that represents the + * external form of the given pathname. + *
