Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

Recently CVE-2017-17531 was reported against the gozilla binary contained in GNU Global. The issue wasn't deemed to warrant a DSA by the Debian Security team but I was wondering if this is something that is pu material for the next stretch update.

The update contains a fix which has been backported from the upstream release 6.6.1.

Thanks for your consideration.

Punit

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru global-6.5.6/debian/changelog global-6.5.6/debian/changelog --- global-6.5.6/debian/changelog 2017-01-07 14:22:40.000000000 +0000 +++ global-6.5.6/debian/changelog 2018-01-03 21:41:34.000000000 +0000 @@ -1,3 +1,9 @@ +global (6.5.6-2+deb9u1) stretch; urgency=medium + + * Backport fix for CVE-2017-17531 from 6.6.1 (Closes: #884912) + + -- Punit Agrawal <pu...@debian.org> Wed, 03 Jan 2018 21:41:34 +0000 + global (6.5.6-2) unstable; urgency=medium * Include gtags.conf manpage in the package diff -Nru global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch --- global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch 1970-01-01 01:00:00.000000000 +0100 +++ global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch 2018-01-03 21:41:34.000000000 +0000 
@@ -0,0 +1,68 @@ +From: Punit Agrawal <pu...@debian.org> +Date: Wed, 3 Jan 2018 21:35:38 +0000 +Subject: gozilla: Validate strings before launching browser + +gozilla does not validate strings before launching the program +specified by the BROWSER environment variable, which might allow +remote attackers to conduct argument-injection attacks via a crafted +URL. This issue is reported as CVE-2017-17531. + +Backport a fix for this issue from upstream 6.6.1. +--- + gozilla/gozilla.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/gozilla/gozilla.c b/gozilla/gozilla.c +index 22d2a95..9d53271 100644 +--- a/gozilla/gozilla.c ++++ b/gozilla/gozilla.c +@@ -611,7 +611,8 @@ make_url_file(const char *url) + void + show_page_by_url(const char *browser, const char *url) + { +- char com[1024]; ++ STRBUF *sb = strbuf_open(0); ++ STRBUF *arg = strbuf_open(0); + + /* + * Browsers which have openURL() command. +@@ -624,22 +625,33 @@ show_page_by_url(const char *browser, const char *url) + locatestring(browser, "netscape", MATCH_AT_LAST) || + locatestring(browser, "netscape-remote", MATCH_AT_LAST)) + { +- snprintf(com, sizeof(com), "%s -remote \"openURL(%s)\"", browser, url); +- system(com); ++ strbuf_puts(sb, quote_shell(browser)); ++ strbuf_putc(sb, ' '); ++ strbuf_puts(sb, "-remote"); ++ strbuf_putc(sb, ' '); ++ strbuf_sprintf(arg, "openURL(%s)", url); ++ strbuf_puts(sb, quote_shell(strbuf_value(arg))); ++ system(strbuf_value(sb)); + } + /* + * Load default browser of OSX. + */ + else if (!strcmp(browser, "osx-default")) { +- snprintf(com, sizeof(com), "open \"%s\"", make_url_file(url)); +- system(com); ++ strbuf_puts(sb, "open"); ++ strbuf_putc(sb, ' '); ++ strbuf_puts(sb, quote_shell(make_url_file(url))); ++ system(strbuf_value(sb)); + } + /* + * Generic browser. 
+ */ + else { +- snprintf(com, sizeof(com), "%s \"%s\"", browser, url); +- system(com); ++ strbuf_puts(sb, quote_shell(browser)); ++ strbuf_putc(sb, ' '); ++ strbuf_puts(sb, quote_shell(url)); ++ system(strbuf_value(sb)); + } ++ strbuf_close(sb); ++ strbuf_close(arg); + } + #endif diff -Nru global-6.5.6/debian/patches/series global-6.5.6/debian/patches/series --- global-6.5.6/debian/patches/series 2017-01-07 14:22:40.000000000 +0000 +++ global-6.5.6/debian/patches/series 2018-01-03 21:41:34.000000000 +0000 @@ -1 +1,2 @@ 0001-gtags-Fix-lintian-warning-with-gtags-manpage.patch +0002-gozilla-Validate-strings-before-launching-browser.patch
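
Review bot: The header of debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch says the fix is backported from upstream 6.6.1 but names no upstream commit or changeset, and it has no Origin or Bug-Debian field, so the backport cannot be compared against the upstream change from the patch alone. Adding DEP-3 fields such as "Origin: backport, <upstream reference>" and "Bug-Debian: https://bugs.debian.org/884912" would make that check possible.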
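
Review bot: In the gozilla.c hunk at @@ -624, quote_shell(url) keeps the URL a single shell word, but in the generic branch that word is still handed to the browser as its first argument, so a URL beginning with '-' would be read as an option rather than as a page to open. Consider rejecting, before any of the three branches runs, a url that is not in a form gozilla expects, or dropping system() in favour of an exec-style call with an explicit argument vector. In the -remote branch the URL is formatted into "openURL(%s)" before quoting, so the shell quoting there does not constrain what the browser's remote-command parser sees inside the parentheses. Separately, quote_shell(browser) now passes BROWSER as one word where the old "%s" left it unquoted, which changes behaviour for a BROWSER value that carries its own arguments; that is worth a line in debian/changelog for a stable update.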