git-annex / CVE-2018-10857 and CVE-2018-10859
Just looking at these security issues in Jessie, which were fixed in Stretch. The set of upstream changes to fix these problems appears to be somewhat large and invasive. Probably backporting from the patches in Stretch may be the best approach. Predictably I get a large number of conflicts when I attempt to apply the patches. Fixing this is likely to be a time-consuming task.

-- Brian May
upload ant
Hi.

I've prepared a security update for ant. Please review and upload. Debdiff is attached. Maintainer has disabled tests in build. So I manually ran /testEntriesDontEscapeDestByDefault/, /testEntriesCanEscapeDestIfRequested/ (specific to CVE-2018-10886) tasks from [1] upstream testsuite. I will prepare the DLA once the package hits the archive.

Thanks

--abhijith

[1] - https://github.com/apache/ant/blob/master/src/tests/antunit/taskdefs/unzip-test.xml

diff -Nru ant-1.9.4/debian/changelog ant-1.9.4/debian/changelog --- ant-1.9.4/debian/changelog 2014-10-08 01:08:52.0 +0200 +++ ant-1.9.4/debian/changelog 2018-07-18 13:03:03.0 +0200 
@@ -1,3 +1,13 @@ +ant (1.9.4-3+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2018-10886: unzip and untar targets allow the extraction of +files outside the target directory. A crafted zip or tar file +submitted to an Ant build could create or overwrite arbitrary files +with the privileges of the user running Ant + + -- Abhijith PA Wed, 18 Jul 2018 16:33:03 +0530 + ant (1.9.4-3) unstable; urgency=medium * Removed the patch adding Xerces to the Ant classpath diff -Nru ant-1.9.4/debian/patches/CVE-2018-10886.patch ant-1.9.4/debian/patches/CVE-2018-10886.patch --- ant-1.9.4/debian/patches/CVE-2018-10886.patch 1970-01-01 01:00:00.0 +0100 +++ ant-1.9.4/debian/patches/CVE-2018-10886.patch 2018-07-18 13:03:03.0 +0200 
@@ -0,0 +1,112 @@ +Description: CVE-2018-10886 + unzip and untar targets allows the extraction of files outside the target + directory. A crafted zip or tar file submitted to an Ant build could create or + overwrite arbitrary files with the privileges of the user running Ant. + +Author: Abhijith PA +Origin: https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7 + https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff + https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe + https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970 +Last-Update: 2018-07-18 + +--- ant-1.9.4.orig/manual/Tasks/unzip.html ant-1.9.4/manual/Tasks/unzip.html +@@ -116,7 +116,8 @@ archive. + failOnEmptyArchive + whether trying to extract an empty archive is an + error. since Ant 1.8.0 +-No, defaults to false ++No, defaults to true since 1.9.4-3+deb8u1 ++ (used to defaukt to false prior to that) + + + stripAbsolutePathSpec +@@ -137,6 +138,15 @@ archive. + zip task page + No, defaults to true + ++ ++allowFilesToEscapeDest ++Whether to allow the extracted file or directory ++ to be outside of the dest directory. ++ since Ant 1.9.12 ++No, defaults to false unless ++stripAbsolutePathSpec is true and the entry's name starts with a leading ++path spec. 
++ + + Examples + +--- ant-1.9.4.orig/src/main/org/apache/tools/ant/taskdefs/Expand.java ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java +@@ -67,8 +67,9 @@ public class Expand extends Task { + private Union resources = new Union(); + private boolean resourcesSpecified = false; + private boolean failOnEmptyArchive = false; +-private boolean stripAbsolutePathSpec = false; ++private boolean stripAbsolutePathSpec = true; + private boolean scanForUnicodeExtraFields = true; ++private Boolean allowFilesToEscapeDest = null; + + public static final String NATIVE_ENCODING = "native-encoding"; + +@@ -240,14 +241,17 @@ public class Expand extends Task { +boolean isDirectory, FileNameMapper mapper) +throws IOException { + +-if (stripAbsolutePathSpec && entryName.length() > 0 ++final boolean entryNameStartsWithPathSpec = entryName.length() > 0 + && (entryName.charAt(0) == File.separatorChar + || entryName.charAt(0) == '/' +-|| entryName.charAt(0) == '\\')) { ++|| entryName.charAt(0) ==
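Review bot: In the manual/Tasks/unzip.html hunk at @@ -116,7 +116,8 @@ the new default text lands on the failOnEmptyArchive row (the context above it reads "whether trying to extract an empty archive is an error"), but the Expand.java hunk leaves failOnEmptyArchive = false and flips stripAbsolutePathSpec to true. Move the "defaults to true since 1.9.4-3+deb8u1" text to the stripAbsolutePathSpec row so the manual matches the code, and fix the typo "defaukt" while there.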
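Review bot: The Expand.java hunk at @@ -67,8 +67,9 @@ changes the default of stripAbsolutePathSpec from false to true, which is a behaviour change for existing build files, yet the debian/changelog entry describes only the CVE. Add a changelog line that names the new default and the new allowFilesToEscapeDest attribute, so users upgrading within jessie can see what changed. The Boolean field allowFilesToEscapeDest is initialised to null as a third "not set" state; a one-line comment on that declaration would make the intent clear.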
Re: upload ant
On Wed, Jul 18, 2018 at 05:13:22PM +0530, Abhijith PA wrote:
> Hi.
>
> I've prepared a security update for ant. Please review and upload.
> Debdiff is attached. Maintainer has disabled tests in build. So I
> manually ran /testEntriesDontEscapeDestByDefault/,
> /testEntriesCanEscapeDestIfRequested/ (specific to CVE-2018-10886)
> tasks from [1] upstream testsuite. I will prepare the DLA once the package
> hits the archive.

I am taking a look now.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: upload ant
On Wed, Jul 18, 2018 at 05:13:22PM +0530, Abhijith PA wrote:
> Hi.
>
> I've prepared a security update for ant. Please review and upload.
> Debdiff is attached. Maintainer has disabled tests in build. So I
> manually ran /testEntriesDontEscapeDestByDefault/,
> /testEntriesCanEscapeDestIfRequested/ (specific to CVE-2018-10886)
> tasks from [1] upstream testsuite. I will prepare the DLA once the package
> hits the archive.

Hi Abhijith,

A few notes:

- Your debian/changelog entry has trailing whitespace, which should be removed
- You additionally need this commit for a minor documentation/typo fix: https://github.com/apache/ant/commit/19910e518a669c8cc4d9b74c9ab11471c18cb634
- In the documentation changes you modified upstream's "since 1.9.12" to "since 1.9.4-3+deb8u1", which is good, but you left it as 1.9.12 in one place; all instances should be changed, I think (note that the additional commit I mentioned above contains another instance of the version number that needs to be changed)
- You mention running the testEntriesDontEscapeDestByDefault and testEntriesCanEscapeDestIfRequested tests, but do not mention the testEntriesCanEscapeDestViaAbsolutePathByDefault and testEntriesDontEscapeDestViaAbsolutePathIfProhibited tests; can you run the other two and confirm that they also pass?

If you can make these corrections and confirm the additional tests, your changes will be ready to upload.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: upload ant
Hi Roberto.

On Wednesday 18 July 2018 05:46 PM, Roberto C. Sánchez wrote:
> Hi Abhijith,
>
> A few notes:
>
> - Your debian/changelog entry has trailing whitespace, which should be
> removed

Done

> - You additionally need this commit for a minor documentation/typo fix:
>
> https://github.com/apache/ant/commit/19910e518a669c8cc4d9b74c9ab11471c18cb634

Done

> - In the documentation changes you modified upstream's "since 1.9.12" to
> "since 1.9.4-3+deb8u1", which is good, but you left it as 1.9.12
> in one place; all instances should be changed, I think (note that the
> additional commit I mentioned above contains another instance of the
> version number that needs to be changed)

Done

> - You mention running the testEntriesDontEscapeDestByDefault and
> testEntriesCanEscapeDestIfRequested tests, but do not mention the
> testEntriesCanEscapeDestViaAbsolutePathByDefault and
> testEntriesDontEscapeDestViaAbsolutePathIfProhibited tests; can you
> run the other two and confirm that they also pass?

The test names are a little different. I followed tests from master[1] branch. But yes, I ran stripping absolute path tests successfully.

> If you can make these corrections and confirm the additional tests, your
> changes will be ready to upload.

Made all the corrections. Thanks for the review.

--abhijith

diff -Nru ant-1.9.4/debian/changelog ant-1.9.4/debian/changelog --- ant-1.9.4/debian/changelog 2014-10-08 01:08:52.0 +0200 +++ ant-1.9.4/debian/changelog 2018-07-18 13:03:03.0 +0200 
@@ -1,3 +1,13 @@ +ant (1.9.4-3+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Debian LTS Team + * Fix CVE-2018-10886: unzip and untar targets allow the extraction of +files outside the target directory. A crafted zip or tar file +submitted to an Ant build could create or overwrite arbitrary files +with the privileges of the user running Ant + + -- Abhijith PA Wed, 18 Jul 2018 16:33:03 +0530 + ant (1.9.4-3) unstable; urgency=medium * Removed the patch adding Xerces to the Ant classpath diff -Nru ant-1.9.4/debian/patches/CVE-2018-10886.patch ant-1.9.4/debian/patches/CVE-2018-10886.patch --- ant-1.9.4/debian/patches/CVE-2018-10886.patch 1970-01-01 01:00:00.0 +0100 +++ ant-1.9.4/debian/patches/CVE-2018-10886.patch 2018-07-18 13:03:03.0 +0200 
@@ -0,0 +1,118 @@ +Description: CVE-2018-10886 + unzip and untar targets allows the extraction of files outside the target + directory. A crafted zip or tar file submitted to an Ant build could create or + overwrite arbitrary files with the privileges of the user running Ant. + +Author: Abhijith PA +Origin: https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7 + https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff + https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe + https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970 +Last-Update: 2018-07-18 + +Index: ant-1.9.4/manual/Tasks/unzip.html +=== +--- ant-1.9.4.orig/manual/Tasks/unzip.html ant-1.9.4/manual/Tasks/unzip.html +@@ -125,8 +125,9 @@ archive. + Note that this changes the entry's name before applying + include/exclude patterns and before using the nested mappers (if + any). since Ant 1.8.0 +-No, defaults to false +- ++No, defaults to true since 1.9.4-3+deb8u1 ++ (used to default to false prior to that) ++ + + scanForUnicodeExtraFields + Note: This attribute is not available for +@@ -137,6 +138,15 @@ archive. + zip task page + No, defaults to true + ++ ++allowFilesToEscapeDest ++Whether to allow the extracted file or directory ++ to be outside of the dest directory. ++ since Ant 1.9.4-3+deb8u1 ++No, defaults to false unless ++stripAbsolutePathSpec is true and the entry's name starts with a leading ++path spec. 
++ + + Examples + +Index: ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java +=== +--- ant-1.9.4.orig/src/main/org/apache/tools/ant/taskdefs/Expand.java ant-1.9.4/src/main/org/apache/tools/ant/taskdefs/Expand.java +@@ -67,8 +67,9 @@ public class Expand extends Task { + private Union resources = new Union(); + private boolean resourcesSpecified = false; + private boolean failOnEmptyArchive = false; +-private boolean stripAbsolutePathSpec = false; ++private boolean stripAbsolutePathSpec = true; + private boolean scanForUnicodeExtraFields = true; ++private Boolean allowFilesToEscapeDest = null; + + public static final String NATIVE_ENCODING = "native-encoding"; + +@@ -240,14 +241,17 @@ public class Expand extends Task { +boolean isDirectory, FileNameMapper mapper) +
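Review bot: The Origin field in the debian/patches/CVE-2018-10886.patch header still lists only four upstream commits, while the review asked for 19910e518a669c8cc4d9b74c9ab11471c18cb634 to be included and the patch grew from 112 to 118 lines. If that commit is folded into this patch, list it under Origin as well, so the backport can be traced to every upstream change it carries.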
Re: upload ant
On Wed, Jul 18, 2018 at 09:06:43PM +0530, Abhijith PA wrote:
> Made all the corrections. Thanks for the review.
>
> --abhijith

Thanks! It is now uploaded.

Regards,

-Roberto

--
Roberto C. Sánchez
Re: Advice for building tomcat8 on jessie?
On Mon, Jul 09, 2018 at 09:07:00AM -0400, Roberto C. Sánchez wrote:
> On Sun, Jul 08, 2018 at 09:15:26PM -0700, tony mancill wrote:
> > Hello Roberto,
> >
> > If you're still running into build failures, I would be interested in
> > taking a look. Could you push your branch to Salsa when you have a
> > chance?
>
> Hi Tony,
>
> I am still getting failures. I have pushed the minimal set of changes
> that I think should work. Here is my fork on Salsa:
>
> g...@salsa.debian.org:roberto/tomcat8.git

Anything?

Regards,

-Roberto

--
Roberto C. Sánchez