r32632 - in /branches/etch/libarchive-tar-perl/debian: changelog control patches/ patches/CVE-2007-4829_part_2.patch patches/series rules

gregoa at users.alioth.debian.org
Sat Apr 4 23:12:01 UTC 2009


Author: gregoa
Date: Sat Apr  4 23:11:57 2009
New Revision: 32632

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=32632
Log:
Add patch CVE-2007-4829_part_2.patch by Niko Tyni: fixes the "second half
of CVE-2007-4829": Archive::Tar no longer follows symlinks when unpacking
(cf. #509802). Add quilt framework (debian/control, debian/rules).

Added:
    branches/etch/libarchive-tar-perl/debian/patches/
    branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch
    branches/etch/libarchive-tar-perl/debian/patches/series
Modified:
    branches/etch/libarchive-tar-perl/debian/changelog
    branches/etch/libarchive-tar-perl/debian/control
    branches/etch/libarchive-tar-perl/debian/rules

Modified: branches/etch/libarchive-tar-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/changelog?rev=32632&op=diff
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/changelog (original)
+++ branches/etch/libarchive-tar-perl/debian/changelog Sat Apr  4 23:11:57 2009
@@ -1,3 +1,11 @@
+libarchive-tar-perl (1.38-3) UNRELEASED; urgency=low
+
+  * Add patch CVE-2007-4829_part_2.patch by Niko Tyni: fixes the "second half
+    of CVE-2007-4829": Archive::Tar no longer follows symlinks when unpacking
+    (cf. #509802). Add quilt framework (debian/control, debian/rules).
+
+ -- gregor herrmann <gregoa at debian.org>  Sun, 05 Apr 2009 01:00:44 +0200
+
 libarchive-tar-perl (1.38-2) unstable; urgency=low
 
   [ gregor herrmann ]
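Review bot: the new entry is versioned `1.38-3` on the etch branch and targets `UNRELEASED; urgency=low`; a stable security update is conventionally versioned below what unstable will use next (for example `1.38-2+etch1`) so it cannot collide with a later unstable upload, and uploaded with `urgency=high`. Please adjust the version and urgency before release; the entry text itself matches the commit log.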

Modified: branches/etch/libarchive-tar-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/control?rev=32632&op=diff
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/control (original)
+++ branches/etch/libarchive-tar-perl/debian/control Sat Apr  4 23:11:57 2009
@@ -10,7 +10,7 @@
 Homepage: http://search.cpan.org/dist/Archive-Tar/
 Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libarchive-tar-perl/
 Vcs-Browser: http://svn.debian.org/wsvn/pkg-perl/trunk/libarchive-tar-perl/
-Build-Depends: debhelper (>= 5)
+Build-Depends: debhelper (>= 5), quilt (>= 0.40)
 Build-Depends-Indep: perl (>> 5.8.1), libtest-pod-perl, libio-zlib-perl
 
 Package: libarchive-tar-perl

Added: branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch?rev=32632&op=file
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch (added)
+++ branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch Sat Apr  4 23:11:57 2009
@@ -1,0 +1,121 @@
+[SECURITY] "second half of CVE-2007-4829": Archive::Tar no longer follows
+symlinks when unpacking.  Upstream fix backported by Ubuntu. (Closes: #509802)
+
+http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-436899
+second half of unpack issue CVE-2007-4829, from 1.39_01 of Archive::Tar
+
+Original patch from Ubuntu version 5.10.0-11.1ubuntu2.2.
+--- a/lib/Archive/Tar.pm
++++ b/lib/Archive/Tar.pm
+@@ -561,26 +561,61 @@
+ 
+     ### it's a relative path ###
+     } else {
+-        my $cwd     = (defined $self->{cwd} ? $self->{cwd} : cwd());
++        my $cwd     = (ref $self and defined $self->{cwd})
++                        ? $self->{cwd}
++                        : cwd();
+ 
+         my @dirs = defined $alt
+             ? File::Spec->splitdir( $dirs )         # It's a local-OS path
+             : File::Spec::Unix->splitdir( $dirs );  # it's UNIX-style, likely
+                                                     # straight from the tarball
+ 
+-        ### paths that leave the current directory are not allowed under
+-        ### strict mode, so only allow it if a user tells us to do this.
+         if( not defined $alt            and 
+-            not $INSECURE_EXTRACT_MODE  and 
+-            grep { $_ eq '..' } @dirs
+-        ) {
+-            $self->_error(
+-                q[Entry ']. $entry->full_path .q[' is attempting to leave the ].
+-                q[current working directory. Not extracting under SECURE ].
+-                q[EXTRACT MODE]
+-            );
+-            return;
+-        }            
++            not $INSECURE_EXTRACT_MODE
++        ) {
++
++            ### paths that leave the current directory are not allowed under
++            ### strict mode, so only allow it if a user tells us to do this.
++            if( grep { $_ eq '..' } @dirs ) {
++
++                $self->_error(
++                    q[Entry ']. $entry->full_path .q[' is attempting to leave ].
++                    q[the current working directory. Not extracting under ].
++                    q[SECURE EXTRACT MODE]
++                );
++                return;
++            }
++
++            ### the archive may be asking us to extract into a symlink. This
++            ### is not sane and a possible security issue, as outlined here:
++            ### https://rt.cpan.org/Ticket/Display.html?id=30380
++            ### https://bugzilla.redhat.com/show_bug.cgi?id=295021
++            ### https://issues.rpath.com/browse/RPL-1716
++            my $full_path = $cwd;
++            for my $d ( @dirs ) {
++                $full_path = File::Spec->catdir( $full_path, $d );
++
++                ### we've already checked this one, and it's safe. Move on.
++                next if ref $self and $self->{_link_cache}->{$full_path};
++
++                if( -l $full_path ) {
++                    my $to   = readlink $full_path;
++                    my $diag = "symlinked directory ($full_path => $to)";
++
++                    $self->_error(
++                        q[Entry ']. $entry->full_path .q[' is attempting to ].
++                        qq[extract to a $diag. This is considered a security ].
++                        q[vulnerability and not allowed under SECURE EXTRACT ].
++                        q[MODE]
++                    );
++                    return;
++                }
++
++                ### XXX keep a cache if possible, so the stats become cheaper:
++                $self->{_link_cache}->{$full_path} = 1 if ref $self;
++            }
++        }
++
+         
+         ### '.' is the directory delimiter, of which the first one has to
+         ### be escaped/changed.
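Review bot: the cache entry written at `$self->{_link_cache}->{$full_path} = 1 if ref $self;` is never invalidated, so once a directory component has passed the `-l` test it is skipped via `next if ref $self and $self->{_link_cache}->{$full_path};` for every later entry of the same archive, even if something written in between has turned that path into a symlink; consider resetting the cache per extraction run or re-testing a component whenever the archive itself writes to that path. The loop also walks only the directory components in `@dirs`: the final component (the file name itself) is never tested with `-l`, so a pre-existing symlink at the destination is still followed by the subsequent write, which deserves either the same check or a comment explaining why it is unnecessary.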
+@@ -622,7 +657,8 @@
+     unless ( -d _ ) {
+         eval { File::Path::mkpath( $dir, 0, 0777 ) };
+         if( $@ ) {
+-            $self->_error( qq[Could not create directory '$dir': $@] );
++            my $fp = $entry->full_path;
++            $self->_error(qq[Could not create directory '$dir' for '$fp': $@]);
+             return;
+         }
+         
+@@ -672,8 +708,13 @@
+         $self->_make_special_file( $entry, $full ) or return;
+     }
+ 
+-    utime time, $entry->mtime - TIME_OFFSET, $full or
+-        $self->_error( qq[Could not update timestamp] );
++    ### only update the timestamp if it's not a symlink; that will change the
++    ### timestamp of the original. This addresses bug #33669: Could not update
++    ### timestamp warning on symlinks
++    if( not -l $full ) {
++        utime time, $entry->mtime - TIME_OFFSET, $full or
++            $self->_error( qq[Could not update timestamp] );
++    }
+ 
+     if( $CHOWN && CAN_CHOWN ) {
+         chown $entry->uid, $entry->gid, $full or
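Review bot: the new `if( not -l $full )` guard is applied to `utime` only, while the `chown $entry->uid, $entry->gid, $full` call immediately below it is left unguarded; Perl's `chown` builtin follows symlinks just as `utime` does, so on a symlink entry it would change the ownership of the link target rather than the link. Extend the same `not -l $full` condition to the `$CHOWN && CAN_CHOWN` branch (or use an lchown(2) wrapper where available).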
+@@ -707,8 +748,8 @@
+                 or $fail++;
+         }
+ 
+-        $err =  qq[Making symbolink link from '] . $entry->linkname .
+-                qq[' to '$file' failed] if $fail;
++        $err =  qq[Making symbolic link '$file' to '] .
++                $entry->linkname .q[' failed] if $fail;
+ 
+     } elsif ( $entry->is_hardlink ) {
+         my $fail;
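Review bot: the patch touches only `lib/Archive/Tar.pm` and carries no regression test, although `debian/rules` runs `$(MAKE) test` at build time; a small test that extracts into a temporary directory prepared with a symlinked subdirectory and asserts that the `SECURE EXTRACT MODE` error is raised (and that the link target stays untouched) would make the backport verifiable on every build. Also note the header lists three issue URLs but not the upstream release (1.39_01) as a patch `Origin`, which helps later rebases.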

Added: branches/etch/libarchive-tar-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/patches/series?rev=32632&op=file
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/patches/series (added)
+++ branches/etch/libarchive-tar-perl/debian/patches/series Sat Apr  4 23:11:57 2009
@@ -1,0 +1,1 @@
+CVE-2007-4829_part_2.patch

Modified: branches/etch/libarchive-tar-perl/debian/rules
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/rules?rev=32632&op=diff
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/rules (original)
+++ branches/etch/libarchive-tar-perl/debian/rules Sat Apr  4 23:11:57 2009
@@ -6,17 +6,19 @@
 TMP     = $(CURDIR)/debian/$(PACKAGE)
 PERL   ?= /usr/bin/perl
 
+include /usr/share/quilt/quilt.make
+
 build: build-arch build-indep
 build-arch:
 build-indep: build-stamp
-build-stamp:
+build-stamp: $(QUILT_STAMPFN)
 	dh_testdir
 	$(PERL) Makefile.PL INSTALLDIRS=vendor
 	$(MAKE)
 	$(MAKE) test
 	touch $@
 
-clean:
+clean: unpatch
 	dh_testdir
 	dh_testroot
 	rm -f build-stamp install-stamp




More information about the Pkg-perl-cvs-commits mailing list