r32632 - in /branches/etch/libarchive-tar-perl/debian: changelog control patches/ patches/CVE-2007-4829_part_2.patch patches/series rules
gregoa at users.alioth.debian.org
Sat Apr 4 23:12:01 UTC 2009
Author: gregoa
Date: Sat Apr 4 23:11:57 2009
New Revision: 32632
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=32632
Log:
Add patch CVE-2007-4829_part_2.patch by Niko Tyni: fixes the "second half
of CVE-2007-4829": Archive::Tar no longer follows symlinks when unpacking
(cf. #509802). Add quilt framework (debian/control, debian/rules).
Added:
branches/etch/libarchive-tar-perl/debian/patches/
branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch
branches/etch/libarchive-tar-perl/debian/patches/series
Modified:
branches/etch/libarchive-tar-perl/debian/changelog
branches/etch/libarchive-tar-perl/debian/control
branches/etch/libarchive-tar-perl/debian/rules
Modified: branches/etch/libarchive-tar-perl/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/changelog?rev=32632&op=diff
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/changelog (original)
+++ branches/etch/libarchive-tar-perl/debian/changelog Sat Apr 4 23:11:57 2009
@@ -1,3 +1,11 @@
+libarchive-tar-perl (1.38-3) UNRELEASED; urgency=low
+
+ * Add patch CVE-2007-4829_part_2.patch by Niko Tyni: fixes the "second half
+ of CVE-2007-4829": Archive::Tar no longer follows symlinks when unpacking
+ (cf. #509802). Add quilt framework (debian/control, debian/rules).
+
+ -- gregor herrmann <gregoa at debian.org> Sun, 05 Apr 2009 01:00:44 +0200
+
libarchive-tar-perl (1.38-2) unstable; urgency=low
[ gregor herrmann ]
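Review bot: the new entry targets `UNRELEASED; urgency=low`, which is a placeholder; before this is uploaded from the etch branch the distribution field needs the real target suite, and `urgency=low` is unusual for an entry whose only change is a CVE fix, so consider raising it when the suite is filled in.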
Modified: branches/etch/libarchive-tar-perl/debian/control
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/control?rev=32632&op=diff
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/control (original)
+++ branches/etch/libarchive-tar-perl/debian/control Sat Apr 4 23:11:57 2009
@@ -10,7 +10,7 @@
Homepage: http://search.cpan.org/dist/Archive-Tar/
Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libarchive-tar-perl/
Vcs-Browser: http://svn.debian.org/wsvn/pkg-perl/trunk/libarchive-tar-perl/
-Build-Depends: debhelper (>= 5)
+Build-Depends: debhelper (>= 5), quilt (>= 0.40)
Build-Depends-Indep: perl (>> 5.8.1), libtest-pod-perl, libio-zlib-perl
Package: libarchive-tar-perl
Added: branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch?rev=32632&op=file
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch (added)
+++ branches/etch/libarchive-tar-perl/debian/patches/CVE-2007-4829_part_2.patch Sat Apr 4 23:11:57 2009
@@ -1,0 +1,121 @@
+[SECURITY] "second half of CVE-2007-4829": Archive::Tar no longer follows
+symlinks when unpacking. Upstream fix backported by Ubuntu. (Closes: #509802)
+
+http://rt.cpan.org/Public/Bug/Display.html?id=30380#txn-436899
+second half of unpack issue CVE-2007-4829, from 1.39_01 of Archive::Tar
+
+Original patch from Ubuntu version 5.10.0-11.1ubuntu2.2.
+--- a/lib/Archive/Tar.pm
++++ b/lib/Archive/Tar.pm
+@@ -561,26 +561,61 @@
+
+ ### it's a relative path ###
+ } else {
+- my $cwd = (defined $self->{cwd} ? $self->{cwd} : cwd());
++ my $cwd = (ref $self and defined $self->{cwd})
++ ? $self->{cwd}
++ : cwd();
+
+ my @dirs = defined $alt
+ ? File::Spec->splitdir( $dirs ) # It's a local-OS path
+ : File::Spec::Unix->splitdir( $dirs ); # it's UNIX-style, likely
+ # straight from the tarball
+
+- ### paths that leave the current directory are not allowed under
+- ### strict mode, so only allow it if a user tells us to do this.
+ if( not defined $alt and
+- not $INSECURE_EXTRACT_MODE and
+- grep { $_ eq '..' } @dirs
+- ) {
+- $self->_error(
+- q[Entry ']. $entry->full_path .q[' is attempting to leave the ].
+- q[current working directory. Not extracting under SECURE ].
+- q[EXTRACT MODE]
+- );
+- return;
+- }
++ not $INSECURE_EXTRACT_MODE
++ ) {
++
++ ### paths that leave the current directory are not allowed under
++ ### strict mode, so only allow it if a user tells us to do this.
++ if( grep { $_ eq '..' } @dirs ) {
++
++ $self->_error(
++ q[Entry ']. $entry->full_path .q[' is attempting to leave ].
++ q[the current working directory. Not extracting under ].
++ q[SECURE EXTRACT MODE]
++ );
++ return;
++ }
++
++ ### the archive may be asking us to extract into a symlink. This
++ ### is not sane and a possible security issue, as outlined here:
++ ### https://rt.cpan.org/Ticket/Display.html?id=30380
++ ### https://bugzilla.redhat.com/show_bug.cgi?id=295021
++ ### https://issues.rpath.com/browse/RPL-1716
++ my $full_path = $cwd;
++ for my $d ( @dirs ) {
++ $full_path = File::Spec->catdir( $full_path, $d );
++
++ ### we've already checked this one, and it's safe. Move on.
++ next if ref $self and $self->{_link_cache}->{$full_path};
++
++ if( -l $full_path ) {
++ my $to = readlink $full_path;
++ my $diag = "symlinked directory ($full_path => $to)";
++
++ $self->_error(
++ q[Entry ']. $entry->full_path .q[' is attempting to ].
++ qq[extract to a $diag. This is considered a security ].
++ q[vulnerability and not allowed under SECURE EXTRACT ].
++ q[MODE]
++ );
++ return;
++ }
++
++ ### XXX keep a cache if possible, so the stats become cheaper:
++ $self->{_link_cache}->{$full_path} = 1 if ref $self;
++ }
++ }
++
+
+ ### '.' is the directory delimiter, of which the first one has to
+ ### be escaped/changed.
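Review bot: the entries written by `$self->{_link_cache}->{$full_path} = 1` are never invalidated, so once a path has passed the `-l $full_path` check it is skipped by `next if ref $self and $self->{_link_cache}->{$full_path}` for every later entry of the same archive, even if an intervening entry has replaced that directory with a symlink (the symlink-creation path with the `Making symbolic link '$file'` message lives further down in this file). Suggest deleting the cache entry for the target path whenever a symlink entry is extracted, or dropping the cache and accepting the extra lstat per component. A second point: the whole block is guarded by `not defined $alt`, so extracting to a caller-supplied path bypasses the symlink check exactly as it bypasses the `..` check; if that is intended, a comment saying so would help the next reader.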
+@@ -622,7 +657,8 @@
+ unless ( -d _ ) {
+ eval { File::Path::mkpath( $dir, 0, 0777 ) };
+ if( $@ ) {
+- $self->_error( qq[Could not create directory '$dir': $@] );
++ my $fp = $entry->full_path;
++ $self->_error(qq[Could not create directory '$dir' for '$fp': $@]);
+ return;
+ }
+
+@@ -672,8 +708,13 @@
+ $self->_make_special_file( $entry, $full ) or return;
+ }
+
+- utime time, $entry->mtime - TIME_OFFSET, $full or
+- $self->_error( qq[Could not update timestamp] );
++ ### only update the timestamp if it's not a symlink; that will change the
++ ### timestamp of the original. This addresses bug #33669: Could not update
++ ### timestamp warning on symlinks
++ if( not -l $full ) {
++ utime time, $entry->mtime - TIME_OFFSET, $full or
++ $self->_error( qq[Could not update timestamp] );
++ }
+
+ if( $CHOWN && CAN_CHOWN ) {
+ chown $entry->uid, $entry->gid, $full or
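Review bot: this timestamp change (bug #33669) and the message-wording change in the following hunk are unrelated to the symlink issue, but the patch header at the top of this file describes only the CVE-2007-4829 change; add a sentence to the header noting that the backport also carries the #33669 "Could not update timestamp" fix for symlinks, so the scope of a patch shipped as a security fix is clear to later reviewers.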
+@@ -707,8 +748,8 @@
+ or $fail++;
+ }
+
+- $err = qq[Making symbolink link from '] . $entry->linkname .
+- qq[' to '$file' failed] if $fail;
++ $err = qq[Making symbolic link '$file' to '] .
++ $entry->linkname .q[' failed] if $fail;
+
+ } elsif ( $entry->is_hardlink ) {
+ my $fail;
Added: branches/etch/libarchive-tar-perl/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/patches/series?rev=32632&op=file
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/patches/series (added)
+++ branches/etch/libarchive-tar-perl/debian/patches/series Sat Apr 4 23:11:57 2009
@@ -1,0 +1,1 @@
+CVE-2007-4829_part_2.patch
Modified: branches/etch/libarchive-tar-perl/debian/rules
URL: http://svn.debian.org/wsvn/pkg-perl/branches/etch/libarchive-tar-perl/debian/rules?rev=32632&op=diff
==============================================================================
--- branches/etch/libarchive-tar-perl/debian/rules (original)
+++ branches/etch/libarchive-tar-perl/debian/rules Sat Apr 4 23:11:57 2009
@@ -6,17 +6,19 @@
TMP = $(CURDIR)/debian/$(PACKAGE)
PERL ?= /usr/bin/perl
+include /usr/share/quilt/quilt.make
+
build: build-arch build-indep
build-arch:
build-indep: build-stamp
-build-stamp:
+build-stamp: $(QUILT_STAMPFN)
dh_testdir
$(PERL) Makefile.PL INSTALLDIRS=vendor
$(MAKE)
$(MAKE) test
touch $@
-clean:
+clean: unpatch
dh_testdir
dh_testroot
rm -f build-stamp install-stamp