[dpkg] 19/192: Dpkg::Source::Patch: Indented patch test-case
Ximin Luo
infinity0 at debian.org
Tue Oct 17 11:03:52 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch pu/reproducible_builds
in repository dpkg.
commit 7c77a05faaff3e23ca39f27e946f4edee5b8b144
Author: Guillem Jover <guillem at debian.org>
Date: Sun Mar 19 19:40:14 2017 +0100
Dpkg::Source::Patch: Indented patch test-case
POSIX specifies that a diff hunk can be indented by spaces or tabs
(while the original patch(1) by Larry Wall also accepts 'X'), as long
as the amount of spaces is consistent for all subsequent lines. And as
we are not checking for this condition at all, any such indented hunk
can avoid the sanity checks performed by Dpkg::Source::Patch.
On systems using GNU patch >= 2.7.5, this should, in principle, not be
a problem anymore, as that implementation protects against directory
traversal issues. But on other systems where the patch implementation
does not perform such checks (such as the BSDs) this is an issue, so
check for this in the test-suite.
Those are arguably all security issues in these various patch
implementations, but given that we are performing sanity checks and that
those implementations are currently very lax, it seems prudent to do the
heavy lifting ourselves and also take the possible blame too.
Ref: CVE-2017-8283
Stable-Candidate: 1.17.x
---
debian/changelog | 3 +++
scripts/Makefile.am | 1 +
scripts/t/Dpkg_Source_Patch.t | 6 +++++-
scripts/t/Dpkg_Source_Patch/indent-header.patch | 9 +++++++++
4 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 1c8b80b..cf9b5cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,9 @@ dpkg (1.18.24) UNRELEASED; urgency=medium
traversal resistant patch implementation. This fixes CVE-2017-8283 by
delegating those checks to patch(1), so that we trap blank-indented
diff hunks trying to escape from the source tree.
+ * Test suite:
+ - Add a test case for blank-indented patches which were the cause for
+ CVE-2017-8283.
[ Updated programs translations ]
* Catalan (Guillem Jover).
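Review bot: The new bullet reads "which were the cause for CVE-2017-8283"; "the cause of" is the usual wording, and the entry would be easier to trace if it named the added fixture, indent-header.patch. The commit message carries "Stable-Candidate: 1.17.x" while this entry lands under 1.18.24, so a backport to that series will need its own changelog entry.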
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index cf0828f..16862cc 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -285,6 +285,7 @@ test_data = \
t/Dpkg_Shlibs/spacesyms-o-map.pl \
t/Dpkg_Source_Patch/c-style.patch \
t/Dpkg_Source_Patch/ghost-hunk.patch \
+ t/Dpkg_Source_Patch/indent-header.patch \
t/Dpkg_Source_Patch/index-+++.patch \
t/Dpkg_Source_Patch/index-alone.patch \
t/Dpkg_Source_Patch/index-inert.patch \
diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
index 8f382f5..d81a1a3 100644
--- a/scripts/t/Dpkg_Source_Patch.t
+++ b/scripts/t/Dpkg_Source_Patch.t
@@ -16,7 +16,7 @@
use strict;
use warnings;
-use Test::More tests => 9;
+use Test::More tests => 10;
use Test::Dpkg qw(:paths);
use File::Path qw(make_path);
@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
'Patch cannot escape using a disabling hunk');
+# This is CVE-2017-8283
+test_patch_escape('indent-header', 'symlink', 'indent-header.patch',
+ 'Patch cannot escape indented hunks');
+
1;
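Review bot: Only one indentation style is exercised by the added test_patch_escape('indent-header', ...) call, while the commit message says POSIX allows hunks indented by spaces or tabs and that the original patch(1) also accepts 'X'. Consider a second fixture with a tab-indented header (and another bump of the test count) so both blank forms are covered. The comment "# This is CVE-2017-8283" could also say what is being checked, and the description would match its neighbour better as 'Patch cannot escape using indented hunks'.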
diff --git a/scripts/t/Dpkg_Source_Patch/indent-header.patch b/scripts/t/Dpkg_Source_Patch/indent-header.patch
new file mode 100644
index 0000000..4bef008
--- /dev/null
+++ b/scripts/t/Dpkg_Source_Patch/indent-header.patch
@@ -0,0 +1,9 @@
+ --- /dev/null
+ +++ b/symlink/index-file
+ @@ -0,0 +1,1 @@
+ +Escaped
+
+--- /dev/null
++++ b/dummy-file
+@@ -0,0 +1,1 @@
++Dummy to make the code see a valid hunk
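Review bot: The leading blank on the first four lines of indent-header.patch, and the empty fifth line, are the whole point of this fixture, yet nothing in the file or in the test marks them as significant. A whitespace cleanup or an editor that strips leading blanks would silently turn this into an ordinary patch and the test would keep passing for the wrong reason. Consider noting in Dpkg_Source_Patch.t that the indentation is deliberate, or having the test assert that the fixture's first line starts with a blank before applying it.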
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
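
The condition described in the commit message, a file header hidden behind blank indentation, can be checked for before a patch is handed to patch(1). The following is an added example, not part of the commit or of dpkg; the function and constant names are hypothetical, and it tracks unindented hunk bodies so that a context line that merely looks like a header is not reported.

```python
import re

# Unindented unified-diff hunk header; a missing count defaults to 1.
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
# File header preceded by blanks (spaces or tabs), as POSIX permits.
INDENTED_HEADER_RE = re.compile(r"^[ \t]+(---|\+\+\+) (\S+)")

def find_indented_headers(patch_text):
    """Return (line_no, marker, path) for blank-indented file headers
    that appear outside the body of any unindented hunk."""
    findings = []
    old_left = new_left = 0  # body lines still owed to the current hunk
    for line_no, line in enumerate(patch_text.splitlines(), 1):
        if old_left > 0 or new_left > 0:
            # Inside a hunk body: consume the line, never treat it as a header.
            if line.startswith("+"):
                new_left -= 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):  # skip "\ No newline at end of file"
                old_left -= 1
                new_left -= 1
            continue
        hunk = HUNK_RE.match(line)
        if hunk:
            old_left = int(hunk.group(1)) if hunk.group(1) is not None else 1
            new_left = int(hunk.group(2)) if hunk.group(2) is not None else 1
            continue
        header = INDENTED_HEADER_RE.match(line)
        if header:
            findings.append((line_no, header.group(1), header.group(2)))
    return findings

# Content of the indent-header.patch fixture shown in the commit above.
INDENTED = "\n".join([
    " --- /dev/null", " +++ b/symlink/index-file", " @@ -0,0 +1,1 @@",
    " +Escaped", "", "--- /dev/null", "+++ b/dummy-file",
    "@@ -0,0 +1,1 @@", "+Dummy to make the code see a valid hunk"])
# Constructed benign patch: the context line " --- separator" is hunk content.
BENIGN = "\n".join([
    "--- a/README", "+++ b/README", "@@ -1,2 +1,3 @@",
    " --- separator", "+new line", " tail"])

if __name__ == "__main__":
    for finding in find_indented_headers(INDENTED):
        print("indented header:", finding)
    print("benign findings:", find_indented_headers(BENIGN))
```

A caller would reject the patch, or apply the same path checks to the reported names, whenever the returned list is non-empty.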