1 files changed, 83 insertions, 0 deletions

diff --git a/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch b/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch
new file mode 100644
index 0000000..5632d8f
--- /dev/null
+++ b/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch
@@ -0,0 +1,83 @@
+From 57a3daba4d3dee1c33571e84f160aa1c67aece4c Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Thu, 14 Dec 2017 10:40:42 +0100
+Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case
+
+POSIX specifies that a diff hunk can be indented by spaces or tabs
+(while the original patch(1) by Larry Wall also accepts 'X'), as long
+as the amount of spaces is consistent for all subsequent lines. And as
+we are not checking for this condition at all, any such indented hunk
+can avoid the sanity checks performed by Dpkg::Source::Patch.
+
+On systems using GNU patch >= 2.7.5, this should, in principle, not be
+a problem anymore, as that implementation protects against directory
+traversal issue. But on other systems where the patch implementation
+does not perform such checks (such as the BSDs) this is an issue, so
+check for this in the test-suite.
+
+Those are arguably all security issues in these various patch
+implementations, but given that we are performing sanity checks and that
+those implementations are currently very lax, it seems prudent to do the
+heavy lifting ourselves and also take the possible blame too.
+
+Ref: test-case for CVE-2017-8283
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ debian/changelog              | 3 +++
+ scripts/Makefile.am           | 1 +
+ scripts/t/Dpkg_Source_Patch.t | 6 +++++-
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/debian/changelog b/debian/changelog
+index 4b5b36b..596a59e 100644
+--- a/debian/changelog
++++ b/debian/changelog
+@@ -2,6 +2,9 @@
+       traversal resistant patch implementation. This fixes CVE-2017-8283 by
+       delegating those checks to patch(1), so that we trap blank-indented
+       diff hunks trying to escape from the source tree.
++  * Test suite:
++    - Add a test case for blank-indented patches which were the cause for
++      CVE-2017-8283.
+ 
+ dpkg (1.18.10) unstable; urgency=medium
+ 
+diff --git a/scripts/Makefile.am b/scripts/Makefile.am
+index 84059c1..6ce0ad6 100644
+--- a/scripts/Makefile.am
++++ b/scripts/Makefile.am
+@@ -275,6 +275,7 @@ test_data = \
+        t/Dpkg_Shlibs/spacesyms-o-map.pl \
+        t/Dpkg_Source_Patch/c-style.patch \
+        t/Dpkg_Source_Patch/ghost-hunk.patch \
++       t/Dpkg_Source_Patch/indent-header.patch \
+        t/Dpkg_Source_Patch/index-+++.patch \
+        t/Dpkg_Source_Patch/index-alone.patch \
+        t/Dpkg_Source_Patch/index-inert.patch \
+diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
+index 258a9aa..30be77a 100644
+--- a/scripts/t/Dpkg_Source_Patch.t
++++ b/scripts/t/Dpkg_Source_Patch.t
+@@ -16,7 +16,7 @@
+ use strict;
+ use warnings;
+ 
+-use Test::More tests => 9;
++use Test::More tests => 10;
+ 
+ use File::Path qw(make_path);
+ 
+@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
+ test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
+                   'Patch cannot escape using a disabling hunk');
+ 
++# This is CVE-2017-8283
++test_patch_escape('indent-header', 'symlink', 'indent-header.patch',
++                  'Patch cannot escape indented hunks');
++
+ 1;
+-- 
+1.9.1
+