From 57a3daba4d3dee1c33571e84f160aa1c67aece4c Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Thu, 14 Dec 2017 10:40:42 +0100
Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case

POSIX specifies that a diff hunk can be indented by spaces or tabs (while the original patch(1) by Larry Wall also accepts 'X'), as long as the amount of spaces is consistent for all subsequent lines. And as we are not checking for this condition at all, any such indented hunk can avoid the sanity checks performed by Dpkg::Source::Patch.

On systems using GNU patch >= 2.7.5, this should, in principle, not be a problem anymore, as that implementation protects against directory traversal issue. But on other systems where the patch implementation does not perform such checks (such as the BSDs) this is an issue, so check for this in the test-suite.

Those are arguably all security issues in these various patch implementations, but given that we are performing sanity checks and that those implementations are currently very lax, it seems prudent to do the heavy lifting ourselves and also take the possible blame too.

Ref: test-case for CVE-2017-8283
Upstream-Status: Backport
Signed-off-by: Sona Sarmadi
---
 debian/changelog | 3 +++
 scripts/Makefile.am | 1 +
 scripts/t/Dpkg_Source_Patch.t | 6 +++++-
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 4b5b36b..596a59e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ traversal resistant patch implementation. This fixes CVE-2017-8283 by delegating those checks to patch(1), so that we trap blank-indented diff hunks trying to escape from the source tree.
+ * Test suite:
+ - Add a test case for blank-indented patches which were the cause for
+ CVE-2017-8283.
 dpkg (1.18.10) unstable; urgency=medium
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 84059c1..6ce0ad6 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -275,6 +275,7 @@ test_data = \
 t/Dpkg_Shlibs/spacesyms-o-map.pl \
 t/Dpkg_Source_Patch/c-style.patch \
 t/Dpkg_Source_Patch/ghost-hunk.patch \
+ t/Dpkg_Source_Patch/indent-header.patch \
 t/Dpkg_Source_Patch/index-+++.patch \
 t/Dpkg_Source_Patch/index-alone.patch \
 t/Dpkg_Source_Patch/index-inert.patch \
diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
index 258a9aa..30be77a 100644
--- a/scripts/t/Dpkg_Source_Patch.t
+++ b/scripts/t/Dpkg_Source_Patch.t
@@ -16,7 +16,7 @@
 use strict;
 use warnings;
-use Test::More tests => 9;
+use Test::More tests => 10;
 use File::Path qw(make_path);
@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
 test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
 'Patch cannot escape using a disabling hunk');
+# This is CVE-2017-8283
+test_patch_escape('indent-header', 'symlink', 'indent-header.patch', 'Patch cannot escape indented hunks');
+
 1;
-- 
1.9.1
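Review bot: The new `test_patch_escape('indent-header', 'symlink', 'indent-header.patch', ...)` call reads `t/Dpkg_Source_Patch/indent-header.patch`, and the scripts/Makefile.am hunk adds that path to `test_data`, but the diffstat lists only three files and no hunk in this backport creates the data file, so the new test and the `test_data` distribution list will fail unless the fixture is carried separately. The comment `# This is CVE-2017-8283` says less than the sibling cases do; I would write `# CVE-2017-8283: a hunk indented by blanks must not bypass the path sanity checks`. The description notes that patch(1) accepts tab and `X` indentation as well as spaces, so if the fixture exercises only one form the other forms stay untested; that cannot be confirmed from this page. `test_patch_escape` is defined outside the hunk.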