path: root/recipes-devtools/dpkg/dpkg/test-case-for-CVE-2017-8283.patch
blob: 5632d8fefcf4b8bc67b52821ea2deeb8cb2369fd (plain)
From 57a3daba4d3dee1c33571e84f160aa1c67aece4c Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Thu, 14 Dec 2017 10:40:42 +0100
Subject: [PATCH] Dpkg::Source::Patch: Indented patch test-case

POSIX specifies that a diff hunk can be indented by spaces or tabs
(while the original patch(1) by Larry Wall also accepts 'X'), as long
as the number of spaces is consistent for all subsequent lines. And as
we are not checking for this condition at all, any such indented hunk
can avoid the sanity checks performed by Dpkg::Source::Patch.

On systems using GNU patch >= 2.7.5, this should, in principle, not be
a problem anymore, as that implementation protects against directory
traversal issues. But on other systems where the patch implementation
does not perform such checks (such as the BSDs) this is an issue, so
check for this in the test-suite.

Those are arguably all security issues in these various patch
implementations, but given that we are performing sanity checks and that
those implementations are currently very lax, it seems prudent to do the
heavy lifting ourselves and also take the possible blame too.

Ref: test-case for CVE-2017-8283
Upstream-Status: Backport

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 debian/changelog              | 3 +++
 scripts/Makefile.am           | 1 +
 scripts/t/Dpkg_Source_Patch.t | 6 +++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 4b5b36b..596a59e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@
       traversal resistant patch implementation. This fixes CVE-2017-8283 by
       delegating those checks to patch(1), so that we trap blank-indented
       diff hunks trying to escape from the source tree.
+  * Test suite:
+    - Add a test case for blank-indented patches which were the cause for
+      CVE-2017-8283.
 
 dpkg (1.18.10) unstable; urgency=medium
 
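Review bot: the new changelog entry sits directly under the existing CVE-2017-8283 bullet that already describes trapping blank-indented hunks, so the wording "which were the cause for CVE-2017-8283" duplicates it and reads slightly off ("cause of" would be the idiomatic form). Suggest a shorter entry that refers back to that bullet, e.g. "- Add a test case for blank-indented patches (CVE-2017-8283)."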
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 84059c1..6ce0ad6 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -275,6 +275,7 @@ test_data = \
 	t/Dpkg_Shlibs/spacesyms-o-map.pl \
 	t/Dpkg_Source_Patch/c-style.patch \
 	t/Dpkg_Source_Patch/ghost-hunk.patch \
+	t/Dpkg_Source_Patch/indent-header.patch \
 	t/Dpkg_Source_Patch/index-+++.patch \
 	t/Dpkg_Source_Patch/index-alone.patch \
 	t/Dpkg_Source_Patch/index-inert.patch \
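Review bot: `t/Dpkg_Source_Patch/indent-header.patch` is added to `test_data` here, but the data file itself is not part of this patch; the diffstat lists only debian/changelog, scripts/Makefile.am and scripts/t/Dpkg_Source_Patch.t. Without that file the new `test_patch_escape('indent-header', ...)` call in Dpkg_Source_Patch.t has no input to run against and the test will fail rather than exercise the CVE-2017-8283 case. Suggest carrying the data file in the same backport patch, or noting in the commit message which separate patch supplies it.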
diff --git a/scripts/t/Dpkg_Source_Patch.t b/scripts/t/Dpkg_Source_Patch.t
index 258a9aa..30be77a 100644
--- a/scripts/t/Dpkg_Source_Patch.t
+++ b/scripts/t/Dpkg_Source_Patch.t
@@ -16,7 +16,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 9;
+use Test::More tests => 10;
 
 use File::Path qw(make_path);
 
@@ -67,4 +67,8 @@ test_patch_escape('partial', 'symlink', 'partial.patch',
 test_patch_escape('ghost-hunk', 'symlink', 'ghost-hunk.patch',
                   'Patch cannot escape using a disabling hunk');
 
+# This is CVE-2017-8283
+test_patch_escape('indent-header', 'symlink', 'indent-header.patch',
+                  'Patch cannot escape indented hunks');
+
 1;
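Review bot: the test description "Patch cannot escape indented hunks" is inconsistent with the neighbouring "Patch cannot escape using a disabling hunk"; suggest "Patch cannot escape using indented hunks". The comment `# This is CVE-2017-8283` would also be more useful to a reader if it stated what the data file exercises, which the commit message explains: a hunk indented by blanks that would otherwise bypass the Dpkg::Source::Patch sanity checks and escape the source tree through the symlink target.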
-- 
1.9.1