dpkg: Security Advisory - CVE-2014-0471

v2 changes: * update format for commit log * add Upstream-Status for patch commit a82651188476841d190c58693f95827d61959b51 upstream Dkpkg::Source::Patch: Correctly parse C-style diff filenames We need to strip the surrounding quotes, and unescape any escape sequence, so that we check the same files that the patch program will be using, otherwise a malicious package could overpass those checks, and perform directory traversal attacks on source package unpacking. Fixes: CVE-2014-0471 Reported-by: Jakub Wilk <jwilk@debian.org> [drop the text for debian/changelog,because it's not suitable for the veriosn] (From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0) (From OE-Core rev: c75316fc256d229cfad45cd57328920993d93d8d) Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Guillem Jover <guillem@debian.org> 2014-06-17 04:25:51 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:06 +0100
commit: 570345adfd10847e40de573457f127c70d7c7b33 (patch)
tree: ded308e9a69591917307355adcff86c676e313e2
parent: 90623776248e50a7a2b95247ba7b4aeac2dcbdc2 (diff)
download: poky-570345adfd10847e40de573457f127c70d7c7b33.tar.gz
2 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch
new file mode 100644
index 0000000000..195d309506
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch
@@ -0,0 +1,97 @@
+dpkg: Security Advisory - CVE-2014-0471
+commit a82651188476841d190c58693f95827d61959b51 upstream
+Directory traversal vulnerability in the unpacking functionality in
+dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8
+allows remote attackers to write arbitrary files via a crafted source
+package, related to "C-style filename quoting."
+Upstream-Status: Backport
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+===================================================
+diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
+--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm        2014-06-05 15:24:07.422446284 +0800
+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm    2014-06-05 15:41:37.746446314 +0800
+@@ -324,14 +324,53 @@
+     return $line;
+ }
+ 
+-# Strip timestamp
+-sub _strip_ts {
+-    my $header = shift;
+-
+-    # Tab is the official separator, it's always used when
+-    # filename contain spaces. Try it first, otherwise strip on space
+-    # if there's no tab
+-    $header =~ s/\s.*// unless ($header =~ s/\t.*//);
+my %ESCAPE = ((
+    'a' => "\a",
+    'b' => "\b",
+    'f' => "\f",
+    'n' => "\n",
+    'r' => "\r",
+    't' => "\t",
+    'v' => "\cK",
+    '\\' => '\\',
+    '"' => '"',
+), (
+    map { sprintf('%03o', $_) => chr($_) } (0..255)
+));
+
+sub _unescape {
+    my ($diff, $str) = @_;
+
+    if (exists $ESCAPE{$str}) {
+        return $ESCAPE{$str};
+    } else {
+        error(_g('diff %s patches file with unknown escape sequence \\%s'),
+              $diff, $str);
+    }
+}
+
+# Fetch the header filename ignoring the optional timestamp
+sub _fetch_filename {
+    my ($diff, $header) = @_;
+
+    # Strip any leading spaces.
+    $header =~ s/^\s+//;
+
+    # Is it a C-style string?
+    if ($header =~ m/^"/) {
+        $header =~ m/^"((?:[^\\"]|\\.)*)"/;
+        error(_g('diff %s patches file with unbalanced quote'), $diff)
+            unless defined $1;
+
+        $header = $1;
+        $header =~ s/\\([0-3][0-7]{2}|.)/_unescape($diff, $1)/eg;
+    } else {
+        # Tab is the official separator, it's always used when
+        # filename contain spaces. Try it first, otherwise strip on space
+        # if there's no tab
+        $header =~ s/\s.*// unless $header =~ s/\t.*//;
+    }
+
+     return $header;
+ }
+ 
+@@ -400,7 +439,7 @@
+        unless(s/^--- //) {
+            error(_g("expected ^--- in line %d of diff `%s'"), $., $diff);
+        }
+-        $path{old} = $_ = _strip_ts($_);
+       $path{old} = $_ = _fetch_filename($diff, $_);
+        $fn{old} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
+        if (/\.dpkg-orig$/) {
+            error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff);
+@@ -412,7 +451,7 @@
+        unless (s/^\+\+\+ //) {
+            error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.);
+        }
+-        $path{new} = $_ = _strip_ts($_);
+       $path{new} = $_ = _fetch_filename($diff, $_);
+        $fn{new} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
+ 
+        unless (defined $fn{old} or defined $fn{new}) {
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
index 5507352a27..48e13948f0 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://noman.patch \
            file://dpkg-configure.service \
            file://glibc2.5-sync_file_range.patch \
            file://no-vla-warning.patch \
+            file://dpkg-1.17.4-CVE-2014-0471.patch \
           "
 SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"
author	Guillem Jover <guillem@debian.org>	2014-06-17 04:25:51 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-10 15:06:06 +0100
commit	570345adfd10847e40de573457f127c70d7c7b33 (patch)
tree	ded308e9a69591917307355adcff86c676e313e2
parent	90623776248e50a7a2b95247ba7b4aeac2dcbdc2 (diff)
download	poky-570345adfd10847e40de573457f127c70d7c7b33.tar.gz

diff --git a/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch new file mode 100644 index 0000000000..195d309506 --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/dpkg-1.17.4-CVE-2014-0471.patch
@@ -0,0 +1,97 @@
		1	dpkg: Security Advisory - CVE-2014-0471
		2
		3	commit a82651188476841d190c58693f95827d61959b51 upstream
		4
		5	Directory traversal vulnerability in the unpacking functionality in
		6	dpkg before 1.15.9, 1.16.x before 1.16.13, and 1.17.x before 1.17.8
		7	allows remote attackers to write arbitrary files via a crafted source
		8	package, related to "C-style filename quoting."
		9
		10	Upstream-Status: Backport
		11
		12	Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
		13	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
		14	===================================================
		15	diff -uarN dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm
		16	--- dpkg-1.17.1-org/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:24:07.422446284 +0800
		17	+++ dpkg-1.17.1/scripts/Dpkg/Source/Patch.pm 2014-06-05 15:41:37.746446314 +0800
		18	@@ -324,14 +324,53 @@
		19	return $line;
		20	}
		21
		22	-# Strip timestamp
		23	-sub _strip_ts {
		24	- my $header = shift;
		25	-
		26	- # Tab is the official separator, it's always used when
		27	- # filename contain spaces. Try it first, otherwise strip on space
		28	- # if there's no tab
		29	- $header =~ s/\s.// unless ($header =~ s/\t.//);
		30	+my %ESCAPE = ((
		31	+ 'a' => "\a",
		32	+ 'b' => "\b",
		33	+ 'f' => "\f",
		34	+ 'n' => "\n",
		35	+ 'r' => "\r",
		36	+ 't' => "\t",
		37	+ 'v' => "\cK",
		38	+ '\\' => '\\',
		39	+ '"' => '"',
		40	+), (
		41	+ map { sprintf('%03o', $_) => chr($_) } (0..255)
		42	+));
		43	+
		44	+sub _unescape {
		45	+ my ($diff, $str) = @_;
		46	+
		47	+ if (exists $ESCAPE{$str}) {
		48	+ return $ESCAPE{$str};
		49	+ } else {
		50	+ error(_g('diff %s patches file with unknown escape sequence \\%s'),
		51	+ $diff, $str);
		52	+ }
		53	+}
		54	+
		55	+# Fetch the header filename ignoring the optional timestamp
		56	+sub _fetch_filename {
		57	+ my ($diff, $header) = @_;
		58	+
		59	+ # Strip any leading spaces.
		60	+ $header =~ s/^\s+//;
		61	+
		62	+ # Is it a C-style string?
		63	+ if ($header =~ m/^"/) {
		64	+ $header =~ m/^"((?:[^\\"]\|\\.)*)"/;
		65	+ error(_g('diff %s patches file with unbalanced quote'), $diff)
		66	+ unless defined $1;
		67	+
		68	+ $header = $1;
		69	+ $header =~ s/\\([0-3][0-7]{2}\|.)/_unescape($diff, $1)/eg;
		70	+ } else {
		71	+ # Tab is the official separator, it's always used when
		72	+ # filename contain spaces. Try it first, otherwise strip on space
		73	+ # if there's no tab
		74	+ $header =~ s/\s.// unless $header =~ s/\t.//;
		75	+ }
		76	+
		77	return $header;
		78	}
		79
		80	@@ -400,7 +439,7 @@
		81	unless(s/^--- //) {
		82	error(_g("expected ^--- in line %d of diff `%s'"), $., $diff);
		83	}
		84	- $path{old} = $_ = _strip_ts($_);
		85	+ $path{old} = $_ = _fetch_filename($diff, $_);
		86	$fn{old} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
		87	if (/\.dpkg-orig$/) {
		88	error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff);
		89	@@ -412,7 +451,7 @@
		90	unless (s/^\+\+\+ //) {
		91	error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.);
		92	}
		93	- $path{new} = $_ = _strip_ts($_);
		94	+ $path{new} = $_ = _fetch_filename($diff, $_);
		95	$fn{new} = $_ if $_ ne '/dev/null' and s{^[^/]*/+}{$destdir/};
		96
		97	unless (defined $fn{old} or defined $fn{new}) {


diff --git a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb index 5507352a27..48e13948f0 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.17.4.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://noman.patch \
12	file://dpkg-configure.service \	12	file://dpkg-configure.service \
13	file://glibc2.5-sync_file_range.patch \	13	file://glibc2.5-sync_file_range.patch \
14	file://no-vla-warning.patch \	14	file://no-vla-warning.patch \
		15	file://dpkg-1.17.4-CVE-2014-0471.patch \
15	"	16	"
16		17
17	SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"	18	SRC_URI[md5sum] = "cc25086e1e3bd9512a95f14cfe9002e1"