sergiomb pushed to dpkg (el6). "- Fix CVE-2010-0396"
Tue Apr 21 04:29:44 UTC 2015
>From 6fffb44b1c1524a5689d497e8f5ba7be571003dd Mon Sep 17 00:00:00 2001
From: topdog <topdog at fedoraproject.org>
Date: Thu, 11 Mar 2010 13:46:34 +0000
Subject: - Fix CVE-2010-0396
diff --git a/dpkg.spec b/dpkg.spec
index 9ca4d98..01e334e 100644
--- a/dpkg.spec
+++ b/dpkg.spec
@@ -1,6 +1,6 @@
Name: dpkg
Version: 1.15.5.6
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Package maintenance system for Debian Linux
Group: System Environment/Base
# The entire source code is GPLv2+ with exception of the following
@@ -17,6 +17,9 @@ Source1: dpkg.archtable
# Fedora specific patch to store files under /usr/share/dpkg, not these are not binary
# libs. and set user search path to /usr/local/share/dpkg
Patch1: dpkg-change-libdir-path.patch
+# Fixes CVE-2010-0396 bugzilla #572522
+Patch2: fedora-fix-CVE-2010-0396-00.patch
+Patch3: fedora-fix-CVE-2010-0396-01.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: zlib-devel, bzip2-devel, libselinux-devel, gettext, ncurses-devel
@@ -58,6 +61,8 @@ dselect is a high-level interface for the installation/removal of debs .
%setup -q
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
# Filter unwanted Requires:
cat << \EOF > %{name}-req
@@ -196,6 +201,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Mar 11 2010 Andrew Colin Kissa <andrew at topdog.za.net> - 1.15.5.6-4
+- Fix CVE-2010-0396
+
* Mon Feb 15 2010 Andrew Colin Kissa <andrew at topdog.za.net> - 1.15.5.6-3
- review changes
diff --git a/fedora-fix-CVE-2010-0396-00.patch b/fedora-fix-CVE-2010-0396-00.patch
new file mode 100644
index 0000000..6f9fc07
--- /dev/null
+++ b/fedora-fix-CVE-2010-0396-00.patch
@@ -0,0 +1,43 @@
+diff --git a/scripts/Dpkg/Source/Patch.pm b/scripts/Dpkg/Source/Patch.pm
+--- a/scripts/Dpkg/Source/Patch.pm
++++ b/scripts/Dpkg/Source/Patch.pm
+@@ -322,8 +322,9 @@ sub analyze {
+ error(_g("expected ^--- in line %d of diff `%s'"), $., $diff);
+ }
+ $_ = strip_ts($_);
+- if ($_ eq '/dev/null' or s{^(\./)?[^/]+/}{$destdir/}) {
++ if ($_ eq '/dev/null' or s{^[^/]+/}{$destdir/}) {
+ $fn = $_;
++ error(_g("%s contains an insecure path: %s"), $diff, $_) if m{/\.\./};
+ }
+ if (/\.dpkg-orig$/) {
+ error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff);
+@@ -336,8 +337,9 @@ sub analyze {
+ error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.);
+ }
+ $_ = strip_ts($_);
+- if ($_ eq '/dev/null' or s{^(\./)?[^/]+/}{$destdir/}) {
++ if ($_ eq '/dev/null' or s{^[^/]+/}{$destdir/}) {
+ $fn2 = $_;
++ error(_g("%s contains an insecure path: %s"), $diff, $_) if m{/\.\./};
+ } else {
+ unless (defined $fn) {
+ error(_g("none of the filenames in ---/+++ are relative in diff `%s' (line %d)"),
+@@ -363,6 +365,17 @@ sub analyze {
+ if ($dirname =~ s{/[^/]+$}{} && not -d $dirname) {
+ $dirtocreate{$dirname} = 1;
+ }
++
++ # Sanity check, refuse to patch through a symlink
++ $dirname = $fn;
++ while (1) {
++ if (-l $dirname) {
++ error(_g("diff %s modifies file %s through a symlink: %s"),
++ $diff, $fn, $dirname);
++ }
++ last unless $dirname =~ s{/[^/]+$}{};
++ }
++
+ if (-e $fn and not -f _) {
+ error(_g("diff `%s' patches something which is not a plain file"), $diff);
+ }
diff --git a/fedora-fix-CVE-2010-0396-01.patch b/fedora-fix-CVE-2010-0396-01.patch
new file mode 100644
index 0000000..c862e05
--- /dev/null
+++ b/fedora-fix-CVE-2010-0396-01.patch
@@ -0,0 +1,11 @@
+diff --git a/scripts/Dpkg/Source/Package/V3/quilt.pm b/scripts/Dpkg/Source/Package/V3/quilt.pm
+--- a/scripts/Dpkg/Source/Package/V3/quilt.pm
++++ b/scripts/Dpkg/Source/Package/V3/quilt.pm
+@@ -123,6 +123,7 @@ sub read_patch_list {
+ }
+ }
+ next if $opts{"skip_auto"} and $_ eq $auto_patch;
++ error(_g("%s contains an insecure path: %s"), $file, $_) if m{(^|/)\.\./};
+ push @patches, $_;
+ }
+ close(SERIES);
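Review bot: The new check at line 126 of quilt.pm rejects series entries containing a `..` component (`m{(^|/)\.\./}`), but an entry that is an absolute path (leading `/`) passes it; whether that matters depends on how `@patches` entries are later joined to the patches directory, which is outside this hunk, so it is worth confirming there or adding a second guard such as `error(_g("%s contains an insecure path: %s"), $file, $_) if m{^/};`. The check also assumes `$_` has already been chomped and stripped of comments by the code above the hunk; the message would otherwise print a trailing newline. A short comment, `# refuse series entries that could resolve outside the patches directory`, would state the intent. `sub read_patch_list` starts outside the hunk.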
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/dpkg.git/commit/?h=el6&id=6fffb44b1c1524a5689d497e8f5ba7be571003dd