[atril] 01/03: debian/patches: Drop 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch. Upstream has a better fix for this.
Mike Gabriel
sunweaver at debian.org
Tue Jul 25 16:22:44 UTC 2017
sunweaver pushed a commit to branch master
in repository atril.
commit e0e2c238bc6afe2dcb546efe889caad11fa7e41c
Author: Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
Date: Tue Jul 25 17:58:57 2017 +0200
debian/patches: Drop 0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch. Upstream has a better fix for this.
---
...move-support-for-tar-and-tar-like-command.patch | 128 ---------------------
debian/patches/series | 1 -
2 files changed, 129 deletions(-)
diff --git a/debian/patches/0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch b/debian/patches/0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
deleted file mode 100644
index 3ae8014..0000000
--- a/debian/patches/0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-Origin: https://bugzilla.gnome.org/show_bug.cgi?id=784630#c5
-Reviewed-by: Santiago R.R. <santiagorr at riseup.net>
-Bug-Debian: http://bugs.debian.org/868500
-
-From 717df38fd8509bf883b70d680c9b1b3cf36732ee Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess at hadess.net>
-Date: Thu, 6 Jul 2017 20:02:00 +0200
-Subject: [PATCH] comics: Remove support for tar and tar-like commands
-
-When handling tar files, or using a command with tar-compatible syntax,
-to open comic-book archives, both the archive name (the name of the
-comics file) and the filename (the name of a page within the archive)
-are quoted to not be interpreted by the shell.
-
-But the filename is completely with the attacker's control and can start
-with "--" which leads to tar interpreting it as a command line flag.
-
-This can be exploited by creating a CBT file (a tar archive with the
-.cbt suffix) with an embedded file named something like this:
-"--checkpoint-action=exec=bash -c 'touch ~/hacked;'.jpg"
-
-CBT files are infinitely rare (CBZ is usually used for DRM-free
-commercial releases, CBR for those from more dubious provenance), so
-removing support is the easiest way to avoid the bug triggering. All
-this code was rewritten in the development release for GNOME 3.26 to not
-shell out to any command, closing off this particular attack vector.
-
-This also removes the ability to use libarchive's bsdtar-compatible
-binary for CBZ (ZIP), CB7 (7zip), and CBR (RAR) formats. The first two
-are already supported by unzip and 7zip respectively. libarchive's RAR
-support is limited, so unrar is a requirement anyway.
-
-Discovered by Felix Wilhelm from the Google Security Team.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=784630
-
--Index: atril-1.16.1/backend/comics/comics-document.c
-===================================================================
---- atril-1.16.1.orig/backend/comics/comics-document.c
-+++ atril-1.16.1/backend/comics/comics-document.c
-@@ -44,8 +44,7 @@ typedef enum
- RARLABS,
- GNAUNRAR,
- UNZIP,
-- P7ZIP,
-- TAR
-+ P7ZIP
- } ComicBookDecompressType;
-
- typedef struct _ComicsDocumentClass ComicsDocumentClass;
-@@ -105,9 +104,6 @@ static const ComicBookDecompressCommand
-
- /* 7zip */
- {NULL , "%s l -- %s" , "%s x -y %s -o%s", FALSE, OFFSET_7Z},
--
-- /* tar */
-- {"%s -xOf" , "%s -tf %s" , NULL , FALSE, NO_OFFSET}
- };
-
- static void comics_document_document_thumbnails_iface_init (EvDocumentThumbnailsInterface *iface);
-@@ -355,13 +351,6 @@ comics_check_decompress_command (gchar
- comics_document->command_usage = GNAUNRAR;
- return TRUE;
- }
-- comics_document->selected_command =
-- g_find_program_in_path ("bsdtar");
-- if (comics_document->selected_command) {
-- comics_document->command_usage = TAR;
-- return TRUE;
-- }
--
- } else if (g_content_type_is_a (mime_type, "application/x-cbz") ||
- g_content_type_is_a (mime_type, "application/zip")) {
- /* InfoZIP's unzip program */
-@@ -374,12 +363,6 @@ comics_check_decompress_command (gchar
- comics_document->command_usage = UNZIP;
- return TRUE;
- }
-- comics_document->selected_command =
-- g_find_program_in_path ("bsdtar");
-- if (comics_document->selected_command) {
-- comics_document->command_usage = TAR;
-- return TRUE;
-- }
-
- } else if (g_content_type_is_a (mime_type, "application/x-cb7") ||
- g_content_type_is_a (mime_type, "application/x-7z-compressed")) {
-@@ -403,27 +386,6 @@ comics_check_decompress_command (gchar
- comics_document->command_usage = P7ZIP;
- return TRUE;
- }
-- comics_document->selected_command =
-- g_find_program_in_path ("bsdtar");
-- if (comics_document->selected_command) {
-- comics_document->command_usage = TAR;
-- return TRUE;
-- }
-- } else if (g_content_type_is_a (mime_type, "application/x-cbt") ||
-- g_content_type_is_a (mime_type, "application/x-tar")) {
-- /* tar utility (Tape ARchive) */
-- comics_document->selected_command =
-- g_find_program_in_path ("tar");
-- if (comics_document->selected_command) {
-- comics_document->command_usage = TAR;
-- return TRUE;
-- }
-- comics_document->selected_command =
-- g_find_program_in_path ("bsdtar");
-- if (comics_document->selected_command) {
-- comics_document->command_usage = TAR;
-- return TRUE;
-- }
- } else {
- g_set_error (error,
- EV_DOCUMENT_ERROR,
-Index: atril-1.16.1/configure.ac
-===================================================================
---- atril-1.16.1.orig/configure.ac
-+++ atril-1.16.1/configure.ac
-@@ -625,7 +625,7 @@ if test "x$enable_tiff" = "xyes"; then
- ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}image/tiff;"
- fi
- if test "x$enable_comics" = "xyes"; then
-- ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}application/x-cbr;application/x-cbz;application/x-cb7;application/x-cbt;application/vnd.comicbook+zip;"
-+ ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}application/x-cbr;application/x-cbz;application/x-cb7;application/vnd.comicbook+zip;"
- fi
- if test "x$enable_pixbuf" = "xyes"; then
- ATRIL_MIME_TYPES="${ATRIL_MIME_TYPES}image/*;"
diff --git a/debian/patches/series b/debian/patches/series
index ae1d86d..e69de29 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +0,0 @@
-0001-CVE-2017-1000083-comics-Remove-support-for-tar-and-tar-like-command.patch