Bug#854723: diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive
Ximin Luo
infinity0 at debian.org
Thu Feb 9 21:14:12 UTC 2017
Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole
Dear Maintainer,
5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where
diffoscope may write to arbitrary locations on disk depending on the contents
of an untrusted archive. For example, comparing the following two files:
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=843811;filename=libBrokenLocale.a.0;msg=5
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=843811;filename=libBrokenLocale.a.1;msg=5
Traceback (most recent call last):
  File "/home/infinity0/xx/diffoscope/diffoscope/main.py", line 281, in main
    sys.exit(run_diffoscope(parsed_args))
  [..]
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 174, in extract
    self.ensure_unpacked()
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 219, in ensure_unpacked
    os.makedirs(os.path.dirname(dst), exist_ok=True)
  File "/usr/lib/python3.5/os.py", line 241, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/SYM64'
Note that this could easily have been something like /home/infinity0/.profile.
I have pushed a nearly-complete fix to git (after version 75 was just released)
which prevents the writes. However, reads are still done using the uncleaned
names, but this is a much less severe issue. So, if I don't supply a fix for
the second, lesser issue soon, the existing fix should be released ASAP.
X
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (200, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages diffoscope depends on:
ii python3-libarchive-c 2.1-3.1
ii python3-magic 1:5.29-3
ii python3-pkg-resources 33.1.1-1
pn python3:any <none>
Versions of packages diffoscope recommends:
ii acl 2.2.52-3
ii apktool 2.2.1+dfsg-2
ii binutils-multiarch 2.27.90.20170124-2
ii bzip2 1.0.6-8.1
ii caca-utils 0.99.beta19-2+b1
ii colord 1.3.3-2
ii cpio 2.11+dfsg-6
ii default-jdk [java-sdk] 2:1.8-58
ii default-jdk-headless 2:1.8-58
ii enjarify 1:1.0.3-3
ii fontforge-extras 0.3-4
ii fp-utils 3.0.0+dfsg-10
ii fp-utils-3.0.0 [fp-utils] 3.0.0+dfsg-10
ii genisoimage 9:1.1.11-3
ii gettext 0.19.8.1-2
ii ghc 8.0.1-17
ii ghostscript 9.20~dfsg-2
ii gnupg 2.1.18-3
ii jsbeautifier 1.6.4-6
ii llvm 1:3.8-34+b1
ii mono-utils 4.6.2.7+dfsg-1
ii openjdk-8-jdk [java-sdk] 8u121-b13-2
ii openssh-client 1:7.4p1-6
ii pdftk 2.02-4+b1
ii poppler-utils 0.48.0-2
ii python3-argcomplete 1.8.1-1
ii python3-debian 0.1.30
ii python3-guestfs 1:1.34.3-7
ii python3-progressbar 2.3-4
ii python3-rpm 4.12.0.2+dfsg1-1
ii python3-tlsh 3.4.4+20151206-1+b1
ii rpm2cpio 4.12.0.2+dfsg1-1
ii sng 1.1.0-1+b1
ii sqlite3 3.16.2-2
ii squashfs-tools 1:4.3-3
ii unzip 6.0-21
ii vim-common 2:8.0.0197-1
ii xxd 2:8.0.0197-1
ii xz-utils 5.2.2-1.2
Versions of packages diffoscope suggests:
ii libjs-jquery 3.1.1-2
-- no debconf information
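The report above describes the classic archive path-traversal write: a member name taken straight from an untrusted archive is handed to os.path.join, os.makedirs and open, so an absolute name such as /SYM64 (or a name containing ..) escapes the extraction directory. The following is an added example, not diffoscope's code and not the fix Ximin pushed; the function names (naive_dst, sanitized_dst, extract, demo) are hypothetical and the member names in SAMPLE_MEMBERS are constructed, not taken from the attached libBrokenLocale.a files. It shows why os.path.join alone is not a defence, and one way to map member names onto paths that are guaranteed to stay inside the unpack root.

```python
import os
import posixpath
import tempfile

# Constructed archive member names (not from the bug's attachments):
# one benign, one absolute, one with parent-directory traversal, and one
# that only escapes the root once the path is normalised.
SAMPLE_MEMBERS = {
    "lib/libBrokenLocale.o": b"benign",
    "/SYM64/victim": b"absolute path",
    "../../.profile": b"dot-dot traversal",
    "lib/../../escape": b"normalises outside root",
}


def naive_dst(root, name):
    """The unsafe pattern: os.path.join discards root entirely when name is
    absolute, and '..' components are passed through to makedirs/open as-is."""
    return os.path.join(root, name)


def sanitized_dst(root, name):
    """Map an archive member name onto a path strictly inside root.

    Returns None when the name cannot be placed safely: empty, absolute, or
    escaping root via '..' after normalisation. Archive member names use '/'
    separators regardless of the host OS, so normalise with posixpath first.
    """
    norm = posixpath.normpath(name)
    if not norm or norm == "." or posixpath.isabs(norm):
        return None
    parts = norm.split("/")
    if any(p == ".." for p in parts):
        return None
    root_real = os.path.realpath(root)
    dst = os.path.realpath(os.path.join(root_real, *parts))
    # Belt-and-braces: after symlink resolution dst must still be a
    # descendant of root (guards against a symlink planted inside root).
    if os.path.commonpath([root_real, dst]) != root_real:
        return None
    return dst


def extract(members, root, mapper):
    """Write each member under root using mapper to compute the destination.
    Members the mapper refuses are recorded rather than written."""
    written, rejected = [], []
    for name, data in members.items():
        dst = mapper(root, name)
        if dst is None:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        with open(dst, "wb") as fh:
            fh.write(data)
        written.append(dst)
    return written, rejected


def demo():
    """Extract SAMPLE_MEMBERS into a throwaway directory with the hardened
    mapper and report whether every written path stayed inside it."""
    with tempfile.TemporaryDirectory() as root:
        written, rejected = extract(SAMPLE_MEMBERS, root, sanitized_dst)
        root_real = os.path.realpath(root)
        return {
            "written_inside_root": all(
                p.startswith(root_real + os.sep) for p in written
            ),
            "written_count": len(written),
            "rejected": sorted(rejected),
        }


if __name__ == "__main__":
    # The naive join silently drops the root for an absolute member name,
    # which is exactly how the report's unpack ended up at '/SYM64'.
    print("naive:", naive_dst("/tmp/diffoscope-unpack", "/SYM64/victim"))
    print("hardened:", demo())
```

Rejecting rather than rewriting hostile names is deliberate: a comparison tool that silently renames "../../.profile" to ".profile" would hide a property of the archive that diffoscope's output should arguably surface. Note that this only covers the write side; as the report says, reads that still use the uncleaned names are a separate, lesser issue.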