On Thu, Jan 30, 2014 at 09:06:38PM +0100, Jakub Wilk wrote:
> A malicious .orig.tar file can trick uupdate into patching files
> outside the source package directory. Proof of concept:
Thanks for the report and PoC. Looking into it some, below is my understanding of the issue and concerns on fixing it.

First, this is only a problem for 1.0 format source packages, since unpacking a 3.0 format's diff tarball will replace a potentially malicious symlink in upstream's source with the corresponding directory in the diff tarball.

With it constrained to 1.0 format, the problem exists for any file the diff.gz is adding (or possibly, but much less likely, modifying) where one of the directories in the path is a symlink pointing outside of the upstream source tree. We basically need to add the following just inside the if on line 730:

    for link in $(find -type l); do
        resolved="$(readlink -f "$link")"
        if ! expr "$resolved" : "$(pwd)" >/dev/null; then
            complain loudly
        fi
    done

The problem with the above is that it's not robust in the face of paths which contain whitespace. That means, at best, some paths aren't properly detected and therefore are still subject to the original issue.

If someone more familiar with the intricacies of handling this sort of scenario in (ba)sh has an idea on how to properly implement this, I'm all ears. Otherwise, I'm tempted to rewrite the whole thing in Perl, but I'd rather not be taking the time to do that.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05
James McCoy <james...@debian.org>
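An added example, not code from the bug report or from devscripts/uupdate: the symlink sweep above rewritten so that file names containing whitespace (or newlines) survive, by letting find(1) hand the names to an inner shell as separate arguments instead of word-splitting an unquoted $(find ...). It also replaces the `expr "$resolved" : "$(pwd)"` test, which has two weaknesses of its own: the working directory is interpreted as a regular expression, and a bare prefix match accepts /build/pkg-evil as "inside" /build/pkg. The function name, the use of GNU `readlink -m` (so that a link whose target does not exist yet is still canonicalised rather than skipped) and the reliance on GNU find returning non-zero when an `-exec ... {} +` invocation fails are this example's own assumptions.

```shell
# Added example, not uupdate's own code: report symlinks under a source tree
# that resolve to a location outside that tree, without word-splitting names.
#
# Assumes GNU coreutils "readlink -m" (canonicalise, allowing missing
# components) and a find(1) that honours "-exec ... {} +" and exits non-zero
# when any invocation of the command fails, as GNU find does.
# Returns 0 when every symlink resolves inside the tree, 1 otherwise, listing
# each escaping link as "link -> resolved target" on stderr.
check_symlinks_in_tree() {
    tree=$(readlink -m -- "$1") || return 2

    # find passes the link names as separate arguments to the inner shell, so
    # whitespace and newlines in paths are preserved.  With "{} +" the inner
    # script may run several times; find returns non-zero if any run did.
    if find "$tree" -type l -exec sh -c '
        tree=$1; shift
        bad=0
        for link in "$@"; do
            # -m rather than -f: a link whose target does not exist yet is not
            # given the benefit of the doubt, since patch(1) creates missing
            # files and directories on the way to a new path.
            resolved=$(readlink -m -- "$link") || { bad=1; continue; }
            # Literal path comparison instead of an expr(1) regex: "$tree" is
            # matched verbatim (no metacharacters), and "$tree"/* requires a
            # directory boundary, so /build/pkg does not accept /build/pkg-evil.
            case "$resolved" in
                "$tree"|"$tree"/*) ;;
                *) printf "%s -> %s\n" "$link" "$resolved" >&2; bad=1 ;;
            esac
        done
        exit $bad
    ' find-sh "$tree" {} +
    then
        return 0
    else
        return 1
    fi
}
```

Usage: run `check_symlinks_in_tree "$unpacked_upstream_dir" || exit 1` at the point where uupdate is about to apply the diff, so the patch step is never reached when any symlink leaves the tree.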