Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

Recently CVE-2017-17531 was reported against the gozilla binary contained
in GNU Global. The issue wasn't deemed to warrant a DSA by the Debian
Security team, but I was wondering if this is something that is pu
material for the next stretch update.

The update contains a fix which has been backported from the upstream
release 6.6.1.

Thanks for your consideration.

Punit

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64, i386

Kernel: Linux 4.14.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru global-6.5.6/debian/changelog global-6.5.6/debian/changelog
--- global-6.5.6/debian/changelog       2017-01-07 14:22:40.000000000 +0000
+++ global-6.5.6/debian/changelog       2018-01-03 21:41:34.000000000 +0000
@@ -1,3 +1,9 @@
+global (6.5.6-2+deb9u1) stretch; urgency=medium
+
+  * Backport fix for CVE-2017-17531 from 6.6.1 (Closes: #884912)
+
+ -- Punit Agrawal <pu...@debian.org>  Wed, 03 Jan 2018 21:41:34 +0000
+
 global (6.5.6-2) unstable; urgency=medium
 
   * Include gtags.conf manpage in the package
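
Review bot: the new entry's single bullet ("Backport fix for CVE-2017-17531 from 6.6.1") does not say which binary is affected or which patch carries the fix. Naming gozilla and 0002-gozilla-Validate-strings-before-launching-browser.patch in that bullet would let the release team see the scope of the stable update from the changelog alone.
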
diff -Nru 
global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch
 
global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch
--- 
global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
global-6.5.6/debian/patches/0002-gozilla-Validate-strings-before-launching-browser.patch
    2018-01-03 21:41:34.000000000 +0000
@@ -0,0 +1,68 @@
+From: Punit Agrawal <pu...@debian.org>
+Date: Wed, 3 Jan 2018 21:35:38 +0000
+Subject: gozilla: Validate strings before launching browser
+
+gozilla does not validate strings before launching the program
+specified by the BROWSER environment variable, which might allow
+remote attackers to conduct argument-injection attacks via a crafted
+URL. This issue is reported as CVE-2017-17531.
+
+Backport a fix for this issue from upstream 6.6.1.
+---
+ gozilla/gozilla.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/gozilla/gozilla.c b/gozilla/gozilla.c
+index 22d2a95..9d53271 100644
+--- a/gozilla/gozilla.c
++++ b/gozilla/gozilla.c
+@@ -611,7 +611,8 @@ make_url_file(const char *url)
+ void
+ show_page_by_url(const char *browser, const char *url)
+ {
+-      char com[1024];
++      STRBUF  *sb = strbuf_open(0);
++      STRBUF  *arg = strbuf_open(0);
+ 
+       /*
+        * Browsers which have openURL() command.
+@@ -624,22 +625,33 @@ show_page_by_url(const char *browser, const char *url)
+           locatestring(browser, "netscape", MATCH_AT_LAST) ||
+           locatestring(browser, "netscape-remote", MATCH_AT_LAST))
+       {
+-              snprintf(com, sizeof(com), "%s -remote \"openURL(%s)\"", 
browser, url);
+-              system(com);
++              strbuf_puts(sb, quote_shell(browser));
++              strbuf_putc(sb, ' ');
++              strbuf_puts(sb, "-remote");
++              strbuf_putc(sb, ' ');
++              strbuf_sprintf(arg, "openURL(%s)", url);
++              strbuf_puts(sb, quote_shell(strbuf_value(arg)));
++              system(strbuf_value(sb));
+       }
+       /*
+        * Load default browser of OSX.
+        */
+       else if (!strcmp(browser, "osx-default")) {
+-              snprintf(com, sizeof(com), "open \"%s\"", make_url_file(url));
+-              system(com);
++              strbuf_puts(sb, "open");
++              strbuf_putc(sb, ' ');
++              strbuf_puts(sb, quote_shell(make_url_file(url)));
++              system(strbuf_value(sb));
+       }
+       /*
+        * Generic browser.
+        */
+       else {
+-              snprintf(com, sizeof(com), "%s \"%s\"", browser, url);
+-              system(com);
++              strbuf_puts(sb, quote_shell(browser));
++              strbuf_putc(sb, ' ');
++              strbuf_puts(sb, quote_shell(url));
++              system(strbuf_value(sb));
+       }
++      strbuf_close(sb);
++      strbuf_close(arg);
+ }
+ #endif
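
Review bot: in the generic branch, quote_shell(url) (assuming it returns its argument as one quoted shell word) stops the shell from interpreting the URL, but a value beginning with '-' is still handed to the browser as an option, and the commit message describes the issue as argument injection. Please confirm that callers of show_page_by_url() only pass a URL with a scheme or an absolute path, or reject a leading '-' before the command is built. Two further points for a stable update: quote_shell(browser) makes BROWSER a single word, so a BROWSER value that carries its own options, which the old "%s \"%s\"" format expanded unquoted, would no longer run; and the diffstat shows only gozilla/gozilla.c changed, so quote_shell() must already be present in 6.5.6 for this backport to build.
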
diff -Nru global-6.5.6/debian/patches/series global-6.5.6/debian/patches/series
--- global-6.5.6/debian/patches/series  2017-01-07 14:22:40.000000000 +0000
+++ global-6.5.6/debian/patches/series  2018-01-03 21:41:34.000000000 +0000
@@ -1 +1,2 @@
 0001-gtags-Fix-lintian-warning-with-gtags-manpage.patch
+0002-gozilla-Validate-strings-before-launching-browser.patch
