Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, arc/5.21q-6 addressed in unstable an older directory traversal issue, #774527 (CVE-2015-9275). Although the issue is marked as ignored in the security-tracker, given the same base version I decided to prepare a 5.21q-4+deb9u1 for stretch as well. Attached is the debdiff with the same three patches added as for 5.21q-6 (yes, there is a typo in the patch name, but I just used the very same name as for the unstable upload). Regards, Salvatore
diff -Nru arc-5.21q/debian/changelog arc-5.21q/debian/changelog
--- arc-5.21q/debian/changelog 2015-09-02 16:44:25.000000000 +0200
+++ arc-5.21q/debian/changelog 2019-02-03 22:39:01.000000000 +0100
@@ -1,3 +1,13 @@
+arc (5.21q-4+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix version 1 arc header reading
+ * Fix arcdie crash when called with more then 1 variable argument
+ * Fix directory traversal bugs (CVE-2015-9275)
+ Thanks to Hans de Goede <hdego...@redhat.com> (Closes: #774527)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 03 Feb 2019 22:39:01 +0100
+
 arc (5.21q-4) unstable; urgency=medium

 * New maintainer. Thanks to Klaus Reimer for your work over this package.
diff -Nru arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch
--- arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch 1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-directory-traversel.patch 2019-02-03 22:39:01.000000000 +0100
@@ -0,0 +1,21 @@
+Fix directory traversal bugs
+
+arc archives do not contain directory hierarchies, only filenames, so refuse
+to operate on archives which have the directory-seperator inside filenames.
+
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774527
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1179143
+Signed-off-by: Hans de Goede <hdego...@redhat.com>
+diff -up arc-5.21p/arcio.c~ arc-5.21p/arcio.c
+--- arc-5.21p/arcio.c~ 2015-01-16 13:04:16.000000000 +0100
++++ arc-5.21p/arcio.c 2015-01-16 15:45:31.389010626 +0100
+@@ -109,6 +109,9 @@ readhdr(hdr, f) /* read a header from
+ #if _MTS
+ (void) atoe(hdr->name, strlen(hdr->name));
+ #endif
++ if (strchr(hdr->name, CUTOFF) != NULL)
++ arcdie("%s contains illegal filename %s", arcname, hdr->name);
++
+ for (i = 0, hdr->size=0; i<4; hdr->size<<=8, hdr->size += dummy[16-i], i++);
+ hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
diff -Nru arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch
--- arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch 1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-fix-arcdie.patch 2019-02-03 22:39:01.000000000 +0100
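Review bot: The added guard in readhdr, `if (strchr(hdr->name, CUTOFF) != NULL)`, rejects only the one character CUTOFF names, so it closes the traversal only if that is the sole character the target filesystem treats as a path separator. CUTOFF's definition is outside this hunk; on a build that also honours a second separator or a drive prefix, the check would presumably need to cover those as well. The `strchr` also depends on `hdr->name` being NUL-terminated, which this patch does not establish itself. It holds only because arc-5.21p-hdrv1-read-fix.patch is applied first in series, and a comment such as `/* hdr->name was NUL-terminated above; refuse any name containing a path separator */` would record that ordering dependency. readhdr's body starts and ends outside the hunk.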
@@ -0,0 +1,34 @@
+Fix arcdie crash when called with more then 1 variable argument
+
+Add proper vararg handling to fix crash on 64 bit machines when arcdie gets
+called with more then 1 variable argument.
+
+Signed-off-by: Hans de Goede <hdego...@redhat.com>
+diff -up arc-5.21p/arcmisc.c~ arc-5.21p/arcmisc.c
+--- arc-5.21p/arcmisc.c~ 2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p/arcmisc.c 2015-01-16 16:10:29.322603290 +0100
+@@ -4,6 +4,7 @@
+ */
+
+ #include <stdio.h>
++#include <stdarg.h>
+ #include <ctype.h>
+ #include "arc.h"
+
+@@ -223,11 +224,13 @@ upper(string)
+ }
+ /* VARARGS1 */
+ VOID
+-arcdie(s, arg1, arg2, arg3)
+- char *s;
++arcdie(const char *s, ...)
+ {
++ va_list args;
+ fprintf(stderr, "ARC: ");
+- fprintf(stderr, s, arg1, arg2, arg3);
++ va_start(args, s);
++ vfprintf(stderr, s, args);
++ va_end(args);
+ fprintf(stderr, "\n");
+ #if UNIX
+ perror("UNIX");
diff -Nru arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch
--- arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ arc-5.21q/debian/patches/arc-5.21p-hdrv1-read-fix.patch 2019-02-03 22:39:01.000000000 +0100
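Review bot: The definition becomes variadic, `arcdie(const char *s, ...)`, but the patch touches only arcmisc.c, so whatever declaration the callers in other files see is left unchanged; calling a variadic function without a matching prototype in scope is undefined behaviour. If arc.h (included here but not shown) still declares it old-style, it should become `VOID arcdie(const char *s, ...);`. Where the compiler supports it, a printf format attribute on that declaration would let call sites be checked, including the two-argument call added by the directory-traversal patch. The `/* VARARGS1 */` lint marker above the definition is stale once real varargs are used and can be dropped. arcdie's body continues past the end of the hunk.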
@@ -0,0 +1,70 @@
+Fix version 1 arc header reading
+
+The code for v1 hdr reading was reading the packed header directly into an
+unpacked struct.
+
+Use the same read to dummy array, then manual unpack to header struct as
+used for v2 headers for v1 headers too.
+
+Signed-off-by: Hans de Goede <hdego...@redhat.com>
+diff -ur arc-5.21p/arcio.c arc-5.21p.new/arcio.c
+--- arc-5.21p/arcio.c 2010-08-07 15:06:42.000000000 +0200
++++ arc-5.21p.new/arcio.c 2015-01-16 12:59:43.203289118 +0100
+@@ -37,6 +37,7 @@
+ #endif
+ char name[FNLEN]; /* filename buffer */
+ int try = 0;/* retry counter */
++ int hdrlen;
+ static int first = 1; /* true only on first read */
+
+ if (!f) /* if archive didn't open */
+@@ -92,23 +93,19 @@
+ printf("I think you need a newer version of ARC.\n");
+ exit(1);
+ }
++
+ /* amount to read depends on header type */
++ if (hdrver == 1) {
++ hdrlen = 23; /* old style is shorter */
++ } else {
++ hdrlen = 27;
++ }
+
+- if (hdrver == 1) { /* old style is shorter */
+- if (fread(hdr, sizeof(struct heads) - sizeof(long int), 1, f) != 1)
+- arcdie("%s was truncated", arcname);
+- hdrver = 2; /* convert header to new format */
+- hdr->length = hdr->size; /* size is same when not
+- * packed */
+- } else
+-#if MSDOS
+- if (fread(hdr, sizeof(struct heads), 1, f) != 1)
+- arcdie("%s was truncated", arcname);
+-#else
+- if (fread(dummy, 27, 1, f) != 1)
+- arcdie("%s was truncated", arcname);
++ if (fread(dummy, hdrlen, 1, f) != 1)
++ arcdie("%s was truncated", arcname);
+
+ for (i = 0; i < FNLEN; hdr->name[i] = dummy[i], i++);
++ hdr->name[FNLEN - 1] = 0; /* ensure 0 termination */
+ #if _MTS
+ (void) atoe(hdr->name, strlen(hdr->name));
+ #endif
+@@ -116,8 +113,14 @@
+ hdr->date = (short) ((dummy[18] << 8) + dummy[17]);
+ hdr->time = (short) ((dummy[20] << 8) + dummy[19]);
+ hdr->crc = (short) ((dummy[22] << 8) + dummy[21]);
+- for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
+-#endif
++
++ if (hdrver == 1) {
++ hdrver = 2; /* convert header to new format */
++ hdr->length = hdr->size; /* size is same when not
++ * packed */
++ } else {
++ for (i = 0, hdr->length=0; i<4; hdr->length<<=8, hdr->length += dummy[26-i], i++);
++ }
+
+ if (hdr->date > olddate
+ || (hdr->date == olddate && hdr->time > oldtime)) {
diff -Nru arc-5.21q/debian/patches/series arc-5.21q/debian/patches/series
--- arc-5.21q/debian/patches/series 2015-09-01 22:55:39.000000000 +0200
+++ arc-5.21q/debian/patches/series 2019-02-03 22:39:01.000000000 +0100
@@ -2,3 +2,6 @@
 spelling
 manpage-section-fix
 fix-gcc-warnings
+arc-5.21p-hdrv1-read-fix.patch
+arc-5.21p-fix-arcdie.patch
+arc-5.21p-directory-traversel.patch
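Review bot: The header lengths `hdrlen = 23` and `hdrlen = 27` are bare numbers whose meaning has to be worked out from the `dummy[...]` indices further down. A comment such as `/* v1: name 0-12, size 13-16, date 17-18, time 19-20, crc 21-22 = 23 bytes; v2 adds length 23-26 */` (assuming FNLEN is 13, as the size offset suggests) would tie them to the on-disk layout. `fread(dummy, hdrlen, 1, f)` now serves every header version and relies on `dummy` holding at least 27 bytes; its declaration is outside the hunk, so that bound is worth stating beside it. The removed `#if MSDOS` branch read directly into `hdr`. If the `#endif` that opens the first hunk closes a non-MSDOS guard around the `dummy` and `i` declarations, that configuration would no longer build, which should be confirmed. readhdr starts and ends outside these hunks.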