Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
This fixes CVE-2020-11736 for stretch. I have confirmed that the update fixes that bug, and that basic package functionality didn't regress. Debdiff attached, package already uploaded. Cheers, Emilio
diff -Nru file-roller-3.22.3/debian/changelog file-roller-3.22.3/debian/changelog --- file-roller-3.22.3/debian/changelog 2019-09-22 15:10:05.000000000 +0200 +++ file-roller-3.22.3/debian/changelog 2020-07-09 09:31:47.000000000 +0200 @@ -1,3 +1,9 @@ +file-roller (3.22.3-1+deb9u2) stretch; urgency=medium + + * CVE-2020-11736 (Closes: #956638) + + -- Emilio Pozuelo Monfort <po...@debian.org> Thu, 09 Jul 2020 09:31:47 +0200 + file-roller (3.22.3-1+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru file-roller-3.22.3/debian/control file-roller-3.22.3/debian/control --- file-roller-3.22.3/debian/control 2019-09-22 15:07:13.000000000 +0200 +++ file-roller-3.22.3/debian/control 2020-07-09 09:31:47.000000000 +0200 @@ -1,12 +1,12 @@ # This file is autogenerated. DO NOT EDIT! -# +# # Modifications should be made to debian/control.in instead. # This file is regenerated automatically in the clean target. Source: file-roller Section: gnome Priority: optional Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org> -Uploaders: Andreas Henriksson <andr...@fatal.se>, Laurent Bigonville <bi...@debian.org>, Michael Biebl <bi...@debian.org> +Uploaders: Emilio Pozuelo Monfort <po...@debian.org>, Laurent Bigonville <bi...@debian.org>, Michael Biebl <bi...@debian.org> Build-Depends: debhelper (>= 10), desktop-file-utils, gettext, diff -Nru file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch --- file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch 1970-01-01 01:00:00.000000000 +0100 +++ file-roller-3.22.3/debian/patches/02_CVE-2020-11736.patch 2020-07-09 09:31:47.000000000 +0200 @@ -0,0 +1,201 @@ +--- a/src/fr-archive-libarchive.c ++++ b/src/fr-archive-libarchive.c +@@ -601,6 +601,149 @@ _g_output_stream_add_padding (ExtractDat + } + + ++static gboolean ++_symlink_is_external_to_destination (GFile *file, ++ const char *symlink, ++ GFile *destination, ++ GHashTable *external_links); ++ ++ ++static gboolean ++_g_file_is_external_link (GFile *file, ++ GFile *destination, ++ GHashTable *external_links) ++{ ++ GFileInfo *info; ++ gboolean external; ++ ++ if (g_hash_table_lookup (external_links, file) != NULL) ++ return TRUE; ++ ++ info = g_file_query_info (file, ++ G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK "," G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET, ++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, ++ NULL, ++ NULL); ++ ++ if (info == NULL) ++ return FALSE; ++ ++ external = FALSE; ++ ++ if (g_file_info_get_is_symlink (info)) { ++ if (_symlink_is_external_to_destination (file, ++ g_file_info_get_symlink_target (info), ++ destination, ++ external_links)) ++ { ++ g_hash_table_insert (external_links, g_object_ref (file), GINT_TO_POINTER (1)); ++ external = TRUE; ++ } ++ } ++ ++ g_object_unref (info); ++ ++ return external; ++} ++ ++ ++static gboolean ++_symlink_is_external_to_destination (GFile *file, ++ const char *symlink, ++ GFile *destination, ++ GHashTable *external_links) ++{ ++ gboolean external = FALSE; ++ GFile *parent; ++ char **components; ++ int i; ++ ++ if ((file == NULL) || (symlink == NULL)) ++ return FALSE; ++ ++ if (symlink[0] == '/') ++ return TRUE; ++ ++ parent = g_file_get_parent (file); ++ components = g_strsplit (symlink, "/", -1); ++ for (i = 0; components[i] != NULL; i++) { ++ char *name = components[i]; ++ GFile *tmp; ++ ++ if ((name[0] == 0) || ((name[0] == '.') && (name[1] == 0))) ++ continue; ++ ++ if ((name[0] == '.') && (name[1] == '.') && (name[2] == 0)) { ++ if (g_file_equal (parent, destination)) { ++ external = TRUE; ++ break; ++ } ++ else { ++ tmp = g_file_get_parent (parent); ++ g_object_unref (parent); ++ parent = tmp; ++ } ++ } ++ else { ++ tmp = g_file_get_child (parent, components[i]); ++ g_object_unref (parent); ++ parent = tmp; ++ } ++ ++ if (_g_file_is_external_link (parent, destination, external_links)) { ++ external = TRUE; ++ break; ++ } ++ } ++ ++ g_strfreev (components); ++ g_object_unref (parent); ++ ++ return external; ++} ++ ++ ++static gboolean ++_g_path_is_external_to_destination (const char *relative_path, ++ GFile *destination, ++ GHashTable *external_links) ++{ ++ gboolean external = FALSE; ++ GFile *parent; ++ char **components; ++ int i; ++ ++ if (relative_path == NULL) ++ return FALSE; ++ ++ if (destination == NULL) ++ return TRUE; ++ ++ parent = g_object_ref (destination); ++ components = g_strsplit (relative_path, "/", -1); ++ for (i = 0; (components[i] != NULL) && (components[i + 1] != NULL); i++) { ++ GFile *tmp; ++ ++ if (components[i][0] == 0) ++ continue; ++ ++ tmp = g_file_get_child (parent, components[i]); ++ g_object_unref (parent); ++ parent = tmp; ++ ++ if (_g_file_is_external_link (parent, destination, external_links)) { ++ external = TRUE; ++ break; ++ } ++ } ++ ++ g_strfreev (components); ++ g_object_unref (parent); ++ ++ return external; ++} ++ ++ + static void + extract_archive_thread (GSimpleAsyncResult *result, + GObject *object, +@@ -611,6 +754,7 @@ extract_archive_thread (GSimpleAsyncResu + GHashTable *checked_folders; + GHashTable *created_files; + GHashTable *folders_created_during_extraction; ++ GHashTable *external_links; + struct archive *a; + struct archive_entry *entry; + int r; +@@ -621,6 +765,7 @@ extract_archive_thread (GSimpleAsyncResu + checked_folders = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL); + created_files = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, g_object_unref); + folders_created_during_extraction = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL); ++ external_links = g_hash_table_new_full (g_file_hash, (GEqualFunc) g_file_equal, g_object_unref, NULL); + fr_archive_progress_set_total_files (load_data->archive, extract_data->n_files_to_extract); + + a = archive_read_new (); +@@ -652,6 +797,15 @@ extract_archive_thread (GSimpleAsyncResu + fullpath = (*pathname == '/') ? g_strdup (pathname) : g_strconcat ("/", pathname, NULL); + relative_path = _g_path_get_relative_basename_safe (fullpath, extract_data->base_dir, extract_data->junk_paths); + if (relative_path == NULL) { ++ fr_archive_progress_inc_completed_files (load_data->archive, 1); ++ fr_archive_progress_inc_completed_bytes (load_data->archive, archive_entry_size_is_set (entry) ? archive_entry_size (entry) : 0); ++ archive_read_data_skip (a); ++ continue; ++ } ++ ++ if (_g_path_is_external_to_destination (relative_path, extract_data->destination, external_links)) { ++ fr_archive_progress_inc_completed_files (load_data->archive, 1); ++ fr_archive_progress_inc_completed_bytes (load_data->archive, archive_entry_size_is_set (entry) ? archive_entry_size (entry) : 0); + archive_read_data_skip (a); + continue; + } +@@ -860,6 +1014,8 @@ extract_archive_thread (GSimpleAsyncResu + load_data->error = g_error_copy (local_error); + g_clear_error (&local_error); + } ++ else if (_symlink_is_external_to_destination (file, archive_entry_symlink (entry), extract_data->destination, external_links)) ++ g_hash_table_insert (external_links, g_object_ref (file), GINT_TO_POINTER (1)); + archive_read_data_skip (a); + break; + +@@ -894,6 +1050,7 @@ extract_archive_thread (GSimpleAsyncResu + g_hash_table_unref (folders_created_during_extraction); + g_hash_table_unref (created_files); + g_hash_table_unref (checked_folders); ++ g_hash_table_unref (external_links); + archive_read_free (a); + extract_data_free (extract_data); + } diff -Nru file-roller-3.22.3/debian/patches/series file-roller-3.22.3/debian/patches/series --- file-roller-3.22.3/debian/patches/series 2019-09-22 15:07:45.000000000 +0200 +++ file-roller-3.22.3/debian/patches/series 2020-07-09 09:31:28.000000000 +0200 @@ -1,3 +1,5 @@ 01_package_names.patch wayland_workaround.patch Path-traversal-vulnerability.patch + +02_CVE-2020-11736.patch