diff options
author | Sam James <sam@gentoo.org> | 2022-04-07 19:10:32 +0100 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2022-04-07 19:10:32 +0100 |
commit | f5e1e0856c8c0fd62343a53590e2f29266a85d54 (patch) | |
tree | dd7416def7cf8de638860e4e9d3fea36dcf8f517 | |
parent | app-arch/gzip: add 1.12 (diff) | |
download | gentoo-f5e1e0856c8c0fd62343a53590e2f29266a85d54.tar.gz gentoo-f5e1e0856c8c0fd62343a53590e2f29266a85d54.tar.bz2 gentoo-f5e1e0856c8c0fd62343a53590e2f29266a85d54.zip |
app-arch/xz-utils: patch xzgrep vulnerability (ZDI-CAN-16587)
Bug: https://bugs.gentoo.org/837155
Signed-off-by: Sam James <sam@gentoo.org>
-rw-r--r-- | app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch | 88 | ||||
-rw-r--r-- | app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild | 118 |
2 files changed, 206 insertions, 0 deletions
diff --git a/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch b/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch new file mode 100644 index 000000000000..7293a982c269 --- /dev/null +++ b/app-arch/xz-utils/files/xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch @@ -0,0 +1,88 @@ +https://bugs.gentoo.org/837155 +https://git.tukaani.org/?p=xz.git;a=commitdiff;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6;hp=bd93b776c1bd15e90661033c918cdeb354dbcc38 + +From: Lasse Collin <lasse.collin@tukaani.org> +Date: Tue, 29 Mar 2022 19:19:12 +0300 +Subject: [PATCH 1/1] xzgrep: Fix escaping of malicious filenames + (ZDI-CAN-16587). + +Malicious filenames can make xzgrep to write to arbitrary files +or (with a GNU sed extension) lead to arbitrary code execution. + +xzgrep from XZ Utils versions up to and including 5.2.5 are +affected. 5.3.1alpha and 5.3.2alpha are affected as well. +This patch works for all of them. + +This bug was inherited from gzip's zgrep. gzip 1.12 includes +a fix for zgrep. + +The issue with the old sed script is that with multiple newlines, +the N-command will read the second line of input, then the +s-commands will be skipped because it's not the end of the +file yet, then a new sed cycle starts and the pattern space +is printed and emptied. So only the last line or two get escaped. + +One way to fix this would be to read all lines into the pattern +space first. However, the included fix is even simpler: All lines +except the last line get a backslash appended at the end. To ensure +that shell command substitution doesn't eat a possible trailing +newline, a colon is appended to the filename before escaping. +The colon is later used to separate the filename from the grep +output so it is fine to add it here instead of a few lines later. + +The old code also wasn't POSIX compliant as it used \n in the +replacement section of the s-command. Using \<newline> is the +POSIX compatible method. + +LC_ALL=C was added to the two critical sed commands. POSIX sed +manual recommends it when using sed to manipulate pathnames +because in other locales invalid multibyte sequences might +cause issues with some sed implementations. In case of GNU sed, +these particular sed scripts wouldn't have such problems but some +other scripts could have, see: + + info '(sed)Locale Considerations' + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Thanks to Jim Meyering and Paul Eggert discussing the different +ways to fix this and for coordinating the patch release schedule +with gzip. +--- a/src/scripts/xzgrep.in ++++ b/src/scripts/xzgrep.in +@@ -180,22 +180,26 @@ for i; do + { test $# -eq 1 || test $no_filename -eq 1; }; then + eval "$grep" + else ++ # Append a colon so that the last character will never be a newline ++ # which would otherwise get lost in shell command substitution. ++ i="$i:" ++ ++ # Escape & \ | and newlines only if such characters are present ++ # (speed optimization). + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g +- ');; ++ i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; + esac +- sed_script="s|^|$i:|" ++ ++ # $i already ends with a colon so don't add it here. ++ sed_script="s|^|$i|" + + # Fail if grep or sed fails. + r=$( + exec 4>&1 +- (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- ++ (eval "$grep" 4>&-; echo $? >&4) 3>&- | ++ LC_ALL=C sed "$sed_script" >&3 4>&- + ) || r=2 + exit $r + fi >&3 5>&- diff --git a/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild b/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild new file mode 100644 index 000000000000..7edf1c42498f --- /dev/null +++ b/app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild @@ -0,0 +1,118 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# Remember: we cannot leverage autotools in this ebuild in order +# to avoid circular deps with autotools + +EAPI=7 + +inherit libtool multilib multilib-minimal preserve-libs usr-ldscript + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://git.tukaani.org/xz.git" + inherit git-r3 autotools + + # bug #272880 and bug #286068 + BDEPEND="sys-devel/gettext >=sys-devel/libtool-2" +else + VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/lassecollin.asc + inherit verify-sig + + MY_P="${PN/-utils}-${PV/_}" + SRC_URI="https://tukaani.org/xz/${MY_P}.tar.gz" + SRC_URI+=" verify-sig? ( https://tukaani.org/xz/${MY_P}.tar.gz.sig )" + + if [[ ${PV} != *_alpha* ]] && [[ ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" + fi + S="${WORKDIR}/${MY_P}" +fi + +DESCRIPTION="Utils for managing LZMA compressed files" +HOMEPAGE="https://tukaani.org/xz/" + +# See top-level COPYING file as it outlines the various pieces and their licenses. +LICENSE="public-domain LGPL-2.1+ GPL-2+" +SLOT="0" +IUSE="+extra-filters nls static-libs" + +RDEPEND="!<app-arch/lzma-4.63 + !<app-arch/p7zip-4.57 + !<app-i18n/man-pages-de-2.16" +DEPEND="${RDEPEND}" +BDEPEND="verify-sig? ( sec-keys/openpgp-keys-lassecollin )" + +# Tests currently do not account for smaller feature set +RESTRICT="!extra-filters? ( test )" + +PATCHES=( + "${FILESDIR}"/${P}-xzgrep-ZDI-CAN-16587.patch +) + +src_prepare() { + default + + if [[ ${PV} == 9999 ]] ; then + eautopoint + eautoreconf + else + # Allow building shared libs on Solaris/x64 + elibtoolize + fi +} + +multilib_src_configure() { + local myconf=( + --enable-threads + $(use_enable nls) + $(use_enable static-libs static) + ) + + if ! multilib_is_native_abi ; then + myconf+=( + --disable-{xz,xzdec,lzmadec,lzmainfo,lzma-links,scripts} + ) + fi + + if ! use extra-filters ; then + myconf+=( + # LZMA1 + LZMA2 for standard .lzma & .xz files + --enable-encoders=lzma1,lzma2 + --enable-decoders=lzma1,lzma2 + + # those are used by default, depending on preset + --enable-match-finders=hc3,hc4,bt4 + + # CRC64 is used by default, though some (old?) files use CRC32 + --enable-checks=crc32,crc64 + ) + fi + + if [[ ${CHOST} == *-solaris* ]] ; then + export gl_cv_posix_shell="${EPREFIX}"/bin/sh + + # Undo Solaris-based defaults pointing to /usr/xpg5/bin + myconf+=( --disable-path-for-script ) + fi + + ECONF_SOURCE="${S}" econf "${myconf[@]}" +} + +multilib_src_install() { + default + + gen_usr_ldscript -a lzma +} + +multilib_src_install_all() { + find "${ED}" -type f -name '*.la' -delete || die + rm "${ED}"/usr/share/doc/${PF}/COPYING* || die +} + +pkg_preinst() { + preserve_old_lib /usr/$(get_libdir)/liblzma$(get_libname 0) +} + +pkg_postinst() { + preserve_old_lib_notify /usr/$(get_libdir)/liblzma$(get_libname 0) +} |