patch: CVE-2015-1396: another directory traversal via symlinks

Debian Bug report logs - #775901
patch: CVE-2015-1396: another directory traversal via symlinks

Toggle useless messages

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: patch: another directory traversal via symlinks

Date: Wed, 21 Jan 2015 11:39:30 +0100

[Message part 1 (text/plain, inline)]

Package: patch
Version: 2.7.1-7
Tags: security

Unfortunately the fix for CVE-2015-1196 (bug #775227) is not complete. 
It is still possible to abuse symlinks for directory traversal:

$ ls /tmp/moo
/bin/ls: cannot access /tmp/moo: No such file or directory

$ mkdir empty && cd empty

$ patch -p1 < ~/traversal3.diff
patching symbolic link tmp
patching symbolic link cwd
patching file tmp/moo

$ ls -l
total 4
lrwxrwxrwx 1 jwilk users   1 Jan 21 11:34 cwd -> .
lrwxrwxrwx 1 jwilk users 262 Jan 21 11:34 tmp -> cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/cwd/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp

$ ls /tmp/moo
/tmp/moo


-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages patch depends on:
ii  libc6  2.19-13

-- 
Jakub Wilk

[traversal3.diff (text/x-diff, attachment)]

Message #8 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: 775901@bugs.debian.org

Date: Wed, 21 Jan 2015 15:34:07 +0100

Before git-style patches, patch could assume that symlinks in the
working directory are safe to traverse; it only needed to ensure that
pathnames of files it creates weren't absolute and didn't contain '..'
pathname components.

Patch now creates symlinks. Forbidding absolute symlinks and '.' and
'..' pathname components in symlinks entirely seems too much of a
restriction to me; on the other hand, I don't see how to make things
safe again by just checking where new symlinks point.

It might be necessary to use openat() for resolving pathname
components without traversing symlinks; that's very ugly, though.

Any other ideas?

Message #13 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: 775901@bugs.debian.org

Date: Thu, 22 Jan 2015 22:00:03 +0100

I've pushed code to forbid symlinks with ".." components. That's the
best we can do for now I believe. Implementing path traversal in user
space, making sure it is used everywhere, and making it reasonably
fast and portable seems too much in short term.

Message #18 received at 775901-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>

To: 775901-close@bugs.debian.org

Subject: Bug#775901: fixed in patch 2.7.3-1

Date: Sat, 24 Jan 2015 17:18:23 +0000

Source: patch
Source-Version: 2.7.3-1

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775901@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 23 Jan 2015 20:27:32 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.3-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 patch      - Apply a diff file to an original
Closes: 775873 775901
Changes:
 patch (2.7.3-1) unstable; urgency=high
 .
   * New upstream release with security fixes:
     - fix all cases of CVE-2015-1196 (closes: #775873, #775901),
     - fix infinite loop while applying patch, CVE-2014-9637.
   * Remove outdated disable-update-version and add_manpage_time.patch
     Debian patches.
   * Add homepage field.
   * Add watch file.
Checksums-Sha1:
 4f268078a1fbca817718bdbdc55800dc248010c2 1795 patch_2.7.3-1.dsc
 4191a36e4733935912280650b32644d9c786dfa1 684764 patch_2.7.3.orig.tar.xz
 f55e05a44ce413bad4ec4024b1535642a32bb49e 8008 patch_2.7.3-1.debian.tar.xz
 ea9a4bac964c7597778c622a8180ead0dd14c8a3 100886 patch_2.7.3-1_amd64.deb
Checksums-Sha256:
 1995faba243dd94983feaed23d5426cbdafdeea062716d6e16d3f2293c8cecb3 1795 patch_2.7.3-1.dsc
 d09022de9d629561bf4dad44625ef4b1ead15178b210412113531730cdb6f19d 684764 patch_2.7.3.orig.tar.xz
 ec7b8b549a0ae8a00edd4655715100e22d85c3f3babc7c83ee0008cc23093632 8008 patch_2.7.3-1.debian.tar.xz
 3af466c57953e6a653d703e3f665d8e02f2a4ef862c70f8cac2033aed4dc7096 100886 patch_2.7.3-1_amd64.deb
Files:
 4911f5407afb72e201faa3ec9a8191f8 1795 vcs standard patch_2.7.3-1.dsc
 29b87be845e4662ab0ca0d48a805ecc6 684764 vcs standard patch_2.7.3.orig.tar.xz
 ce27aa99309c2c801fd6f9bcc951aa2c 8008 vcs standard patch_2.7.3-1.debian.tar.xz
 c6ce0a0e9a7793382f674a640cac50e7 100886 vcs standard patch_2.7.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUw8gPAAoJENzjEOeGTMi/zlMQAI4/qvk+rLMAlScuQLzerLL7
RGDqAH3I0bVuucHkHhVKIsHGm2AeME4NdE+HZnThrgEL94Opz3fKY8j3arPWgFkR
GQJP4jEo76LLLFfwzB5TVefqN/BviRiG4dYzCTMC5p+ojs75z7z9UX3V3+Ki2Gcr
NxXZ//i4NzaLFGXA8+djvQ2iWBgjx95K00ujxTmCyYVbdRbsQ3t5vFsuETavkzNW
DZw8qJ3rQWhye602Z5jF0Q12YEnbLLY80iOPG26i0zXU0+lNTTw6APuQAsSn+BvN
dlfzl2j9xXdOjTza9LvBhsLGNtSvQev+R8ORGYEmPINwGq/2vF2TucGWmYllS/Wl
0LOgyfXtFm9k5+dZ9jUJM9TUeQRTn6er/7aECu62CjoXIQNspV/1XP66RsH4m4Z4
f0/Z6JL+yGFHJkB8NK7mKZVLW36L8x8vhhmbx+fIE5/NSH/DWfTuUrR22VKIY3B5
o46UUYvde/dxwVK2auIs4KPIUn/YK090NU2TnVv/M2uJgGbbs3phDwCqJukJC1s9
QCeCsQ77Ctn6IHN0a7D1CbQrmYovqdEeDvNYZE7bp1Ty+JxzPl99dpbuTr1kBbYX
p/dmg4V43q2o5FZYSb7j6RnalgA14JuzUaSS/URjphJFiWLDbuba3mXmOxXJ3oHg
tEKZF2rKwjYrdkBBUDxG
=kUjt
-----END PGP SIGNATURE-----

Message #25 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Mon, 2 Feb 2015 14:39:26 +0100

It turned out that not allowing arbitrary symlinks causes many
git-style kernel patches to fail:
  https://lkml.org/lkml/2015/1/26/522

Therefore, patch has been changed to resove paths in user space now;
patch-2.7.4 should behave "properly" again.

Message #30 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>, 775901@bugs.debian.org

Cc: 773591@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Mon, 2 Feb 2015 15:00:18 +0100

On Mon, Feb 2, 2015 at 2:39 PM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> It turned out that not allowing arbitrary symlinks causes many
> git-style kernel patches to fail:
>   https://lkml.org/lkml/2015/1/26/522
>
> Therefore, patch has been changed to resove paths in user space now;
> patch-2.7.4 should behave "properly" again.
 Yes, this is fixed in Debian now. I should check Debian #773591 [1].
On the other hand, upstream #44149 [2] will be fixed later, right? I
think the best would be to disable that test on non-Linux platforms
for now.

Thanks,
Laszlo/GCS
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773591
[2] http://savannah.gnu.org/bugs/?44149

Message #35 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Mon, 2 Feb 2015 15:36:32 +0100

2015-02-02 15:00 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
> On the other hand, upstream #44149 [2] will be fixed later, right? I
> think the best would be to disable that test on non-Linux platforms
> for now.

Well, it's a bug the test suite triggers that needs to be fixed. I'm not very
excited about the idea of disabling tests because they trigger bugs.

Message #40 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Mon, 2 Feb 2015 15:47:04 +0100

On Mon, Feb 2, 2015 at 3:36 PM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> 2015-02-02 15:00 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
>> On the other hand, upstream #44149 [2] will be fixed later, right? I
>> think the best would be to disable that test on non-Linux platforms
>> for now.
>
> Well, it's a bug the test suite triggers that needs to be fixed. I'm not very
> excited about the idea of disabling tests because they trigger bugs.
 I meant only that specific one and only on non-Linux architectures.
You know, until it doesn't build on all supported architectures, it
can't migrate to the soon-to-be-released version, Jessie. That means
it remains vulnerable to the the several problems you've fixed
otherwise. Is there any priority to fix the self-test bug? I can wait
for it then.

Regards,
Laszlo/GCS

Message #45 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Mon, 2 Feb 2015 15:52:06 +0100

This depends on try_tempname going into gnulib first which is pending;
after that, fixing the failure should be very easy.

Message #50 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Wed, 4 Feb 2015 11:10:50 +0100

"make check" should pass in the latest snapshot:

  ftp://alpha.gnu.org/gnu/patch/patch-2.7.4.6-7297.tar.gz

Could you give it a try?

Thanks,
Andreas

Message #55 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Thu, 5 Feb 2015 10:01:53 +0100

On Wed, Feb 4, 2015 at 11:10 AM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> "make check" should pass in the latest snapshot:
[...]
> Could you give it a try?
 Made my mistake. As I've to follow upstream development, I've tried
to build it from the Git tree. That fails, possibly due to gnulib
changes are not merged in (missing tempname() function). Will try the
snapshot this afternoon.
Any plans to merge gnulib changes into your Git repository?

Laszlo/GCS

Message #60 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Thu, 5 Feb 2015 10:57:57 +0100

2015-02-05 10:01 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
> On Wed, Feb 4, 2015 at 11:10 AM, Andreas Grünbacher
> <andreas.gruenbacher@gmail.com> wrote:
>> "make check" should pass in the latest snapshot:
> [...]
>> Could you give it a try?
>  Made my mistake. As I've to follow upstream development, I've tried
> to build it from the Git tree. That fails, possibly due to gnulib
> changes are not merged in (missing tempname() function).
> Will try the snapshot this afternoon.
> Any plans to merge gnulib changes into your Git repository?

The repositories are fine, you just need to fetch the gnulib changes.
Try running './bootstrap'.

Thanks,
Andreas

Message #65 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Fri, 6 Feb 2015 10:33:03 +0100

On Thu, Feb 5, 2015 at 10:57 AM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> 2015-02-05 10:01 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
>> Any plans to merge gnulib changes into your Git repository?
>
> The repositories are fine, you just need to fetch the gnulib changes.
> Try running './bootstrap'.
 I've applied three of your commits over 2.7.4 and these are:
- tempname: new try_tempname function (for gnulib)
- switch from gen_tempname() to try_tempname()
- test suite portability fixes
Then got a machine and installed kFreeBSD/x86 on it. Now patch
compiles on my Linux box, but not on the mentioned kFreeBSD one due to
failing symlink test. Will try your snapshot finally, I may missed
something important over the three patches above.

Sorry that it takes so long,
Laszlo/GCS

Message #70 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Tue, 10 Feb 2015 09:05:39 +0100

On Wed, Feb 4, 2015 at 11:10 AM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> "make check" should pass in the latest snapshot:
>
>   ftp://alpha.gnu.org/gnu/patch/patch-2.7.4.6-7297.tar.gz
>
> Could you give it a try?
 Still fails on kFreeBSD.

Laszlo/GCS

Message #75 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Tue, 10 Feb 2015 09:31:00 +0100

[Message part 1 (text/plain, inline)]

2015-02-10 9:05 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
>  Still fails on kFreeBSD.

Then I will need a little help, please: can you debug what happens
when patch tries to traverse_path() "dir/foo/bar"? It should try to
openat() subdirectory "foo" in "dir", the openat() should fail with
errno == ELOOP, and patch should terminate. But maybe FreeBSD returns
some other errno like ENOTDIR.

Maybe it's as simple as the attached patch.

Thanks,
Andreas

[enotdir.diff (text/plain, attachment)]

Message #80 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Tue, 10 Feb 2015 19:28:32 +0100

[Message part 1 (text/plain, inline)]

On Tue, Feb 10, 2015 at 9:31 AM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> 2015-02-10 9:05 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
>>  Still fails on kFreeBSD.
>
> Then I will need a little help, please: can you debug what happens
> when patch tries to traverse_path() "dir/foo/bar"? It should try to
> openat() subdirectory "foo" in "dir", the openat() should fail with
> errno == ELOOP, and patch should terminate. But maybe FreeBSD returns
> some other errno like ENOTDIR.
 I attach the symlink test output with 2.7.6.4 and the syscall log
when I've tried _only_ the failing test from CLI. Run on kFreeBSD/x86,
but if I can install the x64 variant as well for you.

> Maybe it's as simple as the attached patch.
 I didn't apply this, hopefully you'll get enough information anyway.

Hope this helps. Regards,
Laszlo/GCS

[symlinks.log (text/x-log, attachment)]

[patch_symlink_run.log (text/x-log, attachment)]

Message #85 received at 775901@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

To: László Böszörményi (GCS) <gcs@debian.org>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Tue, 10 Feb 2015 22:50:44 +0100

2015-02-10 19:28 GMT+01:00 László Böszörményi (GCS) <gcs@debian.org>:
>> Then I will need a little help, please: can you debug what happens
>> when patch tries to traverse_path() "dir/foo/bar"? It should try to
>> openat() subdirectory "foo" in "dir", the openat() should fail with
>> errno == ELOOP, and patch should terminate. But maybe FreeBSD returns
>> some other errno like ENOTDIR.

Ah, there we have it:

Portability problems not fixed by Gnulib:
@itemize
@item
@code{openat (fd, "symlink", O_NOFOLLOW ...)} fails with @code{errno}
set to @code{EMLINK} instead of the POSIX-required @code{ELOOP} on
some platforms:
FreeBSD 10.1.
@item
@code{openat (fd, "symlink", O_NOFOLLOW ...)} fails with @code{errno}
set to @code{EFTYPE} instead of the POSIX-required @code{ELOOP} on
some platforms:
NetBSD 6.1.
@end itemize

I've committed a fix and made another snapshot; could you please retry?

  ftp://alpha.gnu.org/gnu/patch/patch-2.7.4.7-8d12.tar.gz

Thanks,
Andreas

Message #90 received at 775901@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>

To: Andreas Grünbacher <andreas.gruenbacher@gmail.com>

Cc: 775901@bugs.debian.org

Subject: Re: Bug#775901: fixed in patch 2.7.3-1

Date: Tue, 10 Feb 2015 23:19:20 +0100

On Tue, Feb 10, 2015 at 10:50 PM, Andreas Grünbacher
<andreas.gruenbacher@gmail.com> wrote:
> Ah, there we have it:
>
> Portability problems not fixed by Gnulib:
> @itemize
> @item
> @code{openat (fd, "symlink", O_NOFOLLOW ...)} fails with @code{errno}
> set to @code{EMLINK} instead of the POSIX-required @code{ELOOP} on
> some platforms:
> FreeBSD 10.1.
> @item
> @code{openat (fd, "symlink", O_NOFOLLOW ...)} fails with @code{errno}
> set to @code{EFTYPE} instead of the POSIX-required @code{ELOOP} on
> some platforms:
> NetBSD 6.1.
> @end itemize
>
> I've committed a fix and made another snapshot; could you please retry?
>
>   ftp://alpha.gnu.org/gnu/patch/patch-2.7.4.7-8d12.tar.gz
 Yup, this time it built fine on Linux/amd_64 and on kFreeBSD/i386 as
well. Thanks for your time!
This summer I'm going to visit Germany. Is there any kind of wine you like?

Kind regards,
Laszlo/GCS

Send a report that this bug log contains spam.