uscan: broken handling of filenames with whitespace (CVE-2013-7085)

Related Vulnerabilities: CVE-2013-7085, CVE-2013-6888

Debian Bug report logs - #732006


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Thu, 12 Dec 2013 10:21:02 UTC

Severity: grave

Tags: patch, security

Found in version devscripts/2.13.5

Fixed in version devscripts/2.13.9

Done: James McCoy <jamessan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#732006; Package devscripts. (Thu, 12 Dec 2013 10:21:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: uscan: broken handling of filenames with whitespace
Date: Thu, 12 Dec 2013 11:16:28 +0100
Package: devscripts
Version: 2.13.5
Severity: grave
Tags: security
Justification: user security hole

If USCAN_EXCLUSION is enabled, uscan doesn't correctly handle filenames 
containing whitespace. This can be abused by a malicious upstream to 
delete files of their choice. Proof of concept (that will cause an attempt 
to delete /usr) is attached.

-- 
Jakub Wilk
[foo-42.tar.gz (application/octet-stream, attachment)]
[copyright (text/plain, attachment)]

Changed Bug title to 'uscan: broken handling of filenames with whitespace (CVE-2013-7085)' from 'uscan: broken handling of filenames with whitespace' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Dec 2013 05:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#732006; Package devscripts. (Sun, 22 Dec 2013 00:36:10 GMT)


Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Sun, 22 Dec 2013 00:36:10 GMT)


Message #10 received at 732006@bugs.debian.org:

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: 732006@bugs.debian.org
Subject: uscan: broken handling of filenames with whitespace
Date: Sun, 22 Dec 2013 01:17:01 +0100
Control: tags -1 + patch

I've pushed a proposed fix for this security issue to the packaging
repo git://anonscm.debian.org/collab-maint/devscripts.git as the
branch CVE-2013-7085-ruin-someones-yuletide

One commit, see
http://anonscm.debian.org/gitweb/?p=collab-maint/devscripts.git;a=commit;h=f3b48a97d10fce5bb368b3af195b3c1cdb09e4b2

It's kind of a large commit for a small issue. Mostly because the
"wrap shell commands in backticks, and hope for the best" approach is
open for multiple potential issues, and I would like to remove them
all.

The change also fixes a second bug, where one could not exclude a
non-empty top level directory, but had to use "somedirectory/*".

-- 
Stig Sandbeck Mathisen



Added tag(s) patch. Request was from Stig Sandbeck Mathisen <ssm@debian.org> to 732006-submit@bugs.debian.org. (Sun, 22 Dec 2013 00:36:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#732006; Package devscripts. (Sun, 22 Dec 2013 02:51:05 GMT)


Acknowledgement sent to James McCoy <jamessan@debian.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Sun, 22 Dec 2013 02:51:05 GMT)


Message #17 received at 732006@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: Stig Sandbeck Mathisen <ssm@debian.org>, 732006@bugs.debian.org
Subject: Re: Bug#732006: uscan: broken handling of filenames with whitespace
Date: Sat, 21 Dec 2013 21:49:15 -0500
Control: tag -1 pending

On Sun, Dec 22, 2013 at 01:17:01AM +0100, Stig Sandbeck Mathisen wrote:
> I've pushed a proposed fix for this security issue to the packaging
> repo git://anonscm.debian.org/collab-maint/devscripts.git as the
> branch CVE-2013-7085-ruin-someones-yuletide

Thanks for the patch.  We've addressed this by other means and are just
pending some final review before uploading.

> The change also fixes a second bug, where one could not exclude a
> non-empty top level directory, but had to use "somedirectory/*".

Thanks for noticing that.  I've made a change for this as well.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>

Added tag(s) pending. Request was from James McCoy <jamessan@debian.org> to 732006-submit@bugs.debian.org. (Sun, 22 Dec 2013 02:51:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>:
Bug#732006; Package devscripts. (Sun, 22 Dec 2013 10:09:05 GMT)


Acknowledgement sent to Stig Sandbeck Mathisen <ssm@debian.org>:
Extra info received and forwarded to list. Copy sent to Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>. (Sun, 22 Dec 2013 10:09:05 GMT)


Message #24 received at 732006@bugs.debian.org:

From: Stig Sandbeck Mathisen <ssm@debian.org>
To: James McCoy <jamessan@debian.org>
Cc: 732006@bugs.debian.org
Subject: Re: Bug#732006: uscan: broken handling of filenames with whitespace
Date: Sun, 22 Dec 2013 11:07:12 +0100
On Sat, Dec 21, 2013 at 09:49:15PM -0500, James McCoy wrote:
> Thanks for the patch.  We've addressed this by other means and are
> just pending some final review before uploading.

Ok, I've removed the pushed topic branch again.

> Thanks for noticing that.  I've made a change for this as well.

Thanks. :)

-- 
Stig



Message sent on to Jakub Wilk <jwilk@debian.org>:
Bug#732006. (Mon, 23 Dec 2013 20:51:17 GMT)


Message #27 received at 732006-submitter@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 732006-submitter@bugs.debian.org
Subject: Bug#732006 marked as pending
Date: Mon, 23 Dec 2013 20:46:22 +0000
tag 732006 pending
thanks

Hello,

Bug #732006 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/devscripts.git;a=commitdiff;h=2810d99

---
commit 2810d99b1aaa6445bc2ea6f3f8a33045780daa6b
Author: James McCoy <jamessan@debian.org>
Date:   Mon Dec 16 23:39:46 2013 -0500

    Document uscan security fixes, CVE-2013-6888 and CVE-2013-7085
    
    Signed-off-by: James McCoy <jamessan@debian.org>

diff --git a/debian/changelog b/debian/changelog
index 118938b..d5805a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,16 @@
 devscripts (2.13.9) UNRELEASED; urgency=low
 
+  [ Martin Pitt ]
   * autopkgtest: Add "allow-stderr" restriction to avoid failing tests because
     of the HTTP server log on stderr.
 
+  [ James McCoy ]
+  * uscan:
+    + Repack the tarball and verify it is a compressed archive without
+      allowing arbitrary code execution.  Fixes CVE-2013-6888.
+    + Use find's -exec to call rm directly instead of piping to xargs.
+      (Closes: #732006, CVE-2013-7085)
+
  -- Martin Pitt <mpitt@debian.org>  Thu, 12 Dec 2013 11:08:27 +0100
 
 devscripts (2.13.8) unstable; urgency=medium
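Review bot: the new entry for #732006 in this hunk records only "Use find's -exec to call rm directly instead of piping to xargs", but Message #17 in this log says a change was also made for the second bug Stig reported (exclusions of a non-empty top-level directory requiring "somedirectory/*"), and the 2.13.9 upload later in this log lists that item plus the tar hardening. Since this commit is the one documenting the uscan security fixes, add those items under "* uscan:" here so debian/changelog matches what is shipped; note also that the hunk touches debian/changelog only, so the -exec change itself (which must pass each matched path to rm as a single argument) cannot be reviewed from this diff.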



Reply sent to James McCoy <jamessan@debian.org>:
You have taken responsibility. (Mon, 23 Dec 2013 21:21:08 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 23 Dec 2013 21:21:08 GMT)


Message #32 received at 732006-close@bugs.debian.org:

From: James McCoy <jamessan@debian.org>
To: 732006-close@bugs.debian.org
Subject: Bug#732006: fixed in devscripts 2.13.9
Date: Mon, 23 Dec 2013 21:19:17 +0000
Source: devscripts
Source-Version: 2.13.9

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 732006@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <jamessan@debian.org> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 23 Dec 2013 15:28:45 -0500
Source: devscripts
Binary: devscripts
Architecture: source amd64
Version: 2.13.9
Distribution: unstable
Urgency: low
Maintainer: Devscripts Devel Team <devscripts-devel@lists.alioth.debian.org>
Changed-By: James McCoy <jamessan@debian.org>
Description: 
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 732006 732807
Changes: 
 devscripts (2.13.9) unstable; urgency=low
 .
   [ Martin Pitt ]
   * autopkgtest: Add "allow-stderr" restriction to avoid failing tests because
     of the HTTP server log on stderr.
 .
   [ James McCoy ]
   * uscan:
     + Repack the tarball and verify it is a compressed archive without
       allowing arbitrary code execution.  Fixes CVE-2013-6888.
     + Use find's -exec to call rm directly instead of piping to xargs.
       (Closes: #732006, CVE-2013-7085)
     + Follow tar's recommended security practices
       - Use --keep-old-files --no-overwrite-dir
       - Ensure parent directory of directory used for repacking archive isn't
         accessible to other users.
     + Fix handling of 'dirname' exclusions, so 'dirname/*' isn't required.
 .
   [ Salvatore Bonaccorso ]
   * uscan: Fix unitialized value warning when copyright is not in
     copyright-format 1.0.  (Closes: #732807)

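The defect Jakub describes in Message #3 and the find -exec fix named in the 2.13.9 changelog above can both be watched in a throwaway directory with the script below. It is an added example, not uscan's own code; the file names and the temporary directory are constructed for the demonstration and nothing outside that directory is touched.

```shell
#!/bin/sh
# Added demonstration (not uscan's code): the whitespace-splitting defect
# behind CVE-2013-7085 next to the fix the 2.13.9 changelog describes.
# All paths live in a constructed temporary directory with made-up names.

# Sandbox: one file the exclusion pattern is meant to delete, whose name
# contains a space, plus an innocent sibling whose name equals the second
# word of that file name.
make_sandbox() {
    dir=$(mktemp -d)
    printf 'to be excluded\n' > "$dir/junk decoy.txt"
    printf 'must survive\n'   > "$dir/decoy.txt"
    printf '%s\n' "$dir"
}

# Vulnerable pattern: find prints "./junk decoy.txt", xargs splits that on
# the blank, and rm ends up invoked as:  rm -f ./junk decoy.txt
# The intended file survives and the unrelated decoy.txt is deleted instead.
# Prints what is left in the sandbox, then discards the sandbox.
remove_via_xargs() {
    dir=$1
    (cd "$dir" && find . -name 'junk*' | xargs rm -f)
    ls "$dir"
    rm -rf "$dir"
}

# Fixed pattern (what the changelog entry describes): -exec hands each
# matched path to rm as one argument, so whitespace cannot split it.
# Equivalent GNU form:  find . -name 'junk*' -print0 | xargs -0 rm -f
remove_via_exec() {
    dir=$1
    (cd "$dir" && find . -name 'junk*' -exec rm -f -- {} +)
    ls "$dir"
    rm -rf "$dir"
}

echo "after xargs: $(remove_via_xargs "$(make_sandbox)")"   # junk decoy.txt
echo "after -exec: $(remove_via_exec "$(make_sandbox)")"    # decoy.txt
```

In uscan's case the second token came from a file name inside the upstream tarball, which is why the report's proof of concept could steer rm at a path of upstream's choosing.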




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Jan 2014 07:26:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:00 2019; Machine Name: buxtehude
