dulwich: CVE-2014-9706: does not prevent to write files in commits with invalid paths to working tree

Related Vulnerabilities: CVE-2014-9706, CVE-2014-9390, CVE-2015-0838

Debian Bug report logs - #780989

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 22 Mar 2015 20:57:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 781001

Found in versions dulwich/0.8.5-1, dulwich/0.9.8-1, dulwich/0.9.7-1

Fixed in versions dulwich/0.10.1-1, dulwich/0.9.7-3, dulwich/0.8.5-2+deb7u2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jelmer Vernooij <jelmer@debian.org>:
Bug#780989; Package src:dulwich. (Sun, 22 Mar 2015 20:57:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jelmer Vernooij <jelmer@debian.org>. (Sun, 22 Mar 2015 20:57:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dulwich: CVE-2014-9390: does not prevent to write files in commits with invalid paths to working tree
Date: Sun, 22 Mar 2015 21:53:16 +0100
Source: dulwich
Version: 0.9.8-1
Severity: grave
Tags: security upstream fixed-upstream

Hi Jelmer,

the following vulnerability got a separate CVE assigned after asking
for it on oss-security. I choose grave as severity as it allows
arbitrary code execution, if one clones from a remote git repo and
subsequently commits via dulwich. Please let me know if you don't
agree.

CVE-2014-9706[0]:
does not prevent to write files in commits with invalid paths to working tree

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9706

Please adjust the affected versions in the BTS as needed (I guess the
issue is also present in 0.8.5, but have not yet checked this).

Regards,
Salvatore
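
The changelog entries later in this log describe the fix as not writing to files under .git/ when checking out working trees. The sketch below is an added example, not part of the original report and not dulwich's own code: it validates tree paths before anything is written. The function names, the sample paths and the case-insensitive comparison are assumptions made for illustration.

```python
import os

# Components that must never be created in a working tree. Compared in
# lower case (an assumption of this example) so that spellings such as
# ".GIT" are also refused on case-insensitive filesystems.
FORBIDDEN_COMPONENTS = {b"", b".", b"..", b".git"}


def validate_tree_path(path: bytes):
    """Check a '/'-separated path as stored in a git tree or index.

    Returns (ok, reason); reason is "" when the path is acceptable.
    """
    if path.startswith(b"/"):
        return False, "absolute path"
    for component in path.split(b"/"):
        if component.lower() in FORBIDDEN_COMPONENTS:
            return False, "forbidden component %r" % component
    return True, ""


def plan_checkout(root: str, tree_paths):
    """Split tree paths into (targets, rejected) without touching the disk.

    targets maps each accepted tree path to its absolute destination;
    rejected is a list of (path, reason) pairs in input order.
    """
    root_abs = os.path.abspath(root)
    control_dir = os.path.join(root_abs, ".git")
    targets, rejected = {}, []
    for path in tree_paths:
        ok, reason = validate_tree_path(path)
        if ok:
            target = os.path.abspath(os.path.join(root_abs, os.fsdecode(path)))
            # Defence in depth: the destination must stay inside the work
            # tree and outside the repository control directory.
            if os.path.commonpath([root_abs, target]) != root_abs:
                ok, reason = False, "escapes work tree"
            elif os.path.commonpath([control_dir, target]) == control_dir:
                ok, reason = False, "inside control directory"
        if ok:
            targets[path] = target
        else:
            rejected.append((path, reason))
    return targets, rejected


# Constructed sample: paths as they could appear in a fetched tree.
SAMPLE_TREE_PATHS = [
    b"README.md",
    b"src/main.py",
    b".gitignore",
    b".git/description",
    b".GIT/description",
    b"docs/../../outside.txt",
    b"vendor/lib/.git/description",
    b"/etc/motd",
]

if __name__ == "__main__":
    accepted, refused = plan_checkout("/tmp/worktree", SAMPLE_TREE_PATHS)
    for tree_path, target in accepted.items():
        print("write ", tree_path, "->", target)
    for tree_path, why in refused:
        print("refuse", tree_path, "(%s)" % why)
```
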



Marked as found in versions dulwich/0.9.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 22 Mar 2015 21:00:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Jelmer Vernooij <jelmer@debian.org>:
Bug#780989; Package src:dulwich. (Sun, 22 Mar 2015 21:03:05 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jelmer Vernooij <jelmer@debian.org>. (Sun, 22 Mar 2015 21:03:05 GMT)

Message #12 received at 780989@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 780989@bugs.debian.org
Subject: Re: Bug#780989: dulwich: CVE-2014-9390: does not prevent to write files in commits with invalid paths to working tree
Date: Sun, 22 Mar 2015 22:00:25 +0100
Control: retitle -1 dulwich: CVE-2014-9706: does not prevent to write files in commits with invalid paths to working tree

Correcting subject for the bug, it is CVE-2014-9706.

Regards,
Salvatore



Changed Bug title to 'dulwich: CVE-2014-9706: does not prevent to write files in commits with invalid paths to working tree' from 'dulwich: CVE-2014-9390: does not prevent to write files in commits with invalid paths to working tree' Request was from Salvatore Bonaccorso <carnil@debian.org> to 780989-submit@bugs.debian.org. (Sun, 22 Mar 2015 21:03:05 GMT)

Merged 780989 781001 Request was from Jelmer Vernooij <jelmer@debian.org> to control@bugs.debian.org. (Wed, 25 Mar 2015 00:06:15 GMT)

Reply sent to Jelmer Vernooij <jelmer@debian.org>:
You have taken responsibility. (Thu, 26 Mar 2015 12:21:09 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 26 Mar 2015 12:21:09 GMT)

Message #21 received at 780989-close@bugs.debian.org:

From: Jelmer Vernooij <jelmer@debian.org>
To: 780989-close@bugs.debian.org
Subject: Bug#780989: fixed in dulwich 0.10.1-1
Date: Thu, 26 Mar 2015 12:18:45 +0000
Source: dulwich
Source-Version: 0.10.1-1

We believe that the bug you reported is fixed in the latest version of
dulwich, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jelmer Vernooij <jelmer@debian.org> (supplier of updated dulwich package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 07 Feb 2015 17:44:28 +0100
Source: dulwich
Binary: python-dulwich python-dulwich-dbg pypy-dulwich
Architecture: source amd64
Version: 0.10.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Jelmer Vernooij <jelmer@debian.org>
Description:
 pypy-dulwich - Python Git library - pypy module
 python-dulwich - Python Git library
 python-dulwich-dbg - Python Git library - Debug Extension
Closes: 780958 780989
Changes:
 dulwich (0.10.1-1) unstable; urgency=medium
 .
   * New upstream release.
    + Drop 02_unpure_pypy: applied upstream.
    + Fixes CVE-2015-0838: buffer overflow in C implementation of pack
      apply_delta(). Closes: #780958
    + Fixes CVE-2014-9706: does not prevent to write files in commits with
      invalid paths to working tree. Closes: #780989
   * Update Vcs-Git, Vcs-Browser and Maintainer fields to reflect the
     dulwich package is now maintained by the Debian Python Modules
     packaging team.




Reply sent to Jelmer Vernooij <jelmer@debian.org>:
You have taken responsibility. (Thu, 26 Mar 2015 12:21:11 GMT)

Notification sent to Samuel Bronson <naesten@gmail.com>:
Bug acknowledged by developer. (Thu, 26 Mar 2015 12:21:11 GMT)

Reply sent to Jelmer Vernooij <jelmer@debian.org>:
You have taken responsibility. (Thu, 26 Mar 2015 21:21:26 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 26 Mar 2015 21:21:26 GMT)

Message #30 received at 780989-close@bugs.debian.org:

From: Jelmer Vernooij <jelmer@debian.org>
To: 780989-close@bugs.debian.org
Subject: Bug#780989: fixed in dulwich 0.9.7-3
Date: Thu, 26 Mar 2015 21:19:24 +0000
Source: dulwich
Source-Version: 0.9.7-3

We believe that the bug you reported is fixed in the latest version of
dulwich, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jelmer Vernooij <jelmer@debian.org> (supplier of updated dulwich package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Mar 2015 22:34:34 +0000
Source: dulwich
Binary: python-dulwich python-dulwich-dbg
Architecture: source amd64
Version: 0.9.7-3
Distribution: jessie
Urgency: medium
Maintainer: Jelmer Vernooij <jelmer@debian.org>
Changed-By: Jelmer Vernooij <jelmer@debian.org>
Description:
 python-dulwich - Python Git library
 python-dulwich-dbg - Python Git library - Debug Extension
Closes: 780958 780989
Changes:
 dulwich (0.9.7-3) testing-proposed-updates; urgency=medium
 .
   * Add 02_cve_2015-0838: Fix buffer overflow in C implementation of
     apply_delta (CVE-2015-0838). Closes: #780958
   * Add 03_cve_2014-9706: Don't allow writing to files under .git/ when
     checking out working trees (CVE-2014-9706). Closes: #780989




Reply sent to Jelmer Vernooij <jelmer@debian.org>:
You have taken responsibility. (Thu, 26 Mar 2015 21:21:27 GMT)

Notification sent to Samuel Bronson <naesten@gmail.com>:
Bug acknowledged by developer. (Thu, 26 Mar 2015 21:21:27 GMT)

Marked as found in versions dulwich/0.8.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Mar 2015 18:09:08 GMT)

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 29 Mar 2015 15:51:27 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 29 Mar 2015 15:51:27 GMT)

Message #41 received at 780989-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 780989-close@bugs.debian.org
Subject: Bug#780989: fixed in dulwich 0.8.5-2+deb7u2
Date: Sun, 29 Mar 2015 15:47:10 +0000
Source: dulwich
Source-Version: 0.8.5-2+deb7u2

We believe that the bug you reported is fixed in the latest version of
dulwich, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780989@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated dulwich package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 27 Mar 2015 13:18:17 +0100
Source: dulwich
Binary: python-dulwich python-dulwich-dbg
Architecture: source amd64
Version: 0.8.5-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Jelmer Vernooij <jelmer@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 python-dulwich - Python Git library
 python-dulwich-dbg - Python Git library - Debug Extension
Closes: 780989
Changes: 
 dulwich (0.8.5-2+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 03_CVE-2014-9706 patch.
     CVE-2014-9706: Don't allow writing to files under .git/ when checking
     out working trees. (Closes: #780989)




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 29 Mar 2015 15:51:28 GMT)

Notification sent to Samuel Bronson <naesten@gmail.com>:
Bug acknowledged by developer. (Sun, 29 Mar 2015 15:51:28 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780989; Package src:dulwich. (Fri, 10 Apr 2015 21:27:08 GMT)

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 10 Apr 2015 21:27:08 GMT)

Message #50 received at 780989@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Jelmer Vernooij <jelmer@debian.org>
Cc: debian-lts@lists.debian.org, 780958@bugs.debian.org, 780989@bugs.debian.org
Subject: squeeze update of dulwich?
Date: Fri, 10 Apr 2015 23:24:51 +0200

Hello Jelmer,

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of dulwich:
https://security-tracker.debian.org/tracker/CVE-2014-9706
https://security-tracker.debian.org/tracker/CVE-2015-0838
(CVE-2014-9390 is also open but it's lower priority and can be ignored)

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#780989; Package src:dulwich. (Sat, 11 Apr 2015 14:15:08 GMT)

Acknowledgement sent to Jelmer Vernooij <jelmer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 11 Apr 2015 14:15:08 GMT)

Message #55 received at 780989@bugs.debian.org:

From: Jelmer Vernooij <jelmer@debian.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: debian-lts@lists.debian.org, 780958@bugs.debian.org, 780989@bugs.debian.org
Subject: Re: squeeze update of dulwich?
Date: Sat, 11 Apr 2015 14:10:15 +0000

Hi Raphael,

I'd prefer if somebody from the lts team could look at this. If you
prefer, I'm happy to review a debdiff but feel free to upload without
my review. Dulwich has an extensive testsuite, and the fixes for these
bugs include tests to verify they are fixed.

Thanks for your work on Debian LTS! 

Cheers,

Jelmer

On Fri, Apr 10, 2015 at 11:24:51PM +0200, Raphael Hertzog wrote:
> Hello Jelmer,
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of dulwich:
> https://security-tracker.debian.org/tracker/CVE-2014-9706
> https://security-tracker.debian.org/tracker/CVE-2015-0838
> (CVE-2014-9390 is also open but it's lower priority and can be ignored)
> 
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.
> 
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with a URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> Thank you very much.
> 
> Raphaël Hertzog,
>   on behalf of the Debian LTS team.
> 
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
> -- 
> Raphaël Hertzog ◈ Debian Developer
> 
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/

-- 
Jelmer Vernooij <jelmer@debian.org>
Debian Developer                           https://jelmer.uk/

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2015 07:25:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:24:14 2019; Machine Name: buxtehude
