Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole
Dear Maintainer,

5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where diffoscope may write to arbitrary locations on disk depending on the contents of an untrusted archive. For example, comparing the following two files:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=843811;filename=libBrokenLocale.a.0;msg=5
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=843811;filename=libBrokenLocale.a.1;msg=5

Traceback (most recent call last):
  File "/home/infinity0/xx/diffoscope/diffoscope/main.py", line 281, in main
    sys.exit(run_diffoscope(parsed_args))
  [..]
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 174, in extract
    self.ensure_unpacked()
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 219, in ensure_unpacked
    os.makedirs(os.path.dirname(dst), exist_ok=True)
  File "/usr/lib/python3.5/os.py", line 241, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/SYM64'

Note that this could easily have been something like /home/infinity0/.profile.

I have pushed a nearly-complete fix to git (after version 75 was just released) which prevents the writes. However, reads are still done using the uncleaned names, but this is a much less severe issue. So, if I don't supply a fix for the second lesser issue soon, the existing fix should be released ASAP.
X

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (200, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diffoscope depends on:
ii  python3-libarchive-c  2.1-3.1
ii  python3-magic         1:5.29-3
ii  python3-pkg-resources 33.1.1-1
pn  python3:any           <none>

Versions of packages diffoscope recommends:
ii  acl                          2.2.52-3
ii  apktool                      2.2.1+dfsg-2
ii  binutils-multiarch           2.27.90.20170124-2
ii  bzip2                        1.0.6-8.1
ii  caca-utils                   0.99.beta19-2+b1
ii  colord                       1.3.3-2
ii  cpio                         2.11+dfsg-6
ii  default-jdk [java-sdk]       2:1.8-58
ii  default-jdk-headless         2:1.8-58
ii  enjarify                     1:1.0.3-3
ii  fontforge-extras             0.3-4
ii  fp-utils                     3.0.0+dfsg-10
ii  fp-utils-3.0.0 [fp-utils]    3.0.0+dfsg-10
ii  genisoimage                  9:1.1.11-3
ii  gettext                      0.19.8.1-2
ii  ghc                          8.0.1-17
ii  ghostscript                  9.20~dfsg-2
ii  gnupg                        2.1.18-3
ii  jsbeautifier                 1.6.4-6
ii  llvm                         1:3.8-34+b1
ii  mono-utils                   4.6.2.7+dfsg-1
ii  openjdk-8-jdk [java-sdk]     8u121-b13-2
ii  openssh-client               1:7.4p1-6
ii  pdftk                        2.02-4+b1
ii  poppler-utils                0.48.0-2
ii  python3-argcomplete          1.8.1-1
ii  python3-debian               0.1.30
ii  python3-guestfs              1:1.34.3-7
ii  python3-progressbar          2.3-4
ii  python3-rpm                  4.12.0.2+dfsg1-1
ii  python3-tlsh                 3.4.4+20151206-1+b1
ii  rpm2cpio                     4.12.0.2+dfsg1-1
ii  sng                          1.1.0-1+b1
ii  sqlite3                      3.16.2-2
ii  squashfs-tools               1:4.3-3
ii  unzip                        6.0-21
ii  vim-common                   2:8.0.0197-1
ii  xxd                          2:8.0.0197-1
ii  xz-utils                     5.2.2-1.2

Versions of packages diffoscope suggests:
ii  libjs-jquery  3.1.1-2

-- no debconf information
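The root cause in the traceback above is that a member name taken from the archive ('/SYM64') was handed straight to os.makedirs, so the destination was computed relative to the filesystem root rather than the extraction directory. The following is an added illustration, not diffoscope's code or its actual fix: a hypothetical safe_extract_path() helper that confines every member name to an extraction root and rejects the absolute and '..' forms the report mentions. EXTRACT_ROOT is a constructed sample path.

```python
import os
import posixpath

# Constructed example root; it does not need to exist for the check to run.
EXTRACT_ROOT = '/tmp/diffoscope-extract-example'


class UnsafeArchiveMember(ValueError):
    """Raised when an archive member name would escape the extraction root."""


def safe_extract_path(root, member_name):
    """Map an untrusted archive member name onto a path strictly inside root.

    Hypothetical helper: archive member names use '/' regardless of the
    host platform, so they are normalised with posixpath before being
    joined onto the (host) root directory.
    """
    # Collapse 'a//b', 'a/./b' and 'a/b/../c' into canonical forms first.
    name = posixpath.normpath(member_name)
    # An absolute name such as '/SYM64' keeps its leading '/' after
    # normpath and would otherwise replace root in os.path.join().
    if posixpath.isabs(name):
        raise UnsafeArchiveMember(member_name)
    # After normalisation the only '..' that can survive is a leading one,
    # which climbs out of root (e.g. 'a/../../.profile' -> '../.profile').
    if name == '..' or name.startswith('../'):
        raise UnsafeArchiveMember(member_name)
    root_abs = os.path.realpath(root)
    dst = os.path.realpath(os.path.join(root_abs, name))
    # Final defence: resolve symlinks (a symlink member extracted earlier
    # could point outside root) and require dst to stay under root.
    if os.path.commonpath([root_abs, dst]) != root_abs:
        raise UnsafeArchiveMember(member_name)
    return dst


def is_safe_member(root, member_name):
    """Boolean wrapper around safe_extract_path for quick checks."""
    try:
        safe_extract_path(root, member_name)
    except UnsafeArchiveMember:
        return False
    return True


if __name__ == '__main__':
    for member in ('lib/SYM64', '/SYM64', '../.profile', 'a/../../.profile'):
        print('%-20s -> %s' % (member, 'ok' if is_safe_member(EXTRACT_ROOT, member) else 'REJECTED'))
```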