Arbitrary diff application hole in upload processor

Bug #532445 reported by William Grant
Affects             Status        Importance  Assigned to  Milestone
Launchpad itself    Invalid       High        Unassigned
dpkg (Ubuntu)       Fix Released  Critical    Unassigned
  Dapper            Fix Released  Medium      Kees Cook
  Hardy             Fix Released  Medium      Kees Cook
  Intrepid          Fix Released  Medium      Kees Cook
  Jaunty            Fix Released  Medium      Kees Cook
  Karmic            Fix Released  Medium      Kees Cook
  Lucid             Fix Released  Critical    Unassigned

Bug Description

A malicious v1.0 source package can apply diffs to arbitrary files on LP upload machines through a directory traversal vulnerability. When dpkg-source runs, paths containing '..' in the diff.gz are followed. This trivially allows appending or prepending to any file writable by the user running process-upload.py, or creation of new files. More creative mutation is likely possible.

This could probably be considered to be a bug in dpkg-source.

Tags: lp-soyuz

Revision history for this message
William Grant (wgrant) wrote :

This one just prepends a couple of lines to /tmp/i-append-to-you.

Also note that one can upload PPA packages to cocoplum, so anybody can exploit it there too, not just on germanium.

Colin Watson (cjwatson) wrote :

I've raised this with Raphaël Hertzog (upstream dpkg-dev maintainer) on IRC; awaiting a response.

Julian Edwards (julian-edwards) wrote :

Soyuz will wait for a fix in dpkg.

Changed in soyuz:
status: New → Triaged
importance: Undecided → High
Raphaël Hertzog (hertzog) wrote :

Here's a preliminary patch that I consider using. Before uploading this I want to check it doesn't cause too many regressions in lenny and sid.

Raphaël Hertzog (hertzog) wrote :

An updated patch also fixing a similar issue this time related to insecure paths in the series file for 3.0 (quilt) source packages. This patch should also apply on version 1.15 (except for changelog stuff).

Colin Watson (cjwatson) wrote :

Thanks! I'm running out of steam for today, but will look at this ASAP ...

Raphaël Hertzog (hertzog) wrote :

Bleh, in my hurry I missed the obvious, the perl regex must be m{/\.\./} and not m{/../}. So the third and hopefully final variant of the patch is attached.

Raphaël Hertzog (hertzog) wrote :

The DSA is forthcoming, it will be public either tomorrow or Wednesday.

Colin Watson (cjwatson) wrote :

Thanks, I've looked this over and it looks sane to me. I've asked LaMont to apply it to our production instances.

Changed in dpkg (Ubuntu):
importance: Undecided → Critical
status: New → In Progress
Kees Cook (kees) wrote :

CVE-2010-0396

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dpkg - 1.15.5.6ubuntu2

---------------
dpkg (1.15.5.6ubuntu2) lucid; urgency=high

  * Backport from upstream:
    - Use FIEMAP when available (on Linux based systems) to sort the .list
      files loading order. With a cold cache it improves up to a 70%.
      Thanks to Morten Hustveit <email address hidden>. LP: #442114
    - Call fsync(2) after writing files on disk, to get the atomicity
      guarantees when doing rename(2). Based on a patch by Jean-Baptiste
      Lallement <email address hidden>.
      Closes: #430958, LP: #512096
  * Security fixes by Raphaël Hertzog, also backported from upstream
    (CVE-2010-0396):
    - Modify dpkg-source to error out when it would apply patches containing
      insecure paths (with "/../") and also error out when it would apply a
      patch through a symlink. Those checks are required as patch will
      happily modify files outside of the target directory and unpacking a
      source package should not be able to have any side-effect outside of
      the target directory. LP: #532445
    - Also error out when the quilt series contains a path with "/../" as
      this can cause patch to create files outside of the source package due
      to the -B .pc/$path option that it gets.
 -- Colin Watson <email address hidden> Thu, 11 Mar 2010 00:34:28 +0000
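
The three checks named in the changelog entry above (refuse patch paths with insecure ".." components, refuse to patch through a symlink, refuse quilt series entries with ".." in them) as an added Python illustration. This is not dpkg's own code (dpkg-source is Perl) and it is stricter than the "/../" substring check the changelog describes: any ".." path component and any absolute path is refused. The sample diffs, the series file and the throwaway source tree built by make_demo_root are constructed here, not taken from the bug's attachments.

```python
import os
import tempfile

# Constructed sample inputs (not the attachments from the bug report).
SAFE_DIFF = """\
--- orig/debian/rules
+++ new/debian/rules
@@ -1 +1,2 @@
 #!/usr/bin/make -f
+export DH_VERBOSE=1
"""

TRAVERSAL_DIFF = """\
--- orig/debian/../../../tmp/notes
+++ new/debian/../../../tmp/notes
@@ -0,0 +1 @@
+extra line
"""

# 'link' is a symlink inside the source tree pointing outside it (see make_demo_root).
SYMLINK_DIFF = """\
--- orig/link/notes
+++ new/link/notes
@@ -0,0 +1 @@
+extra line
"""

SERIES = "fix-build.patch\n../../escape.patch -p0\n# a comment line\n\nquiet.patch\n"


def patched_paths(diff_text):
    """Yield the file names from each '---'/'+++' header pair of a unified diff.

    Only a '---' line immediately followed by a '+++' line counts as a header,
    so a removed content line starting with '-- ' is not mistaken for one.
    Both names are yielded because patch(1) may choose either of them.
    """
    lines = diff_text.splitlines()
    for i in range(len(lines) - 1):
        if lines[i].startswith("--- ") and lines[i + 1].startswith("+++ "):
            for header in (lines[i], lines[i + 1]):
                name = header[4:].split("\t", 1)[0].strip()  # drop "\tTIMESTAMP"
                if name != "/dev/null":
                    yield name


def unsafe_path_reason(path, strip=1):
    """Return why a diff path must not be applied, or None if it looks fine."""
    if path.startswith("/"):
        return "absolute path"
    parts = path.split("/")
    if ".." in parts:
        return "contains a '..' component"
    if len(parts) <= strip:
        return "too few components to survive -p%d" % strip
    return None


def escapes_dir(root, relpath):
    """True if relpath under root passes through a symlink or resolves outside root."""
    real_root = os.path.realpath(root)
    cur = root
    for comp in relpath.split("/"):
        cur = os.path.join(cur, comp)
        if os.path.islink(cur):
            return True
    real = os.path.realpath(cur)
    return real != real_root and not real.startswith(real_root + os.sep)


def check_diff(diff_text, root, strip=1):
    """Return (path, reason) for every header path that must be refused."""
    problems = []
    for path in patched_paths(diff_text):
        reason = unsafe_path_reason(path, strip)
        if reason is None:
            rel = "/".join(path.split("/")[strip:])  # what patch -pN would open
            if escapes_dir(root, rel):
                reason = "passes through a symlink or leaves the target directory"
        if reason is not None:
            problems.append((path, reason))
    return problems


def check_series(series_text):
    """Return quilt series entries whose patch name contains a '..' component."""
    bad = []
    for line in series_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split()[0]  # "name [-pN]" -> name
        if ".." in name.split("/"):
            bad.append(name)
    return bad


def make_demo_root():
    """Create a throwaway source tree: debian/rules plus a symlink escaping the tree."""
    root = tempfile.mkdtemp(prefix="src-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.mkdir(os.path.join(root, "debian"))
    with open(os.path.join(root, "debian", "rules"), "w") as f:
        f.write("#!/usr/bin/make -f\n")
    os.symlink(outside, os.path.join(root, "link"))
    return root


if __name__ == "__main__":
    root = make_demo_root()
    for label, diff in (("safe", SAFE_DIFF), ("traversal", TRAVERSAL_DIFF), ("symlink", SYMLINK_DIFF)):
        print(label, check_diff(diff, root) or "OK")
    print("series", check_series(SERIES) or "OK")
```

The symlink walk is done component by component on the target tree rather than by resolving the final path once, because the traversal the changelog describes happens at whichever intermediate component is a link; a check that only inspects the leaf would miss it.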

Changed in dpkg (Ubuntu):
status: In Progress → Fix Released
Kees Cook (kees)
visibility: private → public
Kees Cook (kees)
Changed in dpkg (Ubuntu Dapper):
status: New → Fix Committed
importance: Undecided → Medium
Changed in dpkg (Ubuntu Hardy):
status: New → Fix Committed
importance: Undecided → Medium
Changed in dpkg (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
Changed in dpkg (Ubuntu Karmic):
assignee: nobody → Kees Cook (kees)
Changed in dpkg (Ubuntu Intrepid):
assignee: nobody → Kees Cook (kees)
Changed in dpkg (Ubuntu Dapper):
assignee: nobody → Kees Cook (kees)
Changed in dpkg (Ubuntu Hardy):
assignee: nobody → Kees Cook (kees)
Changed in dpkg (Ubuntu Intrepid):
status: New → Fix Committed
importance: Undecided → Medium
Changed in dpkg (Ubuntu Jaunty):
status: New → Fix Committed
importance: Undecided → Medium
Changed in dpkg (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → Medium
Kees Cook (kees) wrote :
Changed in dpkg (Ubuntu Dapper):
status: Fix Committed → Fix Released
Changed in dpkg (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in dpkg (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Changed in dpkg (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Changed in dpkg (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in soyuz:
status: Triaged → Invalid