From 98c623c8d6814ae46a3b30ca22e584c77d47d86b Mon Sep 17 00:00:00 2001
From: Guillem Jover <guillem@debian.org>
Date: Sat, 7 Jun 2025 14:17:07 +0200
Subject: [PATCH] dpkg-deb: Fix cleanup for control member with restricted
directories
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When extracting a control member into a temporary directory, which is
documented as being a safe operation even on untrusted data, the code
in charge of the temporary directory cleanup does not sanitize the
directory permissions, which is then unable to perform the «rm -rf»
when running as a non-root user, leaving temporary files behind.
Given automated and repeated execution of dpkg-deb commands on
adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a non-root
user, this can end up with a DoS scenario due to causing disk quota
exhaustion or disk full conditions.
This is considered a minor issue, given the required conditions to
trigger a problem with it, but an issue nonetheless given the
documented security guarantees of the command. This has been an
issue since the initial commit introducing dpkg-deb in C.
We use an existing string for the error message to avoid new strings
needing translation for stable branches, which make the error message
less descriptive than what would be ideal. This will be improved in
git HEAD.
Reported-by: zhutyra on HackerOne
Fixes: CVE-2025-6297
Stable-Candidate: 1.20.x 1.21.x 1.22.x
(cherry picked from commit ed6bbd445dd8800308c67236ba35d08004c98e82)
(cherry picked from commit 02ad0532bd490cbc95b344f670e622a38eecfbf6)
(cherry picked from commit d8a76551e22abe76eefd7fef5c7f51f4118eb40e)
---
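--- a/src/deb/info.c
+++ b/src/deb/info.c
@@ -45,14 +45,34 @@
 #include <dpkg/pkg-format.h>
 #include <dpkg/buffer.h>
 #include <dpkg/path.h>
+#include <dpkg/treewalk.h>
 #include <dpkg/options.h>
 
 #include "dpkg-deb.h"
 
+static int
+cu_info_treewalk_fixup_dir(struct treenode *node)
+{
+ const char *nodename;
+
+ if (!S_ISDIR(treenode_get_mode(node)))
+ return 0;
+
+ nodename = treenode_get_pathname(node);
+ if (chmod(nodename, 0755) < 0)
+ ohshite(_("error setting permissions of '%.255s'"), nodename);
+
+ return 0;
+}
+
 static void cu_info_prepare(int argc, void **argv) {
 char *dir;
+ struct treewalk_funcs cu_info_treewalk_funcs = {
+ .visit = cu_info_treewalk_fixup_dir,
+ };
 
 dir = argv[0];
+ treewalk(dir, TREEWALK_NONE, &cu_info_treewalk_funcs);
 path_remove_tree(dir);
 free(dir);
 }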
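Review bot: In cu_info_treewalk_fixup_dir a failed `chmod()` goes to `ohshite()`, which is fatal, so control presumably never returns to cu_info_prepare and `path_remove_tree(dir)` is skipped for the whole tree, leaving behind exactly the files this fix is meant to clean up. Since this runs as a cleanup handler over content extracted from untrusted packages, a best-effort form looks safer: report with `warning(_("error setting permissions of '%.255s'"), nodename);` (the same already-translated string) and fall through to `return 0;` so removal is still attempted. Mode `0700` is enough for the owner to remove the entries and avoids widening access on package-supplied directories, i.e. `chmod(nodename, 0700)`. The chmod is done by pathname after a separate mode check, which is only safe while nobody else can write inside the temporary directory; a one-line comment above the call stating that assumption would help the next reader.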