summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulian Andres Klode <julian.klode@canonical.com>2019-01-18 09:13:52 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2019-01-18 16:38:03 +0100
commitdbbed1523925d5b7ff8325064ba0ae4ba2def541 (patch)
tree48e3244a1993a98a021d0620521ac829bab8983a
parent03af77d4ca60a21f3dca1ab10ef2ba17ec2f96c9 (diff)
SECURITY UPDATE: content injection in http method (CVE-2019-3462)
This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n <headers> into its output (3) apt then uses the headers injected for validation purposes. Our test webserver does not support the necessary bits in this version that we used in newer versions, so no testing script is provided. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353
-rw-r--r--apt-pkg/acquire-method.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc
index 746c553f1..d665844a3 100644
--- a/apt-pkg/acquire-method.cc
+++ b/apt-pkg/acquire-method.cc
@@ -424,6 +424,12 @@ void pkgAcqMethod::Status(const char *Format,...)
* the worker will enqueue again later on to the right queue */
void pkgAcqMethod::Redirect(const string &NewURI)
{
+ if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
+ {
+ _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
+ Fail();
+ return;
+ }
std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
<< "New-URI: " << NewURI << "\n"
<< "\n" << std::flush;