summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CMakeLists.txt2
-rw-r--r--apt-pkg/acquire-method.cc6
-rw-r--r--debian/changelog7
-rw-r--r--doc/apt-verbatim.ent2
-rwxr-xr-xtest/integration/test-cve-2019-3462-dequote-injection66
5 files changed, 81 insertions, 2 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 3d257ceb1..55048698e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -175,7 +175,7 @@ endif()
# Configure some variables like package, version and architecture.
set(PACKAGE ${PROJECT_NAME})
set(PACKAGE_MAIL "APT Development Team <deity@lists.debian.org>")
-set(PACKAGE_VERSION "1.4.8")
+set(PACKAGE_VERSION "1.4.9")
if (NOT DEFINED DPKG_DATADIR)
execute_process(COMMAND ${PERL_EXECUTABLE} -MDpkg -e "print $Dpkg::DATADIR;"
diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc
index ab0908014..bd947209b 100644
--- a/apt-pkg/acquire-method.cc
+++ b/apt-pkg/acquire-method.cc
@@ -458,6 +458,12 @@ void pkgAcqMethod::Status(const char *Format,...)
* the worker will enqueue again later on to the right queue */
void pkgAcqMethod::Redirect(const string &NewURI)
{
+ if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
+ {
+ _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
+ Fail();
+ return;
+ }
std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
<< "New-URI: " << NewURI << "\n"
<< "\n" << std::flush;
diff --git a/debian/changelog b/debian/changelog
index b43c8f1bd..cc9f1b722 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+apt (1.4.9) stretch-security; urgency=medium
+
+ * SECURITY UPDATE: content injection in http method (CVE-2019-3462)
+ (LP: #1812353)
+
+ -- Julian Andres Klode <jak@debian.org> Fri, 18 Jan 2019 11:42:07 +0100
+
apt (1.4.8) stretch; urgency=medium
[ Balint Reczey ]
diff --git a/doc/apt-verbatim.ent b/doc/apt-verbatim.ent
index 84b314c9c..20f2162bb 100644
--- a/doc/apt-verbatim.ent
+++ b/doc/apt-verbatim.ent
@@ -239,7 +239,7 @@
">
<!-- this will be updated by 'prepare-release' -->
-<!ENTITY apt-product-version "1.4.8">
+<!ENTITY apt-product-version "1.4.9">
<!-- (Code)names for various things used all over the place -->
<!ENTITY debian-oldstable-codename "jessie">
diff --git a/test/integration/test-cve-2019-3462-dequote-injection b/test/integration/test-cve-2019-3462-dequote-injection
new file mode 100755
index 000000000..a1adec6de
--- /dev/null
+++ b/test/integration/test-cve-2019-3462-dequote-injection
@@ -0,0 +1,66 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+# build two uncompressed packages
+buildsimplenativepackage 'alpha' 'all' '1' 'unstable' '' '' 'section' 'optional' '' 'none'
+
+setupaptarchive --no-update
+ORIGINAL_SHA256=$(sha256sum aptarchive/pool/alpha_1_all.deb | awk '{print $1}')
+ORIGINAL_SIZE=$(wc -c aptarchive/pool/alpha_1_all.deb | awk '{print $1}')
+SHA256="DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"
+changetowebserver
+
+webserverconfig aptwebserver::redirect::replace::alpha_1_all.deb "beeta_1_all.deb%250a%250a201%2520URI%2520Done%250aURI:%2520http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb%250aFilename:%2520${TMPWORKINGDIRECTORY}/rootdir/var/cache/apt/archives/partial/alpha_1_all.deb%250aSize:%252020672%250aLast-Modified:%2520Fri,%252018%2520Jan%25202019%252009:52:02%2520+0000%250aSHA256-Hash:%2520${SHA256}%250aChecksum-FileSize-Hash:%252012345%250a%250a%0a"
+
+
+testsuccess apt update -o debug::http=1 -o debug::pkgacquire::worker=1
+
+
+testfailureequal "Reading package lists...
+Building dependency tree...
+The following NEW packages will be installed:
+ alpha
+0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
+Need to get 20.7 kB of archives.
+After this operation, 11.3 kB of additional disk space will be used.
+Err:1 http://localhost:${APTHTTPPORT} unstable/main all alpha all 1
+ SECURITY: URL redirect target contains control characters, rejecting.
+E: Failed to fetch http://localhost:${APTHTTPPORT}/pool/alpha_1_all.deb SECURITY: URL redirect target contains control characters, rejecting.
+E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?" aptget install alpha
+
+
+
+# For reference, the following is the original reproducer/bug. It has
+# been disabled using exit 0, as it will fail in fixed versions.
+exit 0
+
+testfailureequal "Reading package lists...
+Building dependency tree...
+The following NEW packages will be installed:
+ alpha
+0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
+Need to get 20.7 kB of archives.
+After this operation, 11.3 kB of additional disk space will be used.
+Err:1 http://localhost:${APTHTTPPORT} unstable/main all alpha all 1
+ Hash Sum mismatch
+ Hashes of expected file:
+ - SHA256:$ORIGINAL_SHA256
+ - Filesize:$ORIGINAL_SIZE [weak]
+ Hashes of received file:
+ - SHA256:DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+ - Filesize:12345 [weak]
+ Last modification reported: Fri, 18 Jan 2019 09:52:02 +0000
+E: Failed to fetch http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb Hash Sum mismatch
+ Hashes of expected file:
+ - SHA256:$ORIGINAL_SHA256
+ - Filesize:$ORIGINAL_SIZE [weak]
+ Hashes of received file:
+ - SHA256:DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+ - Filesize:12345 [weak]
+ Last modification reported: Fri, 18 Jan 2019 09:52:02 +0000
+E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?" aptget install alpha