-rw-r--r-- | CMakeLists.txt | 2 | ||||
-rw-r--r-- | apt-pkg/acquire-method.cc | 6 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | doc/apt-verbatim.ent | 2 | ||||
-rwxr-xr-x | test/integration/test-cve-2019-3462-dequote-injection | 66 |
5 files changed, 81 insertions, 2 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 3d257ceb1..55048698e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -175,7 +175,7 @@ endif() # Configure some variables like package, version and architecture. set(PACKAGE ${PROJECT_NAME}) set(PACKAGE_MAIL "APT Development Team <deity@lists.debian.org>") -set(PACKAGE_VERSION "1.4.8") +set(PACKAGE_VERSION "1.4.9") if (NOT DEFINED DPKG_DATADIR) execute_process(COMMAND ${PERL_EXECUTABLE} -MDpkg -e "print $Dpkg::DATADIR;" diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc index ab0908014..bd947209b 100644 --- a/apt-pkg/acquire-method.cc +++ b/apt-pkg/acquire-method.cc @@ -458,6 +458,12 @@ void pkgAcqMethod::Status(const char *Format,...) * the worker will enqueue again later on to the right queue */ void pkgAcqMethod::Redirect(const string &NewURI) { + if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos) + { + _error->Error("SECURITY: URL redirect target contains control characters, rejecting."); + Fail(); + return; + } std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n" << "New-URI: " << NewURI << "\n" << "\n" << std::flush; diff --git a/debian/changelog b/debian/changelog index b43c8f1bd..cc9f1b722 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +apt (1.4.9) stretch-security; urgency=medium + + * SECURITY UPDATE: content injection in http method (CVE-2019-3462) + (LP: #1812353) + + -- Julian Andres Klode <jak@debian.org> Fri, 18 Jan 2019 11:42:07 +0100 + apt (1.4.8) stretch; urgency=medium [ Balint Reczey ] diff --git a/doc/apt-verbatim.ent b/doc/apt-verbatim.ent index 84b314c9c..20f2162bb 100644 --- a/doc/apt-verbatim.ent +++ b/doc/apt-verbatim.ent 
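Review bot: The new guard in `pkgAcqMethod::Redirect` rejects every byte outside printable ASCII (0x20–0x7E), which is broader than the "control characters" named in the error text, and nothing in the code says why the check sits at this point. A short comment above the `if` would help, for example `// NewURI is copied verbatim into the newline-delimited 103 Redirect message below, so only printable ASCII may pass`. The hand-typed allowlist literal is hard to audit for a missing character; a range test such as `std::any_of(NewURI.begin(), NewURI.end(), [](unsigned char c) { return c < 0x20 || c > 0x7e; })` states the same rule more directly, provided `<algorithm>` is available in this file. `Queue->Uri` is written into the same message without a check, and whether it can carry server-influenced bytes is not visible from this hunk. The function body continues past the end of the hunk.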
@@ -239,7 +239,7 @@ "> <!-- this will be updated by 'prepare-release' --> -<!ENTITY apt-product-version "1.4.8"> +<!ENTITY apt-product-version "1.4.9"> <!-- (Code)names for various things used all over the place --> <!ENTITY debian-oldstable-codename "jessie"> diff --git a/test/integration/test-cve-2019-3462-dequote-injection b/test/integration/test-cve-2019-3462-dequote-injection new file mode 100755 index 000000000..a1adec6de --- /dev/null +++ b/test/integration/test-cve-2019-3462-dequote-injection 
@@ -0,0 +1,66 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+# build two uncompressed packages
+buildsimplenativepackage 'alpha' 'all' '1' 'unstable' '' '' 'section' 'optional' '' 'none'
+
+setupaptarchive --no-update
+ORIGINAL_SHA256=$(sha256sum aptarchive/pool/alpha_1_all.deb | awk '{print $1}')
+ORIGINAL_SIZE=$(wc -c aptarchive/pool/alpha_1_all.deb | awk '{print $1}')
+SHA256="DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"
+changetowebserver
+
+webserverconfig aptwebserver::redirect::replace::alpha_1_all.deb "beeta_1_all.deb%250a%250a201%2520URI%2520Done%250aURI:%2520http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb%250aFilename:%2520${TMPWORKINGDIRECTORY}/rootdir/var/cache/apt/archives/partial/alpha_1_all.deb%250aSize:%252020672%250aLast-Modified:%2520Fri,%252018%2520Jan%25202019%252009:52:02%2520+0000%250aSHA256-Hash:%2520${SHA256}%250aChecksum-FileSize-Hash:%252012345%250a%250a%0a"
+
+
+testsuccess apt update -o debug::http=1 -o debug::pkgacquire::worker=1
+
+
+testfailureequal "Reading package lists...
+Building dependency tree...
+The following NEW packages will be installed:
+ alpha
+0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
+Need to get 20.7 kB of archives.
+After this operation, 11.3 kB of additional disk space will be used.
+Err:1 http://localhost:${APTHTTPPORT} unstable/main all alpha all 1
+ SECURITY: URL redirect target contains control characters, rejecting.
+E: Failed to fetch http://localhost:${APTHTTPPORT}/pool/alpha_1_all.deb SECURITY: URL redirect target contains control characters, rejecting.
+E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?" aptget install alpha
+
+
+
+# For reference, the following is the original reproducer/bug. It has
+# been disabled using exit 0, as it will fail in fixed versions.
+exit 0
+
+testfailureequal "Reading package lists...
+Building dependency tree...
+The following NEW packages will be installed:
+ alpha
+0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
+Need to get 20.7 kB of archives.
+After this operation, 11.3 kB of additional disk space will be used.
+Err:1 http://localhost:${APTHTTPPORT} unstable/main all alpha all 1
+ Hash Sum mismatch
+ Hashes of expected file:
+ - SHA256:$ORIGINAL_SHA256
+ - Filesize:$ORIGINAL_SIZE [weak]
+ Hashes of received file:
+ - SHA256:DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+ - Filesize:12345 [weak]
+ Last modification reported: Fri, 18 Jan 2019 09:52:02 +0000
+E: Failed to fetch http://localhost:${APTHTTPPORT}/pool/beeta_1_all.deb Hash Sum mismatch
+ Hashes of expected file:
+ - SHA256:$ORIGINAL_SHA256
+ - Filesize:$ORIGINAL_SIZE [weak]
+ Hashes of received file:
+ - SHA256:DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+ - Filesize:12345 [weak]
+ Last modification reported: Fri, 18 Jan 2019 09:52:02 +0000
+E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?" aptget install alpha |
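Review bot: Everything after `exit 0` is unreachable, yet `ORIGINAL_SHA256` and `ORIGINAL_SIZE` are computed in the live part of the script and used only by that disabled block. The existing comment explains the `exit 0`; the two assignments would read more clearly with a matching comment such as `# only used by the disabled reference block below`, or moved below the `exit 0`. The live assertions cover a single rejected byte (the encoded newline) on the install path; a second case with another byte outside printable ASCII, and one showing that an ordinary redirect still succeeds, would pin the allowlist more tightly. The expected output also hard-codes `20.7 kB` and `11.3 kB`, which presumably depend on how the framework builds the package.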