From c31d65e76810f72c356e381818174bf100605de7 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 18 Jan 2019 09:13:52 +0100 Subject: SECURITY UPDATE: content injection in http method (CVE-2019-3462) This fixes a security issue that can be exploited to inject arbritrary debs or other files into a signed repository as followed: (1) Server sends a redirect to somewhere%0a (where %0a is \n encoded) (2) apt method decodes the redirect (because the method encodes the URLs before sending them out), writting something like somewhere\n into its output (3) apt then uses the headers injected for validation purposes. Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec LP: #1812353 (cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b) --- apt-pkg/acquire-method.cc | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'apt-pkg') diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc index c9cd48bb6..c67c47ab8 100644 --- a/apt-pkg/acquire-method.cc +++ b/apt-pkg/acquire-method.cc @@ -470,6 +470,12 @@ void pkgAcqMethod::Status(const char *Format,...) * the worker will enqueue again later on to the right queue */ void pkgAcqMethod::Redirect(const string &NewURI) { + if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos) + { + _error->Error("SECURITY: URL redirect target contains control characters, rejecting."); + Fail(); + return; + } std::unordered_map fields; try_emplace(fields, "URI", Queue->Uri); try_emplace(fields, "New-URI", NewURI); -- cgit v1.2.3