Commit d436b01c authored by Héctor Orón Martínez's avatar Héctor Orón Martínez

Merge branch 'fix-CVE-2017-5188' into 'debian/master'

CVE-2017-5188.patch: Apply upstream fixes for CVE-2017-5188. (Closes: #900133)

See merge request ruby-team/open-build-service!3
parents dc0abbc9 b35761a9
Author: Michael Schroeder <mls@suse.de>
Date: Mon Mar 20 10:28:41 2017 +0100
[backend] ignore symlinks in build result
[backend] only allow plain files in cpio_sender
No devices, sockets, directories, symlinks please...
Origin: upstream, https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661, https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d
Bug: https://bugzilla.suse.com/show_bug.cgi?id=1029824
Bug-Debian: https://bugs.debian.org/900133
--- a/src/backend/bs_worker
+++ b/src/backend/bs_worker
@@ -3394,7 +3394,7 @@ if ($ex == 0) {
undef $kiwitree unless @$kiwitree;
undef $kiwitree if defined($BSConfig::nokiwitree) && $BSConfig::nokiwitree;
}
- @files = grep {-f "$buildroot/.build.packages/$d/$_"} @files;
+ @files = grep {! -l "$buildroot/.build.packages/$d/$_" && -f _} @files;
push @send, map {"$buildroot/.build.packages/$d/$_"} @files;
}
@send = map {{name => (split('/', $_))[-1], filename => $_}} @send;
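Review bot: The new grep drops symlinked entries under `.build.packages/$d` without leaving any trace, so in the worker log a build that produced one looks the same as a clean build; consider logging the skipped names before filtering so the event can be noticed and investigated. The `-f _` test is only correct because `-l` has just filled the stat buffer with an lstat result, which deserves a comment such as `# -l does an lstat; "_" reuses that buffer, so -f does not follow the link`. The enclosing block starts and ends outside the hunk.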
--- a/src/backend/BSHTTP.pm
+++ b/src/backend/BSHTTP.pm
@@ -357,13 +357,24 @@ sub cpio_sender {
my $filename = $file->{'filename'};
if (ref($filename)) {
*F = $filename;
- } elsif (!open(F, '<', $filename)) {
- $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
- next;
+ } else {
+ @s = lstat($filename);
+ if (!@s) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
+ next;
+ }
+ if (-l _ || ! -f _) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: not a plain file\n";
+ next;
+ }
+ if (!open(F, '<', $filename)) {
+ $errors->{'data'} .= "$file->{'name'}: $filename: $!\n";
+ next;
+ }
}
@s = stat(F);
if (!@s) {
- $errors->{'data'} .= "$file->{'name'}: stat: $!\n";
+ $errors->{'data'} .= "$file->{'name'}: fstat: $!\n";
close F unless ref $filename;
next;
}
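Review bot: The plain-file check in the new `else` branch is made on the path with `lstat($filename)`, but the file is then opened by path again, so the object that `open(F, '<', $filename)` returns is not guaranteed to be the one that was checked. Whether anything can still replace the entry between the two calls is not visible from this hunk, but the gap is cheap to close: keep the lstat result and compare its device and inode numbers with the `stat(F)` that follows. `@ls` would need a `my` next to wherever `@s` is declared, which is outside the hunk, as are the start and end of `cpio_sender`. Opening with `sysopen` and `O_NOFOLLOW` from Fcntl is an alternative on platforms that provide it.

```perl
} else {
  @ls = lstat($filename);   # kept for the post-open identity check below
  if (!@ls) {
  # … unchanged: error report, "not a plain file" check on _, open(F) …
}
@s = stat(F);
# … unchanged: fstat failure handling …
if (!ref($filename) && ($s[0] != $ls[0] || $s[1] != $ls[1])) {
  # dev/ino differ: the path was swapped between lstat and open
  $errors->{'data'} .= "$file->{'name'}: $filename: changed while opening\n";
  close F;
  next;
}
```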
......@@ -15,3 +15,4 @@ missing-codemirror-js.patch
Do-not-ship-database.yml.patch
localgem.patch
disable-slp.patch
CVE-2017-5188.patch