Date: Wed, 16 Sep 2015 20:30:19 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r397083 - in branches/2015Q3/archivers/p7zip: . files Message-ID: <201509162030.t8GKUJt3079240@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Wed Sep 16 20:30:18 2015 New Revision: 397083 URL: https://svnweb.freebsd.org/changeset/ports/397083 Log: MFH: r397079 Apply patch to fix directory traversal vulnerability Submitted by: ohauer Security: CVE-2015-1038 Security: 8f5c9dd6-5cac-11e5-9ad8-14dae9d210b8 Approved by: ports-secteam (with hat) Added: branches/2015Q3/archivers/p7zip/files/patch-CVE-2015-1038 - copied unchanged from r397079, head/archivers/p7zip/files/patch-CVE-2015-1038 Modified: branches/2015Q3/archivers/p7zip/Makefile Directory Properties: branches/2015Q3/ (props changed) Modified: branches/2015Q3/archivers/p7zip/Makefile ============================================================================== --- branches/2015Q3/archivers/p7zip/Makefile Wed Sep 16 20:29:39 2015 (r397082) +++ branches/2015Q3/archivers/p7zip/Makefile Wed Sep 16 20:30:18 2015 (r397083) @@ -3,7 +3,7 @@ PORTNAME= p7zip PORTVERSION= 9.38.1 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= archivers MASTER_SITES= SF DISTNAME= ${PORTNAME}_${DISTVERSION}_src_all Copied: branches/2015Q3/archivers/p7zip/files/patch-CVE-2015-1038 (from r397079, head/archivers/p7zip/files/patch-CVE-2015-1038) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/archivers/p7zip/files/patch-CVE-2015-1038 Wed Sep 16 20:30:18 2015 (r397083, copy of r397079, head/archivers/p7zip/files/patch-CVE-2015-1038) @@ -0,0 +1,283 @@ +Author: Ben Hutchings <ben@decadent.org.uk> +Date: Tue, 19 May 2015 02:38:40 +0100 +Description: Delay creation of symlinks to prevent arbitrary file writes (CVE-2015-1038) +Bug: http://sourceforge.net/p/p7zip/bugs/147/ +Bug-Debian: https://bugs.debian.org/774660 + +Alexander Cherepanov discovered that 7zip is susceptible to a +directory traversal vulnerability. While extracting an archive, it +will extract symlinks and then follow them if they are referenced in +further entries. This can be exploited by a rogue archive to write +files outside the current directory. + +We have to create placeholder files (which we already do) and delay +creating symlinks until the end of extraction. + +Due to the possibility of anti-items (deletions) in the archive, it is +possible for placeholders to be deleted and replaced before we create +the symlinks. It's not clear that this can be used for mischief, but +GNU tar guards against similar problems by checking that the placeholder +still exists and is the same inode. XXX It also checks 'birth time' but +this isn't portable. We can probably get away with comparing ctime +since we don't support hard links. + +--- CPP/7zip/UI/Agent/Agent.cpp ++++ CPP/7zip/UI/Agent/Agent.cpp +@@ -1215,7 +1215,7 @@ STDMETHODIMP CAgentFolder::Extract(const + HRESULT result = _agentSpec->GetArchive()->Extract(&realIndices.Front(), + realIndices.Size(), testMode, extractCallback); + if (result == S_OK) +- result = extractCallbackSpec->SetDirsTimes(); ++ result = extractCallbackSpec->SetFinalAttribs(); + return result; + COM_TRY_END + } +--- CPP/7zip/UI/Client7z/Client7z.cpp ++++ CPP/7zip/UI/Client7z/Client7z.cpp +@@ -222,8 +222,11 @@ private: + COutFileStream *_outFileStreamSpec; + CMyComPtr<ISequentialOutStream> _outFileStream; + ++ CObjectVector<NWindows::NFile::NDir::CDelayedSymLink> _delayedSymLinks; ++ + public: + void Init(IInArchive *archiveHandler, const FString &directoryPath); ++ HRESULT SetFinalAttribs(); + + UInt64 NumErrors; + bool PasswordIsDefined; +@@ -441,11 +444,23 @@ STDMETHODIMP CArchiveExtractCallback::Se + } + _outFileStream.Release(); + if (_extractMode && _processedFileInfo.AttribDefined) +- SetFileAttrib(_diskFilePath, _processedFileInfo.Attrib); ++ SetFileAttrib(_diskFilePath, _processedFileInfo.Attrib, &_delayedSymLinks); + PrintNewLine(); + return S_OK; + } + ++HRESULT CArchiveExtractCallback::SetFinalAttribs() ++{ ++ HRESULT result = S_OK; ++ ++ for (int i = 0; i != _delayedSymLinks.Size(); ++i) ++ if (!_delayedSymLinks[i].Create()) ++ result = E_FAIL; ++ ++ _delayedSymLinks.Clear(); ++ ++ return result; ++} + + STDMETHODIMP CArchiveExtractCallback::CryptoGetTextPassword(BSTR *password) + { +@@ -912,6 +927,8 @@ int MY_CDECL main(int numArgs, const cha + // extractCallbackSpec->PasswordIsDefined = true; + // extractCallbackSpec->Password = L"1"; + HRESULT result = archive->Extract(NULL, (UInt32)(Int32)(-1), false, extractCallback); ++ if (result == S_OK) ++ result = extractCallbackSpec->SetFinalAttribs(); + if (result != S_OK) + { + PrintError("Extract Error"); +--- CPP/7zip/UI/Common/ArchiveExtractCallback.cpp ++++ CPP/7zip/UI/Common/ArchiveExtractCallback.cpp +@@ -1083,7 +1083,7 @@ STDMETHODIMP CArchiveExtractCallback::Se + NumFiles++; + + if (_extractMode && _fi.AttribDefined) +- SetFileAttrib(_diskFilePath, _fi.Attrib); ++ SetFileAttrib(_diskFilePath, _fi.Attrib, &_delayedSymLinks); + RINOK(_extractCallback2->SetOperationResult(operationResult, _encrypted)); + return S_OK; + COM_TRY_END +@@ -1149,8 +1149,9 @@ static int GetNumSlashes(const FChar *s) + } + } + +-HRESULT CArchiveExtractCallback::SetDirsTimes() ++HRESULT CArchiveExtractCallback::SetFinalAttribs() + { ++ HRESULT result = S_OK; + CRecordVector<CExtrRefSortPair> pairs; + pairs.ClearAndSetSize(_extractedFolderPaths.Size()); + unsigned i; +@@ -1187,5 +1188,12 @@ HRESULT CArchiveExtractCallback::SetDirs + (WriteATime && ATimeDefined) ? &ATime : NULL, + (WriteMTime && MTimeDefined) ? &MTime : (_arc->MTimeDefined ? &_arc->MTime : NULL)); + } +- return S_OK; ++ ++ for (int i = 0; i != _delayedSymLinks.Size(); ++i) ++ if (!_delayedSymLinks[i].Create()) ++ result = E_FAIL; ++ ++ _delayedSymLinks.Clear(); ++ ++ return result; + } +--- CPP/7zip/UI/Common/ArchiveExtractCallback.h ++++ CPP/7zip/UI/Common/ArchiveExtractCallback.h +@@ -6,6 +6,8 @@ + #include "../../../Common/MyCom.h" + #include "../../../Common/Wildcard.h" + ++#include "../../../Windows/FileDir.h" ++ + #include "../../IPassword.h" + + #include "../../Common/FileStreams.h" +@@ -213,6 +215,8 @@ class CArchiveExtractCallback: + bool _saclEnabled; + #endif + ++ CObjectVector<NWindows::NFile::NDir::CDelayedSymLink> _delayedSymLinks; ++ + void CreateComplexDirectory(const UStringVector &dirPathParts, FString &fullPath); + HRESULT GetTime(int index, PROPID propID, FILETIME &filetime, bool &filetimeIsDefined); + HRESULT GetUnpackSize(); +@@ -293,7 +297,7 @@ public: + _baseParentFolder = indexInArc; + } + +- HRESULT SetDirsTimes(); ++ HRESULT SetFinalAttribs(); + }; + + #endif +--- CPP/7zip/UI/Common/Extract.cpp ++++ CPP/7zip/UI/Common/Extract.cpp +@@ -170,7 +170,7 @@ static HRESULT DecompressArchive( + else + result = archive->Extract(&realIndices.Front(), realIndices.Size(), testMode, ecs); + if (result == S_OK && !options.StdInMode) +- result = ecs->SetDirsTimes(); ++ result = ecs->SetFinalAttribs(); + return callback->ExtractResult(result); + } + +--- CPP/Windows/FileDir.cpp ++++ CPP/Windows/FileDir.cpp +@@ -343,7 +343,8 @@ static int convert_to_symlink(const char + return -1; + } + +-bool SetFileAttrib(CFSTR fileName, DWORD fileAttributes) ++bool SetFileAttrib(CFSTR fileName, DWORD fileAttributes, ++ CObjectVector<CDelayedSymLink> *delayedSymLinks) + { + if (!fileName) { + SetLastError(ERROR_PATH_NOT_FOUND); +@@ -375,7 +376,9 @@ bool SetFileAttrib(CFSTR fileName, DWORD + stat_info.st_mode = fileAttributes >> 16; + #ifdef ENV_HAVE_LSTAT + if (S_ISLNK(stat_info.st_mode)) { +- if ( convert_to_symlink(name) != 0) { ++ if (delayedSymLinks) ++ delayedSymLinks->Add(CDelayedSymLink(name)); ++ else if ( convert_to_symlink(name) != 0) { + TRACEN((printf("SetFileAttrib(%s,%d) : false-3\n",(const char *)name,fileAttributes))) + return false; + } +@@ -885,6 +888,43 @@ bool CTempDir::Remove() + return !_mustBeDeleted; + } + ++#ifdef ENV_UNIX ++ ++CDelayedSymLink::CDelayedSymLink(const char * source) ++ : _source(source) ++{ ++ struct stat st; ++ ++ if (lstat(_source, &st) == 0) { ++ _dev = st.st_dev; ++ _ino = st.st_ino; ++ } else { ++ _dev = 0; ++ } ++} ++ ++bool CDelayedSymLink::Create() ++{ ++ struct stat st; ++ ++ if (_dev == 0) { ++ errno = EPERM; ++ return false; ++ } ++ if (lstat(_source, &st) != 0) ++ return false; ++ if (_dev != st.st_dev || _ino != st.st_ino) { ++ // Placeholder file has been overwritten or moved by another ++ // symbolic link creation ++ errno = EPERM; ++ return false; ++ } ++ ++ return convert_to_symlink(_source) == 0; ++} ++ ++#endif // ENV_UNIX ++ + }}} + + +--- CPP/Windows/FileDir.h ++++ CPP/Windows/FileDir.h +@@ -4,6 +4,7 @@ + #define __WINDOWS_FILE_DIR_H + + #include "../Common/MyString.h" ++#include "../Common/MyVector.h" + + #include "FileIO.h" + +@@ -11,11 +12,14 @@ namespace NWindows { + namespace NFile { + namespace NDir { + ++class CDelayedSymLink; ++ + bool GetWindowsDir(FString &path); + bool GetSystemDir(FString &path); + + bool SetDirTime(CFSTR path, const FILETIME *cTime, const FILETIME *aTime, const FILETIME *mTime); +-bool SetFileAttrib(CFSTR path, DWORD attrib); ++bool SetFileAttrib(CFSTR path, DWORD attrib, ++ CObjectVector<CDelayedSymLink> *delayedSymLinks = 0); + bool MyMoveFile(CFSTR existFileName, CFSTR newFileName); + + #ifndef UNDER_CE +@@ -69,6 +73,31 @@ public: + bool Remove(); + }; + ++// Symbolic links must be created last so that they can't be used to ++// create or overwrite files above the extraction directory. ++class CDelayedSymLink ++{ ++#ifdef ENV_UNIX ++ // Where the symlink should be created. The target is specified in ++ // the placeholder file. ++ AString _source; ++ ++ // Device and inode of the placeholder file. Before creating the ++ // symlink, we must check that these haven't been changed by creation ++ // of another symlink. ++ dev_t _dev; ++ ino_t _ino; ++ ++public: ++ explicit CDelayedSymLink(const char * source); ++ bool Create(); ++#else // !ENV_UNIX ++public: ++ CDelayedSymLink(const char * source) {} ++ bool Create() { return true; } ++#endif // ENV_UNIX ++}; ++ + #if !defined(UNDER_CE) + class CCurrentDirRestorer + {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201509162030.t8GKUJt3079240>