Bug 1541821 - Update debian7 docker images for CVE-2019-3462. r=tomprince

This imports the changes from wheezy-lts (http://deb.freexian.com/extended-lts/)
and creates a package we install in the debian7-based images (with a
modified version number to work around bug #1419577).

This leaves out debian7-raw and debian7-packages as unpatched, because
of the chicken-and-egg problem.

Depends on D26100

Differential Revision: https://phabricator.services.mozilla.com/D26102

--HG--
extra : moz-landing-system : lando
Mike Hommey 2019-04-04 16:23:58 +00:00
parent 79886b9b57
commit b22d57ac74
3 changed files with 43 additions and 0 deletions

@ -0,0 +1,31 @@
diff -Nru apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc
--- apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc 2013-03-01 19:51:21.000000000 +0900
+++ apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc 2019-01-23 05:51:06.000000000 +0900
@@ -416,6 +416,12 @@
* the worker will enqueue again later on to the right queue */
void pkgAcqMethod::Redirect(const string &NewURI)
{
+ if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
+ {
+ _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
+ Fail();
+ return;
+ }
std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
<< "New-URI: " << NewURI << "\n"
<< "\n" << std::flush;
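Review bot: the allowlist check should carry a comment saying why it exists, because nothing in the hunk explains it: the `103 Redirect` message written just below is a line-oriented protocol (`"New-URI: " << NewURI << "\n"`), so a `NewURI` containing `\n` or `\r` would let a redirecting server terminate the field and append lines of its own, which is the content-injection issue the changelog hunk attributes to CVE-2019-3462. Two smaller points: the literal admits only printable ASCII 0x20 to 0x7E, so the error text "contains control characters" is narrower than what is actually rejected (any byte outside that range, non-ASCII included); and the check runs before anything is written to the stream and returns right after `Fail()`, which is the correct order, so no change is needed there.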
diff -Nru apt-0.9.7.9+deb7u7/debian/changelog apt-0.9.7.9+deb7u8/debian/changelog
--- apt-0.9.7.9+deb7u7/debian/changelog 2014-10-17 16:13:17.000000000 +0900
+++ apt-0.9.7.9+deb7u8/debian/changelog 2019-01-23 05:55:19.000000000 +0900
@@ -1,3 +1,11 @@
+apt (0.9.7.9.deb7u8) wheezy-security; urgency=high
+
+ * CVE-2019-3462: Fix a content injection vulnerability that could be
+ exploited to inject arbitrary .deb or other files into a signed
+ repository via injected redirect headers.
+
+ -- Chris Lamb <lamby@debian.org> Tue, 22 Jan 2019 20:51:26 +0000
+
apt (0.9.7.9+deb7u7) stable; urgency=medium
[ David Kalnischkies ]
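Review bot: the new changelog version `0.9.7.9.deb7u8` (a dot) deliberately differs from the `+deb7u8` used in the file paths of the same patch, per the commit message's workaround for bug #1419577, but nothing inside the patch says so; a short remark in the changelog entry or a comment next to `patch: apt-wheezy.diff` would stop a later reader from "correcting" it back to `+`. The ordering does work out: dpkg compares the non-digit parts by character value with letters sorting before other characters, and `.` sorts after `+`, so `0.9.7.9.deb7u8` is considered newer than both `0.9.7.9+deb7u7` and `0.9.7.9+deb7u8`.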

@ -51,6 +51,7 @@ jobs:
definition: debian-base
parent: debian7-raw
packages:
- deb7-apt
- deb7-gdb
- deb7-git
- deb7-make
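Review bot: adding `deb7-apt` to the package list gives debian-base the patched apt, but, as the commit message says, the `debian7-raw` parent (and `debian7-packages`) keeps the unpatched one, and that unpatched apt is what performs this install; that is the accepted chicken-and-egg case, so the remaining question is whether the installed version is the locally built package rather than the archive's `0.9.7.9+deb7u7`, which holds only because the rewritten version string in the changelog hunk sorts higher. Running `apt-cache policy apt` in the resulting image and confirming `0.9.7.9.deb7u8` as the installed version would close that loop.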

@ -24,6 +24,17 @@ job-defaults:
snapshot: 20171210T214726Z
jobs:
deb7-apt:
description: "Updated APT for Debian wheezy"
treeherder:
symbol: Deb7(apt)
run:
using: debian-package
dsc:
url: http://snapshot.debian.org/archive/debian/20141023T170002Z/pool/main/a/apt/apt_0.9.7.9%2Bdeb7u7.dsc
sha256: 7835d9f97acf8adcad7eee0eca2990eaef72ffe21272302d3c36d8053d6baf82
patch: apt-wheezy.diff
deb7-sqlite3:
description: "SQLite backport for Debian wheezy"
treeherder:
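Review bot: the `description` says only "Updated APT for Debian wheezy"; since the job exists for one security fix, naming it (for example `description: "APT for Debian wheezy with the CVE-2019-3462 fix"`) makes the purpose visible in treeherder and in later blame. The `.dsc` is pinned by `sha256` and `apt-wheezy.diff` lives in-tree, so the inputs are reproducible; for anyone reading the hunk, note that the pinned source is still `apt_0.9.7.9+deb7u7.dsc` and it is the patch, not a newer `.dsc`, that supplies both the fix and the version bump.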