Bug 1541821 - Update debian7 docker images for CVE-2019-3462. r=tomprince
This imports the changes from wheezy-lts (http://deb.freexian.com/extended-lts/) and creates a package we install in the debian7-based images (with a modified version number to work around bug #1419577). This leaves debian7-raw and debian7-packages unpatched, because of the chicken-and-egg problem. Depends on D26100 Differential Revision: https://phabricator.services.mozilla.com/D26102 --HG-- extra : moz-landing-system : lando
This commit is contained in:
parent
79886b9b57
commit
b22d57ac74
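--- a/build/debian-packages/apt-wheezy.diff
+++ b/build/debian-packages/apt-wheezy.diff
@@ -0,0 +1,31 @@
+diff -Nru apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc
+--- apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc 2013-03-01 19:51:21.000000000 +0900
++++ apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc 2019-01-23 05:51:06.000000000 +0900
+@@ -416,6 +416,12 @@
+* the worker will enqueue again later on to the right queue */
+void pkgAcqMethod::Redirect(const string &NewURI)
+{
++ if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
++ {
++ _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
++ Fail();
++ return;
++ }
+std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
+<< "New-URI: " << NewURI << "\n"
+<< "\n" << std::flush;
+diff -Nru apt-0.9.7.9+deb7u7/debian/changelog apt-0.9.7.9+deb7u8/debian/changelog
+--- apt-0.9.7.9+deb7u7/debian/changelog 2014-10-17 16:13:17.000000000 +0900
++++ apt-0.9.7.9+deb7u8/debian/changelog 2019-01-23 05:55:19.000000000 +0900
+@@ -1,3 +1,11 @@
++apt (0.9.7.9.deb7u8) wheezy-security; urgency=high
++
++ * CVE-2019-3462: Fix a content injection vulnerability that could be
++ exploited to inject arbitrary .deb or other files into a signed
++ repository via injected redirect headers.
++
++ -- Chris Lamb <lamby@debian.org> Tue, 22 Jan 2019 20:51:26 +0000
++
+apt (0.9.7.9+deb7u7) stable; urgency=medium
+
+[ David Kalnischkies ]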
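Review bot: The patch file carries no provenance header, and it is not a verbatim import: the changelog line `apt (0.9.7.9.deb7u8) wheezy-security; urgency=high` uses a dotted version while the surrounding file headers name `apt-0.9.7.9+deb7u8`, so a later refresh from wheezy-lts would silently drop that local edit. A DEP-3 style header before the first `diff -Nru` line would record it, e.g. `Description: CVE-2019-3462 fix from wheezy-lts apt 0.9.7.9+deb7u8; changelog version uses '.' instead of '+' to work around bug 1419577` followed by `Origin: http://deb.freexian.com/extended-lts/`. The acquire-method.cc change itself is a printable-ASCII allowlist on `NewURI`, so a CR/LF or any other control byte makes the method fail before the `103 Redirect` message is written; that is the upstream fix and nothing here should alter it. `pkgAcqMethod::Redirect` continues past the end of the inner hunk.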
@ -51,6 +51,7 @@ jobs:
definition: debian-base
parent: debian7-raw
packages:
- deb7-apt
- deb7-gdb
- deb7-git
- deb7-make
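Review bot: The new `- deb7-apt` entry looks exactly like the tooling packages below it, yet it is the only one that is a security update, and the caveat that `debian7-raw` (this image's parent) stays on the unpatched apt lives only in the commit message. A comment above the entry would keep that visible to whoever next edits the list, e.g. `# deb7-apt carries the CVE-2019-3462 fix; the debian7-raw parent itself is still unpatched (bug 1541821)`. The job this `packages:` list belongs to starts before the hunk, so its name is not visible here.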
@ -24,6 +24,17 @@ job-defaults:
snapshot: 20171210T214726Z
|
jobs:
deb7-apt:
description: "Updated APT for Debian wheezy"
treeherder:
symbol: Deb7(apt)
run:
using: debian-package
dsc:
url: http://snapshot.debian.org/archive/debian/20141023T170002Z/pool/main/a/apt/apt_0.9.7.9%2Bdeb7u7.dsc
sha256: 7835d9f97acf8adcad7eee0eca2990eaef72ffe21272302d3c36d8053d6baf82
patch: apt-wheezy.diff
|
deb7-sqlite3:
description: "SQLite backport for Debian wheezy"
treeherder:
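Review bot: The `description: "Updated APT for Debian wheezy"` line does not say what the update is, so nothing in this kind file ties the `deb7-apt` job to CVE-2019-3462 or explains why a pinned 2014 snapshot `.dsc` is fetched and patched instead of the `job-defaults` snapshot; `description: "APT for Debian wheezy with the CVE-2019-3462 fix (wheezy-lts deb7u8)"` would do. The `sha256:` pin covers only the `.dsc`; the orig tarball and Debian diff it references are presumably verified against the checksums inside the `.dsc` by the `debian-package` runner, which is outside this hunk — worth confirming, since that is what makes the plain `http://` fetch acceptable. The `jobs:` mapping continues past the end of the hunk.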