Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.1.15 2020-12-18T18:31:19Z 2020-12-18T18:31:19Z David Kalnischkies david@kalnischkies.de 2020-07-09T22:02:25Z urn:sha1:97d6c3b2d05fe0d965657197adf56cc78f9edf81 Every method opts in to getting the encoded URI passed along while keeping compat in case we are operated by an older acquire system. Effectively this is just a change for the http-based methods as the others just decode the URI as they work with files directly. 2020-12-18T18:31:19Z David Kalnischkies david@kalnischkies.de 2020-07-09T14:38:49Z urn:sha1:e6c55283d235aa9404395d30f2db891f36995c49 We do not deal a lot with URIs which need encoding, but then we do it is a pain that we store it decoded in the acquire system as it means we have to decode and reencode URIs eventually which is potentially giving us slightly different URIs. We see that in our own testing framework while setting up redirects as the config options are effectively double-encoded and decoded to pass them around successfully as otherwise %2f and / in an URI are treated the same. This commit adds the infrastructure for methods to opt into getting URIs send in encoded form (and returning them to us in encoded form, too) so that we eventually do not have to touch the URIs which is how it should be. This means though that we have to deal with methods who do not support this yet (aka: all at the moment) for which we decode and encode while communicating with them. 2020-12-18T18:02:05Z David Kalnischkies david@kalnischkies.de 2020-07-08T15:51:40Z urn:sha1:97be873d782c5e9aaa8b4f4f4e6e18805d0fa51c Our http method encodes the URI again which results in the double encoding we have unwrap in the webserver (we did already, but we skip the filename handling now which does the first decode). 2020-12-15T12:20:16Z Julian Andres Klode julian.klode@canonical.com 2020-12-15T12:20:16Z urn:sha1:b6c8c5ce2b255eb03554435a620934d47a2a14d5 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-05T18:55:30Z urn:sha1:df81895bce764dd02fbb4d67b92d28a730b5281f The integer overflow was detected by DonKult who added a check like this: (std::numeric_limits<decltype(Itm.Size)>::max() - (2 * sizeof(Block))) Which deals with the code as is, but also still is a fairly big limit, and could become fragile if we change the code. Let's limit our file sizes to 128 GiB, which should be sufficient for everyone. Original comment by DonKult: The code assumes that it can add sizeof(Block)-1 to the size of the item later on, but if we are close to a 64bit overflow this is not possible. Fixing this seems too complex compared to just ensuring there is enough room left given that we will have a lot more problems the moment we will be acting on files that large as if the item is that large, the (valid) tar including it probably doesn't fit in 64bit either. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-05T19:17:56Z urn:sha1:0444f9dd52c2bc7bec315f6f1ecad76a30713fa0 Like the code in arfile.cc, MemControlExtract also has buffer overflows, in code allocating memory for parsing control files. Specify an upper limit of 64 MiB for control files to both protect against the Size overflowing (we allocate Size + 2 bytes), and protect a bit against control files consisting only of zeroes. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-12-04T11:37:19Z urn:sha1:822db13d68658a1a20df2d19c688c18faa331616 Tarballs have long names and long link targets structured by a special tar header with a GNU extension followed by the actual content (padded to 512 bytes). Essentially, think of a name as a special kind of file. The limit of a file size in a header is 12 bytes, aka 10**12 or 1 TB. While this works OK-ish for file content that we stream to extractors, we need to copy file names into memory, and this opens us up to an OOM DoS attack. Limit the file name size to 1 MiB, as libarchive does, to make things safer. 2020-12-09T16:30:43Z Julian Andres Klode julian.klode@canonical.com 2020-10-19T11:22:33Z urn:sha1:d10c68d628fe5342d400a999a6d10c5c7c0cef41 GHSL-2020-169: This first hunk adds a check that we have more files left to read in the file than the size of the member, ensuring that (a) the number is not negative, which caused the crash here and (b) ensures that we similarly avoid other issues with trying to read too much data. GHSL-2020-168: Long file names are encoded by a special marker in the filename and then the real filename is part of what is normally the data. We did not check that the length of the file name is within the length of the member, which means that we got a overflow later when subtracting the length from the member size to get the remaining member size. The file createdeb-lp1899193.cc was provided by GitHub Security Lab and reformatted using apt coding style for inclusion in the test case, both of these issues have an automated test case in test/integration/test-ubuntu-bug-1899193-security-issues. LP: #1899193 2020-12-02T15:41:40Z Julian Andres Klode jak@debian.org 2020-12-02T15:41:40Z urn:sha1:eefadade6e886d9423c5d3145858891047c46abc Fixes lookup in as-installed testing Gbp-Dch: ignore 2020-11-25T18:02:03Z Julian Andres Klode jak@debian.org 2020-11-25T18:02:03Z urn:sha1:6530ce64d2337ab309d6c974202243abb09d2d04 Enhance rred for possible external usage See merge request apt-team/apt!136