- Fix CVE-2010-0396

dpkg.spec

@@ -1,6 +1,6 @@
 Name:           dpkg
 Version:        1.15.5.6
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Package maintenance system for Debian Linux
 Group:          System Environment/Base
 # The entire source code is GPLv2+ with exception of the following
@@ -17,6 +17,9 @@ Source1:        dpkg.archtable
 # Fedora specific patch to store files under /usr/share/dpkg, not these are not binary
 # libs. and set user search path to /usr/local/share/dpkg
 Patch1:         dpkg-change-libdir-path.patch
+# Fixes CVE-2010-0396 bugzilla #572522
+Patch2:		fedora-fix-CVE-2010-0396-00.patch
+Patch3:		fedora-fix-CVE-2010-0396-01.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  zlib-devel, bzip2-devel, libselinux-devel, gettext, ncurses-devel
 
@@ -58,6 +61,8 @@ dselect is a high-level interface for the installation/removal of debs .
 %setup -q
 
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 # Filter unwanted Requires:
 cat << \EOF > %{name}-req
@@ -196,6 +201,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Mar 11 2010 Andrew Colin Kissa <andrew@topdog.za.net> - 1.15.5.6-4
+- Fix CVE-2010-0396
+
 * Mon Feb 15 2010 Andrew Colin Kissa <andrew@topdog.za.net> - 1.15.5.6-3
 - review changes
 

fedora-fix-CVE-2010-0396-00.patch

@@ -0,0 +1,43 @@
+diff --git a/scripts/Dpkg/Source/Patch.pm b/scripts/Dpkg/Source/Patch.pm
+--- a/scripts/Dpkg/Source/Patch.pm
++++ b/scripts/Dpkg/Source/Patch.pm
+@@ -322,8 +322,9 @@ sub analyze {
+ 	    error(_g("expected ^--- in line %d of diff `%s'"), $., $diff);
+ 	}
+         $_ = strip_ts($_);
+-        if ($_ eq '/dev/null' or s{^(\./)?[^/]+/}{$destdir/}) {
++        if ($_ eq '/dev/null' or s{^[^/]+/}{$destdir/}) {
+             $fn = $_;
++	    error(_g("%s contains an insecure path: %s"), $diff, $_) if m{/\.\./};
+         }
+ 	if (/\.dpkg-orig$/) {
+ 	    error(_g("diff `%s' patches file with name ending .dpkg-orig"), $diff);
+@@ -336,8 +337,9 @@ sub analyze {
+ 	    error(_g("line after --- isn't as expected in diff `%s' (line %d)"), $diff, $.);
+ 	}
+         $_ = strip_ts($_);
+-        if ($_ eq '/dev/null' or s{^(\./)?[^/]+/}{$destdir/}) {
++        if ($_ eq '/dev/null' or s{^[^/]+/}{$destdir/}) {
+             $fn2 = $_;
++	    error(_g("%s contains an insecure path: %s"), $diff, $_) if m{/\.\./};
+         } else {
+             unless (defined $fn) {
+                 error(_g("none of the filenames in ---/+++ are relative in diff `%s' (line %d)"),
+@@ -363,6 +365,17 @@ sub analyze {
+ 	if ($dirname =~ s{/[^/]+$}{} && not -d $dirname) {
+ 	    $dirtocreate{$dirname} = 1;
+ 	}
++
++	# Sanity check, refuse to patch through a symlink
++	$dirname = $fn;
++	while (1) {
++	    if (-l $dirname) {
++		error(_g("diff %s modifies file %s through a symlink: %s"),
++		      $diff, $fn, $dirname);
++	    }
++	    last unless $dirname =~ s{/[^/]+$}{};
++	}
++
+ 	if (-e $fn and not -f _) {
+ 	    error(_g("diff `%s' patches something which is not a plain file"), $diff);
+ 	}

fedora-fix-CVE-2010-0396-01.patch

@@ -0,0 +1,11 @@
+diff --git a/scripts/Dpkg/Source/Package/V3/quilt.pm b/scripts/Dpkg/Source/Package/V3/quilt.pm
+--- a/scripts/Dpkg/Source/Package/V3/quilt.pm
++++ b/scripts/Dpkg/Source/Package/V3/quilt.pm
+@@ -123,6 +123,7 @@ sub read_patch_list {
+             }
+         }
+         next if $opts{"skip_auto"} and $_ eq $auto_patch;
++        error(_g("%s contains an insecure path: %s"), $file, $_) if m{(^|/)\.\./};
+         push @patches, $_;
+     }
+     close(SERIES);