community/bzr: security fix (CVE-2017-14176)

Fixes #8297
2025-08-06 05:47:13 +02:00 · 2017-12-29 10:50:22 +00:00 · 2017-12-29 10:50:22 +00:00 · 16bd40a6c3
commit 16bd40a6c3
parent fdcd6d1c87
2 changed files with 177 additions and 10 deletions
--- a/community/bzr/APKBUILD
+++ b/community/bzr/APKBUILD
@ -1,7 +1,7 @@
 # Maintainer: William Pitcock <nenolod@dereferenced.org>
 pkgname=bzr
 pkgver=2.7.0
-pkgrel=0
+pkgrel=1
 pkgdesc="A scalable distributed SCM tool"
 url="http://bazaar.canonical.com/"
 arch="all"
@ -9,17 +9,19 @@ license="GPL2+"
 depends="python2"
 makedepends="python2-dev"
 subpackages="$pkgname-doc"
-source="http://launchpad.net/${pkgname}/${pkgver%.*}/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz"
+source="http://launchpad.net/${pkgname}/${pkgver%.*}/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz
 	CVE-2017-14176.patch
 	"
 builddir="$srcdir"/$pkgname-$pkgver
 _builddir="$srcdir"/$pkgname-$pkgver
 build() {
-	cd "$_builddir"
+	cd "$builddir"
-	python2 setup.py build || return 1
+	python2 setup.py build
 }
 package() {
-	cd "$_builddir"
+	cd "$builddir"
-	python2 setup.py install --root="$pkgdir" || return 1
+	python2 setup.py install --root="$pkgdir"
 }
 doc() {
@ -28,6 +30,5 @@ doc() {
 	default_doc
 }
-md5sums="8e5020502efd54f5925a14a456b88b89  bzr-2.7.0.tar.gz"
+sha512sums="c39ad3715d865788da74d8de8b469e1dc93d18b6cbcbc569464cdeb9bb2173bf8d7f4f8ee8f7599fbcbbe322817a4c72e785d544e622753699c425c32597d9aa  bzr-2.7.0.tar.gz
-sha256sums="0d451227b705a0dd21d8408353fe7e44d3a5069e6c4c26e5f146f1314b8fdab3  bzr-2.7.0.tar.gz"
+fd3027d859e6b2b07d3f408d9f0c2b5d9a66f83aae9dfdee9ca0c47a1b5969109418a73e9801da29b2179190c801f6cadde4f1e3fc80ed09650dd1e7fe4e2f5d  CVE-2017-14176.patch"
 sha512sums="c39ad3715d865788da74d8de8b469e1dc93d18b6cbcbc569464cdeb9bb2173bf8d7f4f8ee8f7599fbcbbe322817a4c72e785d544e622753699c425c32597d9aa  bzr-2.7.0.tar.gz"
--- a/community/bzr/CVE-2017-14176.patch
+++ b/community/bzr/CVE-2017-14176.patch
@ -0,0 +1,166 @@
 Fix CVE-2017-14176:
 https://bugs.launchpad.net/bzr/+bug/1710979
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
 Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1:
 https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
 Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
 Bug: https://bugs.launchpad.net/brz/+bug/1710979
 Bug-Debian: https://bugs.debian.org/874429
 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
 Forwarded: no
 Author: Jelmer Vernooĳ <address@hidden>
 Last-Update: 2017-11-26
 === modified file 'bzrlib/tests/test_ssh_transport.py'
 --- old/bzrlib/tests/test_ssh_transport.py     2010-10-07 12:45:51 +0000
 +++ new/bzrlib/tests/test_ssh_transport.py     2017-08-20 01:59:20 +0000
@@ -22,6 +22,7 @@
     SSHCorpSubprocessVendor,
     LSHSubprocessVendor,
     SSHVendorManager,
 +    StrangeHostname,
     )
@@ -161,6 +162,19 @@
 class SubprocessVendorsTests(TestCase):
 +    def test_openssh_command_tricked(self):
 +        vendor = OpenSSHSubprocessVendor()
 +        self.assertEqual(
 +            vendor._get_vendor_specific_argv(
 +                "user", "-oProxyCommand=blah", 100, command=["bzr"]),
 +            ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
 +                "-oClearAllForwardings=yes",
 +                "-oNoHostAuthenticationForLocalhost=yes",
 +                "-p", "100",
 +                "-l", "user",
 +                "--",
 +                "-oProxyCommand=blah", "bzr"])
 +
     def test_openssh_command_arguments(self):
         vendor = OpenSSHSubprocessVendor()
         self.assertEqual(
@@ -171,6 +185,7 @@
                 "-oNoHostAuthenticationForLocalhost=yes",
                 "-p", "100",
                 "-l", "user",
 +                "--",
                 "host", "bzr"]
             )
@@ -184,9 +199,16 @@
                 "-oNoHostAuthenticationForLocalhost=yes",
                 "-p", "100",
                 "-l", "user",
 -                "-s", "host", "sftp"]
 +                "-s", "--", "host", "sftp"]
             )
 +    def test_openssh_command_tricked(self):
 +        vendor = SSHCorpSubprocessVendor()
 +        self.assertRaises(
 +            StrangeHostname,
 +            vendor._get_vendor_specific_argv,
 +                "user", "-oProxyCommand=host", 100, command=["bzr"])
 +
     def test_sshcorp_command_arguments(self):
         vendor = SSHCorpSubprocessVendor()
         self.assertEqual(
@@ -209,6 +231,13 @@
                 "-s", "sftp", "host"]
             )
 +    def test_lsh_command_tricked(self):
 +        vendor = LSHSubprocessVendor()
 +        self.assertRaises(
 +            StrangeHostname,
 +            vendor._get_vendor_specific_argv,
 +                "user", "-oProxyCommand=host", 100, command=["bzr"])
 +
     def test_lsh_command_arguments(self):
         vendor = LSHSubprocessVendor()
         self.assertEqual(
@@ -231,6 +260,13 @@
                 "--subsystem", "sftp", "host"]
             )
 +    def test_plink_command_tricked(self):
 +        vendor = PLinkSubprocessVendor()
 +        self.assertRaises(
 +            StrangeHostname,
 +            vendor._get_vendor_specific_argv,
 +                "user", "-oProxyCommand=host", 100, command=["bzr"])
 +
     def test_plink_command_arguments(self):
         vendor = PLinkSubprocessVendor()
         self.assertEqual(
 === modified file 'bzrlib/transport/ssh.py'
 --- old/bzrlib/transport/ssh.py        2015-07-31 01:04:41 +0000
 +++ new/bzrlib/transport/ssh.py        2017-08-20 01:59:20 +0000
@@ -46,6 +46,10 @@
     from paramiko.sftp_client import SFTPClient
 +class StrangeHostname(errors.BzrError):
 +    _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
 +
 +
 SYSTEM_HOSTKEYS = {}
 BZR_HOSTKEYS = {}
@@ -360,6 +364,11 @@
     # tests, but beware of using PIPE which may hang due to not being read.
     _stderr_target = None
 +    @staticmethod
 +    def _check_hostname(arg):
 +        if arg.startswith('-'):
 +            raise StrangeHostname(hostname=arg)
 +
     def _connect(self, argv):
         # Attempt to make a socketpair to use as stdin/stdout for the SSH
         # subprocess.  We prefer sockets to pipes because they support
@@ -424,9 +433,9 @@
         if username is not None:
             args.extend(['-l', username])
         if subsystem is not None:
 -            args.extend(['-s', host, subsystem])
 +            args.extend(['-s', '--', host, subsystem])
         else:
 -            args.extend([host] + command)
 +            args.extend(['--', host] + command)
         return args
 register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
@@ -439,6 +448,7 @@
     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
                                   command=None):
 +        self._check_hostname(host)
         args = [self.executable_path, '-x']
         if port is not None:
             args.extend(['-p', str(port)])
@@ -460,6 +470,7 @@
     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
                                   command=None):
 +        self._check_hostname(host)
         args = [self.executable_path]
         if port is not None:
             args.extend(['-p', str(port)])
@@ -481,6 +492,7 @@
     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
                                   command=None):
 +        self._check_hostname(host)
         args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
         if port is not None:
             args.extend(['-P', str(port)])