Bug 1541821 - Update debian7 docker images for CVE-2019-3462. r=tomprince
authorMike Hommey <mh+mozilla@glandium.org>
Thu, 04 Apr 2019 16:23:58 +0000
changeset 468306 7d60a7fd2fac0ac7427666f2d857aeba128cc6d0
parent 468305 97fa367562a0f8faa9a3413f24a6542b16407c5d
child 468316 58b4488b771ae6b8f29f25bfb23eec1777f4ecf4
push id82498
push usermh@glandium.org
push dateSat, 06 Apr 2019 21:56:40 +0000
reviewerstomprince
bugs1541821, 1419577
milestone68.0a1
Bug 1541821 - Update debian7 docker images for CVE-2019-3462. r=tomprince This imports the changes from wheezy-lts (http://deb.freexian.com/extended-lts/) and creates a package that we install in the debian7-based images (with a modified version number to work around bug #1419577). This leaves debian7-raw and debian7-packages unpatched, because of the chicken-and-egg problem. Depends on D26100 Differential Revision: https://phabricator.services.mozilla.com/D26102
build/debian-packages/apt-wheezy.diff
taskcluster/ci/docker-image/kind.yml
taskcluster/ci/packages/kind.yml
new file mode 100644
--- /dev/null
+++ b/build/debian-packages/apt-wheezy.diff
@@ -0,0 +1,31 @@
+diff -Nru apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc
+--- apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc	2013-03-01 19:51:21.000000000 +0900
++++ apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc	2019-01-23 05:51:06.000000000 +0900
+@@ -416,6 +416,12 @@
+  * the worker will enqueue again later on to the right queue */
+ void pkgAcqMethod::Redirect(const string &NewURI)
+ {
++   if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
++   {
++      _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
++      Fail();
++      return;
++   }
+    std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
+ 	     << "New-URI: " << NewURI << "\n"
+ 	     << "\n" << std::flush;
+diff -Nru apt-0.9.7.9+deb7u7/debian/changelog apt-0.9.7.9+deb7u8/debian/changelog
+--- apt-0.9.7.9+deb7u7/debian/changelog	2014-10-17 16:13:17.000000000 +0900
++++ apt-0.9.7.9+deb7u8/debian/changelog	2019-01-23 05:55:19.000000000 +0900
+@@ -1,3 +1,11 @@
++apt (0.9.7.9.deb7u8) wheezy-security; urgency=high
++
++  * CVE-2019-3462: Fix a content injection vulnerability that could be
++    exploited to inject arbitrary .deb or other files into a signed
++    repository via injected redirect headers.
++
++ -- Chris Lamb <lamby@debian.org>  Tue, 22 Jan 2019 20:51:26 +0000
++
+ apt (0.9.7.9+deb7u7) stable; urgency=medium
+ 
+   [ David Kalnischkies ]
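Review bot: The guard added at the top of pkgAcqMethod::Redirect() rejects any byte outside the printable-ASCII allowlist (0x20–0x7E), which is stricter than the "control characters" wording of the error message suggests: DEL (0x7F) and every non-ASCII byte, including UTF-8 in a redirect target, are rejected as well, so a comment above the check should state that intent, e.g. `// CVE-2019-3462: a redirect target may contain only printable ASCII; anything else (control bytes, DEL, non-ASCII) is rejected before the 103 Redirect is emitted.` The long allowlist literal would also read better as a named constant than as an inline magic string. Only this one call site is hardened in the imported patch; whether the wheezy-lts deb7u8 change touched other files is not visible here and is worth confirming against the upstream source before relying on this package. Redirect() continues past the end of the hunk.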
--- a/taskcluster/ci/docker-image/kind.yml
+++ b/taskcluster/ci/docker-image/kind.yml
@@ -46,16 +46,17 @@ jobs:
     symbol: I(deb7-32-pkg)
     definition: debian-packages
     parent: debian7-i386-raw
   debian7-base:
     symbol: I(deb7-base)
     definition: debian-base
     parent: debian7-raw
     packages:
+      - deb7-apt
       - deb7-gdb
       - deb7-git
       - deb7-make
       - deb7-mercurial
       - deb7-python
       - deb7-python3.5
       - deb7-python3-defaults
       - deb7-python-zstandard
--- a/taskcluster/ci/packages/kind.yml
+++ b/taskcluster/ci/packages/kind.yml
@@ -19,16 +19,27 @@ job-defaults:
   worker:
     max-run-time: 1800
   run-on-projects: []
   run:
     dist: wheezy
     snapshot: 20171210T214726Z
 
 jobs:
+  deb7-apt:
+    description: "Updated APT for Debian wheezy"
+    treeherder:
+      symbol: Deb7(apt)
+    run:
+      using: debian-package
+      dsc:
+        url: http://snapshot.debian.org/archive/debian/20141023T170002Z/pool/main/a/apt/apt_0.9.7.9%2Bdeb7u7.dsc
+        sha256: 7835d9f97acf8adcad7eee0eca2990eaef72ffe21272302d3c36d8053d6baf82
+      patch: apt-wheezy.diff
+
   deb7-sqlite3:
     description: "SQLite backport for Debian wheezy"
     treeherder:
       symbol: Deb7(sqlite3)
     run:
       using: debian-package
       dsc:
         url: http://snapshot.debian.org/archive/debian/20171003T220520Z/pool/main/s/sqlite3/sqlite3_3.16.2-5.dsc