diff -Nru ant-1.9.3/debian/changelog ant-1.9.3/debian/changelog
--- ant-1.9.3/debian/changelog 2014-04-07 23:44:37.000000000 +0000
+++ ant-1.9.3/debian/changelog 2018-07-23 14:35:01.000000000 +0000
@@ -1,3 +1,29 @@
+ant (1.9.3-2ubuntu0.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Fix ZipSlip vulnerability
+ - debian/patches/CVE-2018-10886-1.patch: don't extract entires outside of
+ the destination directory in
+ src/main/org/apache/tools/ant/taskdefs/Expand.java,
+ src/tests/antunit/taskdefs/unzip-test.xml
+ - debian/patches/CVE-2018-10886-2.patch: Update the manual
+ manual/Tasks/unzip.html
+ - debian/patches/CVE-2018-10886-3.patch: Small update to the manual entry
+ manual/Tasks/unzip.html
+ - debian/patches/CVE-2018-10886-4.patch: Change stripAbsolutePathSpec's
+ default value
+ manual/Tasks/unzip.html
+ src/main/org/apache/tools/ant/taskdefs/Expand.java
+ - debian/patches/CVE-2018-10886-5.patch: add additional isLeadingPath
+ method that resolves symlinks
+ src/main/org/apache/tools/ant/util/FileUtils.java
+ src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+ - debian/patches/CVE-2018-10886-6.patch: take symlinks into account when
+ expanding archives and checking entries
+ src/main/org/apache/tools/ant/taskdefs/Expand.java
+ - CVE-2018-10886
+
+ -- Mike Salvatore
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-3.patch ant-1.9.3/debian/patches/CVE-2018-10886-3.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-3.patch 2018-07-23 14:06:50.000000000 +0000
@@ -0,0 +1,22 @@
+From f72406d53cfb3b3425cc9d000eea421a0e05d8fe Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sat, 21 Apr 2018 20:03:07 +0200
+Subject: [PATCH] and forgot two words, oh my
+
+---
+ manual/Tasks/unzip.html | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/manual/Tasks/unzip.html b/manual/Tasks/unzip.html
+index 6b3eed374e..bf607b516b 100644
+--- a/manual/Tasks/unzip.html
++++ b/manual/Tasks/unzip.html
+@@ -144,7 +144,7 @@ Parameters
+ to be outside of the dest directory.
+ since Ant 1.9.12
+No, defaults to false unless
+- stripAbsolutePathSpec and the entry's name starts with a leading
++ stripAbsolutePathSpec is true and the entry's name starts with a leading
+ path spec.
+
+
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-4.patch ant-1.9.3/debian/patches/CVE-2018-10886-4.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-4.patch 2018-07-23 14:06:56.000000000 +0000
@@ -0,0 +1,51 @@
+From 857095da5153fd18504b46f276d84f1e76a66970 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sat, 5 May 2018 17:28:12 +0200
+Subject: [PATCH] change stripAbsolutePathSpec's default, credit Snyk
+
+---
+ WHATSNEW | 4 +++-
+ manual/Tasks/unzip.html | 3 ++-
+ src/main/org/apache/tools/ant/taskdefs/Expand.java | 2 +-
+ src/tests/antunit/taskdefs/unzip-test.xml | 10 +++++-----
+ 4 files changed, 11 insertions(+), 8 deletions(-)
+
+#--- a/WHATSNEW
+#+++ b/WHATSNEW
+#@@ -193,10 +193,12 @@ Changes that could break older environme
+# destination directory anymore by default. A new attribute
+# allowFilesToEscapeDest can be used to override the behavior.
+# Another special case is when stripAbsolutePathSpec is false (which
+#- still is the default) and the entry's name starts with a
+#+ no longer is the default) and the entry's name starts with a
+# (back)slash and allowFilesToEscapeDest hasn't been specified
+# explicitly, in this case the file may be created outside of the
+# dest directory as well.
+#+ In addition stripAbsolutePathSpec is now true by default.
+#+ Based on a recommendation by the Snyk Security Research Team.
+#
+# Fixed bugs:
+# -----------
+--- a/manual/Tasks/unzip.html
++++ b/manual/Tasks/unzip.html
+@@ -126,7 +126,8 @@ archive.
+ Note that this changes the entry's name before applying
+ include/exclude patterns and before using the nested mappers (if
+ any). 
since Ant 1.8.0
+- No, defaults to false
++No, defaults to true since 1.9.12
++ (used to default to false prior to that)
+
+
+ scanForUnicodeExtraFields
+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -67,7 +67,7 @@ public class Expand extends Task {
+ private Union resources = new Union();
+ private boolean resourcesSpecified = false;
+ private boolean failOnEmptyArchive = false;
+- private boolean stripAbsolutePathSpec = false;
++ private boolean stripAbsolutePathSpec = true;
+ private boolean scanForUnicodeExtraFields = true;
+ private Boolean allowFilesToEscapeDest = null;
+
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-5.patch ant-1.9.3/debian/patches/CVE-2018-10886-5.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-5.patch 2018-07-23 14:08:11.000000000 +0000
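Review bot: The diffstat of CVE-2018-10886-4.patch still lists `src/tests/antunit/taskdefs/unzip-test.xml | 10 +++++-----`, but the patch as carried holds no hunk for that file (and its WHATSNEW hunk is commented out with `#`), so the flipped default in Expand.java, `private boolean stripAbsolutePathSpec = true;`, appears to ship without the test update the diffstat refers to. Either carry the antunit changes or state in the patch header why they were dropped, so a later backporter can tell whether the new default is covered. The field would also benefit from a one-line comment such as `// true by default: a leading path spec is stripped from entry names unless the build file overrides it`. The Expand class continues outside the hunk.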
@@ -0,0 +1,97 @@
+From 6a41d62cb9ab4e640b72cb4de42a6c211dea645d Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sun, 1 Jul 2018 11:03:01 +0200
+Subject: [PATCH] add additional isLeadingPath method that resolves symlinks
+
+---
+ src/main/org/apache/tools/ant/util/FileUtils.java | 30 +++++++++++++++++++++
+ .../org/apache/tools/ant/util/FileUtilsTest.java | 31 ++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+--- a/src/main/org/apache/tools/ant/util/FileUtils.java
++++ b/src/main/org/apache/tools/ant/util/FileUtils.java
+@@ -1191,6 +1191,36 @@ public class FileUtils {
+ }
+
+ /**
++ * Learn whether one path "leads" another.
++ *
++ * @param leading The leading path, must not be null, must be absolute.
++ * @param path The path to check, must not be null, must be absolute.
++ * @param resolveSymlinks whether symbolic links shall be resolved
++ * prior to comparing the paths.
++ * @return true if path starts with leading; false otherwise.
++ * @since Ant 1.9.13
++ * @throws IOException if resolveSymlinks is true and invoking
++ * getCanonicaPath on either argument throws an exception
++ */
++ public boolean isLeadingPath(File leading, File path, boolean resolveSymlinks)
++ throws IOException {
++ if (!resolveSymlinks) {
++ return isLeadingPath(leading, path);
++ }
++ String l = leading.getCanonicalPath();
++ String p = path.getCanonicalPath();
++ if (l.equals(p)) {
++ return true;
++ }
++ // ensure that l ends with a /
++ // so we never think /foo was a parent directory of /foobar
++ if (!l.endsWith(File.separator)) {
++ l += File.separator;
++ }
++ return p.startsWith(l);
++ }
++
++ /**
+ * Constructs a file:
URI that represents the
+ * external form of the given pathname.
+ *
+--- a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
++++ b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+@@ -23,6 +23,11 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+
+ import junit.framework.TestCase;
++import static org.junit.Assert.assertFalse;
++import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
++import static org.junit.Assume.assumeFalse;
++import static org.junit.Assume.assumeTrue;
+
+ import org.apache.tools.ant.BuildException;
+ import org.apache.tools.ant.taskdefs.condition.Os;
+@@ -587,6 +592,33 @@ public class FileUtilsTest extends TestC
+ }
+
+ /**
++ * @see "https://bz.apache.org/bugzilla/show_bug.cgi?id=62502"
++ */
++ public void isLeadingPathCanonicalVersionCannotBeFooledByTooManyDoubleDots() throws IOException {
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/../../bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("c:\\foo"), new File("c:\\foo\\..\\..\\bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/../.."), true));
++ }
++
++ public void isLeadingPathCanonicalVersionWorksAsExpectedOnUnix() throws IOException {
++ assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/baz/../bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/../foo/bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foobar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/bar"), true));
++ }
++
++ public void isLeadingPathCanonicalVersionWorksAsExpectedOnDos() throws IOException {
++ assumeTrue("Test only runs on DOS", Os.isFamily("dos"));
++ assertTrue(FILE_UTILS.isLeadingPath(new 
File("C:\\foo"), new File("C:\\foo\\bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foo\\baz\\..\\bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foo\\..\\foo\\bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foobar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\bar"), true));
++ }
++
++ /**
+ * adapt file separators to local conventions
+ */
+ private String localize(String path) {
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-6.patch ant-1.9.3/debian/patches/CVE-2018-10886-6.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-6.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-6.patch 2018-07-23 14:10:08.000000000 +0000
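Review bot: The three `isLeadingPathCanonicalVersion…` methods added to FileUtilsTest.java in CVE-2018-10886-5.patch will probably never execute: the hunk header shows the class extending JUnit 3's `TestCase` (`FileUtilsTest extends TestC…`), whose runner only picks up public methods named `test…`, and the hunk adds no `@Test` annotation. Renaming them, e.g. `testIsLeadingPathCanonicalVersionCannotBeFooledByTooManyDoubleDots`, would let the package build actually exercise the symlink-resolving `isLeadingPath(File, File, boolean)`. In FileUtils.java the new Javadoc has a typo, `getCanonicaPath` for `getCanonicalPath`, and it could also say that with `resolveSymlinks` false the call simply delegates to the two-argument overload. Both classes continue outside their hunks.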
@@ -0,0 +1,27 @@
+From 5a8c37b271677587046bfd0fea18c1675d5a6300 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sun, 1 Jul 2018 11:03:28 +0200
+Subject: [PATCH] take symlinks into account when expanding archives and
+ checking entries
+
+---
+ src/main/org/apache/tools/ant/taskdefs/Expand.java | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/org/apache/tools/ant/taskdefs/Expand.java b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+index b3897efc6a..039f203ff2 100644
+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -333,9 +333,9 @@ protected void extractFile(FileUtils fileUtils, File srcF, File dir,
+ mappedNames = new String[] {entryName};
+ }
+ File f = fileUtils.resolveFile(dir, mappedNames[0]);
+- if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
+- log("skipping " + entryName + " as its target " + f + " is outside of "
+- + dir + ".", Project.MSG_VERBOSE);
++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f, true)) {
++ log("skipping " + entryName + " as its target " + f.getCanonicalPath()
++ + " is outside of " + dir.getCanonicalPath() + ".", Project.MSG_VERBOSE);
+ return;
+ }
+
diff -Nru ant-1.9.3/debian/patches/series ant-1.9.3/debian/patches/series
--- ant-1.9.3/debian/patches/series 2014-02-16 12:56:07.000000000 +0000
+++ ant-1.9.3/debian/patches/series 2018-07-23 14:10:08.000000000 +0000
@@ -5,3 +5,9 @@
 0007-use-build.classpath.patch
 0008-junit4-replace-assumeFalse.patch
 0009-fix-NullPointerException-when-no-destdir-was-set.patch
+CVE-2018-10886-1.patch
+CVE-2018-10886-2.patch
+CVE-2018-10886-3.patch
+CVE-2018-10886-4.patch
+CVE-2018-10886-5.patch
+CVE-2018-10886-6.patch
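Review bot: In CVE-2018-10886-6.patch the skip inside `extractFile` is still reported only at `Project.MSG_VERBOSE`, so in a default build log an entry that was rejected for resolving outside `dir` leaves no trace; raising that `log(...)` call to `Project.MSG_WARN` would make a malformed or hostile archive visible to whoever runs the build. The new message also calls `f.getCanonicalPath()` and `dir.getCanonicalPath()`, which can throw `IOException` just as `isLeadingPath(dir, f, true)` can; that aborts the extraction instead of skipping the entry, which is the safe direction but deserves a short comment such as `// canonicalisation failures propagate: fail rather than extract an unchecked entry`. `extractFile` starts and ends outside the hunk, so its `throws` clause is not visible here.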