diff -Nru ant-1.9.3/debian/changelog ant-1.9.3/debian/changelog
--- ant-1.9.3/debian/changelog 2014-04-07 23:44:37.000000000 +0000
+++ ant-1.9.3/debian/changelog 2018-07-23 14:35:01.000000000 +0000
@@ -1,3 +1,29 @@
+ant (1.9.3-2ubuntu0.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Fix ZipSlip vulnerability
+ - debian/patches/CVE-2018-10886-1.patch: don't extract entires outside of
+ the destination directory in
+ src/main/org/apache/tools/ant/taskdefs/Expand.java,
+ src/tests/antunit/taskdefs/unzip-test.xml
+ - debian/patches/CVE-2018-10886-2.patch: Update the manual
+ manual/Tasks/unzip.html
+ - debian/patches/CVE-2018-10886-3.patch: Small update to the manual entry
+ manual/Tasks/unzip.html
+ - debian/patches/CVE-2018-10886-4.patch: Change stripAbsolutePathSpec's
+ default value
+ manual/Tasks/unzip.html
+ src/main/org/apache/tools/ant/taskdefs/Expand.java
+ - debian/patches/CVE-2018-10886-5.patch: add additional isLeadingPath
+ method that resolves symlinks
+ src/main/org/apache/tools/ant/util/FileUtils.java
+ src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+ - debian/patches/CVE-2018-10886-6.patch: take symlinks into account when
+ expanding archives and checking entries
+ src/main/org/apache/tools/ant/taskdefs/Expand.java
+ - CVE-2018-10886
+
+ -- Mike Salvatore Mon, 23 Jul 2018 09:07:56 -0400
+
 ant (1.9.3-2build1) trusty; urgency=medium
 
 * No-change upload to build the ant-gcj package on ppc64el.
diff -Nru ant-1.9.3/debian/control ant-1.9.3/debian/control
--- ant-1.9.3/debian/control 2014-02-16 12:51:31.000000000 +0000
+++ ant-1.9.3/debian/control 2018-07-19 19:38:31.000000000 +0000
@@ -1,7 +1,8 @@
 Source: ant
 Section: java
 Priority: optional
-Maintainer: Debian Java Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Java Maintainers
 Uploaders: Matthias Klose ,
 Ludovic Claude ,
 Torsten Werner ,
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-1.patch ant-1.9.3/debian/patches/CVE-2018-10886-1.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-1.patch 2018-07-23 14:06:35.000000000 +0000
@@ -0,0 +1,106 @@
+From e56e54565804991c62ec76dad385d2bdda8972a7 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sat, 21 Apr 2018 19:55:02 +0200
+Subject: [PATCH] unzip and friends could monitor where they write more closely
+
+---
+ WHATSNEW | 13 ++++++
+ src/main/org/apache/tools/ant/taskdefs/Expand.java | 35 +++++++++++++++-
+ src/tests/antunit/taskdefs/unzip-test.xml | 46 +++++++++++++++++++++
+ .../antunit/taskdefs/zip/direscape-absolute.zip | Bin 0 -> 332 bytes
+ src/tests/antunit/taskdefs/zip/direscape.zip | Bin 0 -> 332 bytes
+ 5 files changed, 92 insertions(+), 2 deletions(-)
+ #create mode 100644 src/tests/antunit/taskdefs/zip/direscape-absolute.zip
+ #create mode 100644 src/tests/antunit/taskdefs/zip/direscape.zip
+
+#--- a/WHATSNEW
+#+++ b/WHATSNEW
+#@@ -185,6 +185,19 @@ Other changes:
+# Changes from Ant 1.10.0 TO Ant 1.10.1
+# =====================================
+#
+#+Changes that could break older environments:
+#+-------------------------------------------
+#+
+#+ * , and will no longer extract entries whose
+#+ names would make the created files be placed outside of the
+#+ destination directory anymore by default. A new attribute
+#+ allowFilesToEscapeDest can be used to override the behavior.
+#+ Another special case is when stripAbsolutePathSpec is false (which
+#+ still is the default) and the entry's name starts with a
+#+ (back)slash and allowFilesToEscapeDest hasn't been specified
+#+ explicitly, in this case the file may be created outside of the
+#+ dest directory as well.
+#+
+# Fixed bugs:
+# -----------
+#
+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -69,6 +69,7 @@ public class Expand extends Task {
+ private boolean failOnEmptyArchive = false;
+ private boolean stripAbsolutePathSpec = false;
+ private boolean scanForUnicodeExtraFields = true;
++ private Boolean allowFilesToEscapeDest = null;
+
+ public static final String NATIVE_ENCODING = "native-encoding";
+
+@@ -256,14 +257,17 @@ public class Expand extends Task {
+ boolean isDirectory, FileNameMapper mapper)
+ throws IOException {
+
+- if (stripAbsolutePathSpec && entryName.length() > 0
++ final boolean entryNameStartsWithPathSpec = entryName.length() > 0
+ && (entryName.charAt(0) == File.separatorChar
+ || entryName.charAt(0) == '/'
+- || entryName.charAt(0) == '\\')) {
++ || entryName.charAt(0) == '\\');
++ if (stripAbsolutePathSpec && entryNameStartsWithPathSpec) {
+ log("stripped absolute path spec from " + entryName,
+ Project.MSG_VERBOSE);
+ entryName = entryName.substring(1);
+ }
++ boolean allowedOutsideOfDest = Boolean.TRUE == getAllowFilesToEscapeDest()
++ || null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec;
+
+ if (patternsets != null && patternsets.size() > 0) {
+ String name = entryName.replace('/', File.separatorChar)
+@@ -329,6 +333,12 @@ public class Expand extends Task {
+ mappedNames = new String[] {entryName};
+ }
+ File f = fileUtils.resolveFile(dir, mappedNames[0]);
++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
++ log("skipping " + entryName + " as its target " + f + " is outside of "
++ + dir + ".", Project.MSG_VERBOSE);
++ return;
++ }
++
+ try {
+ if (!overwrite && f.exists()
+ && f.lastModified() >= entryDate.getTime()) {
+@@ -524,4 +534,25 @@ public class Expand extends Task {
+ return scanForUnicodeExtraFields;
+ }
+
++ /**
++ * Whether to allow the extracted file or directory to be outside of the dest
directory.
++ *
++ * @param b the flag
++ * @since Ant 1.9.12
++ */
++ public void setAllowFilesToEscapeDest(boolean b) {
++ allowFilesToEscapeDest = b;
++ }
++
++ /**
++ * Whether to allow the extracted file or directory to be outside of the dest directory.
++ *
++ * @return {@code null} if the flag hasn't been set explicitly,
++ * otherwise the value set by the user.
++ * @since Ant 1.9.12
++ */
++ public Boolean getAllowFilesToEscapeDest() {
++ return allowFilesToEscapeDest;
++ }
++
+ }
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-2.patch ant-1.9.3/debian/patches/CVE-2018-10886-2.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-2.patch 2018-07-23 14:06:44.000000000 +0000
@@ -0,0 +1,27 @@
+From 1a2b1e37e3616991588f21efa89c474dd6ff83ff Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sat, 21 Apr 2018 20:01:02 +0200
+Subject: [PATCH] forgot to update the manual
+
+---
+ manual/Tasks/unzip.html | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/manual/Tasks/unzip.html
++++ b/manual/Tasks/unzip.html
+@@ -138,6 +138,15 @@ archive.
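Review bot: `Boolean.TRUE == getAllowFilesToEscapeDest()` in the new `allowedOutsideOfDest` initialiser compares references; it is correct only because `setAllowFilesToEscapeDest(boolean b)` boxes through `Boolean.valueOf`, which hands back the canonical instance, and it reads as a bug to anyone who later adds a `Boolean`-typed setter. `boolean allowedOutsideOfDest = Boolean.TRUE.equals(getAllowFilesToEscapeDest()) || (null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec);` says the same thing without leaning on boxing and makes the `||`/`&&` grouping explicit. The patch's own diffstat lists `src/tests/antunit/taskdefs/unzip-test.xml` and two zip fixtures, but the body carries only the commented-out WHATSNEW hunk and the Expand.java hunks, so the escape check lands in this package without the upstream regression test (the CVE-2018-10886-4 patch drops its `unzip-test.xml` change the same way). extractFile begins and ends outside the hunk.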

+ zip task page + No, defaults to true + ++ ++ allowFilesToEscapeDest ++ Whether to allow the extracted file or directory ++ to be outside of the dest directory. ++ since Ant 1.9.12 ++ No, defaults to false unless ++ stripAbsolutePathSpec and the entry's name starts with a leading ++ path spec. ++ + +

Examples

+
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-3.patch ant-1.9.3/debian/patches/CVE-2018-10886-3.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-3.patch	1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-3.patch	2018-07-23 14:06:50.000000000 +0000
@@ -0,0 +1,22 @@
+From f72406d53cfb3b3425cc9d000eea421a0e05d8fe Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig 
+Date: Sat, 21 Apr 2018 20:03:07 +0200
+Subject: [PATCH] and forgot two words, oh my
+
+---
+ manual/Tasks/unzip.html | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/manual/Tasks/unzip.html b/manual/Tasks/unzip.html
+index 6b3eed374e..bf607b516b 100644
+--- a/manual/Tasks/unzip.html
++++ b/manual/Tasks/unzip.html
+@@ -144,7 +144,7 @@ 

Parameters

+ to be outside of the dest directory.
+ since Ant 1.9.12
+ No, defaults to false unless
+- stripAbsolutePathSpec and the entry's name starts with a leading
++ stripAbsolutePathSpec is true and the entry's name starts with a leading
+ path spec.
+
+
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-4.patch ant-1.9.3/debian/patches/CVE-2018-10886-4.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-4.patch 2018-07-23 14:06:56.000000000 +0000
@@ -0,0 +1,51 @@
+From 857095da5153fd18504b46f276d84f1e76a66970 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sat, 5 May 2018 17:28:12 +0200
+Subject: [PATCH] change stripAbsolutePathSpec's default, credit Snyk
+
+---
+ WHATSNEW | 4 +++-
+ manual/Tasks/unzip.html | 3 ++-
+ src/main/org/apache/tools/ant/taskdefs/Expand.java | 2 +-
+ src/tests/antunit/taskdefs/unzip-test.xml | 10 +++++-----
+ 4 files changed, 11 insertions(+), 8 deletions(-)
+
+#--- a/WHATSNEW
+#+++ b/WHATSNEW
+#@@ -193,10 +193,12 @@ Changes that could break older environme
+# destination directory anymore by default. A new attribute
+# allowFilesToEscapeDest can be used to override the behavior.
+# Another special case is when stripAbsolutePathSpec is false (which
+#- still is the default) and the entry's name starts with a
+#+ no longer is the default) and the entry's name starts with a
+# (back)slash and allowFilesToEscapeDest hasn't been specified
+# explicitly, in this case the file may be created outside of the
+# dest directory as well.
+#+ In addition stripAbsolutePathSpec is now true by default.
+#+ Based on a recommendation by the Snyk Security Research Team.
+#
+# Fixed bugs:
+# -----------
+--- a/manual/Tasks/unzip.html
++++ b/manual/Tasks/unzip.html
+@@ -126,7 +126,8 @@ archive.

+ Note that this changes the entry's name before applying
+ include/exclude patterns and before using the nested mappers (if
+ any). since Ant 1.8.0
+- No, defaults to false
++ No, defaults to true since 1.9.12
++ (used to default to false prior to that)
+
+
+ scanForUnicodeExtraFields
+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -67,7 +67,7 @@ public class Expand extends Task {
+ private Union resources = new Union();
+ private boolean resourcesSpecified = false;
+ private boolean failOnEmptyArchive = false;
+- private boolean stripAbsolutePathSpec = false;
++ private boolean stripAbsolutePathSpec = true;
+ private boolean scanForUnicodeExtraFields = true;
+ private Boolean allowFilesToEscapeDest = null;
+
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-5.patch ant-1.9.3/debian/patches/CVE-2018-10886-5.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-5.patch 2018-07-23 14:08:11.000000000 +0000
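Review bot: Flipping the field initialiser to `private boolean stripAbsolutePathSpec = true;` quietly changes what the `null == getAllowFilesToEscapeDest() && !stripAbsolutePathSpec && entryNameStartsWithPathSpec` special case in extractFile means: an explicit `stripAbsolutePathSpec="false"` is now also an implicit opt-in to writing leading-(back)slash entries outside dest, and nothing at the field says so. A comment on the field such as `// true since 1.9.12; an explicit false also lets leading-(back)slash entries escape dest unless allowFilesToEscapeDest is set — see extractFile` would keep that coupling visible to the next maintainer. If the `setStripAbsolutePathSpec` Javadoc elsewhere in Expand.java still states the old default, it needs the same update the manual gets here; it is not visible in this hunk.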
@@ -0,0 +1,97 @@
+From 6a41d62cb9ab4e640b72cb4de42a6c211dea645d Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sun, 1 Jul 2018 11:03:01 +0200
+Subject: [PATCH] add additional isLeadingPath method that resolves symlinks
+
+---
+ src/main/org/apache/tools/ant/util/FileUtils.java | 30 +++++++++++++++++++++
+ .../org/apache/tools/ant/util/FileUtilsTest.java | 31 ++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+--- a/src/main/org/apache/tools/ant/util/FileUtils.java
++++ b/src/main/org/apache/tools/ant/util/FileUtils.java
+@@ -1191,6 +1191,36 @@ public class FileUtils {
+ }
+
+ /**
++ * Learn whether one path "leads" another.
++ *
++ * @param leading The leading path, must not be null, must be absolute.
++ * @param path The path to check, must not be null, must be absolute.
++ * @param resolveSymlinks whether symbolic links shall be resolved
++ * prior to comparing the paths.
++ * @return true if path starts with leading; false otherwise.
++ * @since Ant 1.9.13
++ * @throws IOException if resolveSymlinks is true and invoking
++ * getCanonicaPath on either argument throws an exception
++ */
++ public boolean isLeadingPath(File leading, File path, boolean resolveSymlinks)
++ throws IOException {
++ if (!resolveSymlinks) {
++ return isLeadingPath(leading, path);
++ }
++ String l = leading.getCanonicalPath();
++ String p = path.getCanonicalPath();
++ if (l.equals(p)) {
++ return true;
++ }
++ // ensure that l ends with a /
++ // so we never think /foo was a parent directory of /foobar
++ if (!l.endsWith(File.separator)) {
++ l += File.separator;
++ }
++ return p.startsWith(l);
++ }
++
++ /**
+ * Constructs a file: URI that represents the
+ * external form of the given pathname.
+ *
+--- a/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
++++ b/src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
+@@ -23,6 +23,11 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+
+ import junit.framework.TestCase;
++import static org.junit.Assert.assertFalse;
++import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
++import static org.junit.Assume.assumeFalse;
++import static org.junit.Assume.assumeTrue;
+
+ import org.apache.tools.ant.BuildException;
+ import org.apache.tools.ant.taskdefs.condition.Os;
+@@ -587,6 +592,33 @@ public class FileUtilsTest extends TestC
+ }
+
+ /**
++ * @see "https://bz.apache.org/bugzilla/show_bug.cgi?id=62502"
++ */
++ public void isLeadingPathCanonicalVersionCannotBeFooledByTooManyDoubleDots() throws IOException {
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/../../bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("c:\\foo"), new File("c:\\foo\\..\\..\\bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/../.."), true));
++ }
++
++ public void isLeadingPathCanonicalVersionWorksAsExpectedOnUnix() throws IOException {
++ assumeFalse("Test doesn't run on DOS", Os.isFamily("dos"));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/baz/../bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foo/../foo/bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/foobar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("/foo"), new File("/bar"), true));
++ }
++
++ public void isLeadingPathCanonicalVersionWorksAsExpectedOnDos() throws IOException {
++ assumeTrue("Test only runs on DOS", Os.isFamily("dos"));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foo\\bar"), true));
++
assertTrue(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foo\\baz\\..\\bar"), true));
++ assertTrue(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foo\\..\\foo\\bar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\foobar"), true));
++ assertFalse(FILE_UTILS.isLeadingPath(new File("C:\\foo"), new File("C:\\bar"), true));
++ }
++
++ /**
+ * adapt file separators to local conventions
+ */
+ private String localize(String path) {
diff -Nru ant-1.9.3/debian/patches/CVE-2018-10886-6.patch ant-1.9.3/debian/patches/CVE-2018-10886-6.patch
--- ant-1.9.3/debian/patches/CVE-2018-10886-6.patch 1970-01-01 00:00:00.000000000 +0000
+++ ant-1.9.3/debian/patches/CVE-2018-10886-6.patch 2018-07-23 14:10:08.000000000 +0000
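Review bot: The three new test methods are named `isLeadingPathCanonicalVersion…` and carry no `@Test` annotation, yet the context shows `FileUtilsTest` importing `junit.framework.TestCase` and extending it, so the JUnit 3 runner (and JUnit 4's compatibility runner for TestCase subclasses) only picks up methods whose names start with `test` — as written these assertions never execute and the new `isLeadingPath(File, File, boolean)` lands in the package untested. Renaming them, e.g. `public void testIsLeadingPathCanonicalVersionCannotBeFooledByTooManyDoubleDots() throws IOException {`, fixes that without touching the bodies. The series file already carries `0008-junit4-replace-assumeFalse.patch`, which suggests the JUnit shipped with this distribution lacks `Assume.assumeFalse`; the new `import static org.junit.Assume.assumeFalse;` should be checked against it. The `@throws` Javadoc on the new FileUtils method also misspells `getCanonicalPath` as `getCanonicaPath`.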
@@ -0,0 +1,27 @@
+From 5a8c37b271677587046bfd0fea18c1675d5a6300 Mon Sep 17 00:00:00 2001
+From: Stefan Bodewig
+Date: Sun, 1 Jul 2018 11:03:28 +0200
+Subject: [PATCH] take symlinks into account when expanding archives and
+ checking entries
+
+---
+ src/main/org/apache/tools/ant/taskdefs/Expand.java | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/org/apache/tools/ant/taskdefs/Expand.java b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+index b3897efc6a..039f203ff2 100644
+--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
++++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
+@@ -333,9 +333,9 @@ protected void extractFile(FileUtils fileUtils, File srcF, File dir,
+ mappedNames = new String[] {entryName};
+ }
+ File f = fileUtils.resolveFile(dir, mappedNames[0]);
+- if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f)) {
+- log("skipping " + entryName + " as its target " + f + " is outside of "
+- + dir + ".", Project.MSG_VERBOSE);
++ if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f, true)) {
++ log("skipping " + entryName + " as its target " + f.getCanonicalPath()
++ + " is outside of " + dir.getCanonicalPath() + ".", Project.MSG_VERBOSE);
+ return;
+ }
+
diff -Nru ant-1.9.3/debian/patches/series ant-1.9.3/debian/patches/series
--- ant-1.9.3/debian/patches/series 2014-02-16 12:56:07.000000000 +0000
+++ ant-1.9.3/debian/patches/series 2018-07-23 14:10:08.000000000 +0000
@@ -5,3 +5,9 @@
 0007-use-build.classpath.patch
 0008-junit4-replace-assumeFalse.patch
 0009-fix-NullPointerException-when-no-destdir-was-set.patch
+CVE-2018-10886-1.patch
+CVE-2018-10886-2.patch
+CVE-2018-10886-3.patch
+CVE-2018-10886-4.patch
+CVE-2018-10886-5.patch
+CVE-2018-10886-6.patch
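Review bot: The rejection at `if (!allowedOutsideOfDest && !fileUtils.isLeadingPath(dir, f, true))` is still reported only at `Project.MSG_VERBOSE`, so a default build silently produces an incomplete output tree when an archive contains an escaping entry, and whoever runs it gets no signal that a traversal attempt — or a symlink already present under dest — was blocked. A rejected entry is exactly the condition a defender wants surfaced; logging it at `Project.MSG_WARN`, or failing the task unless an attribute opts into skipping, would make the control observable in build logs. `dir.getCanonicalPath()` is also recomputed for every entry inside `isLeadingPath`; harmless, but extractFile runs once per entry, so canonicalising dest once in the caller would avoid repeated filesystem work. extractFile begins and ends outside the hunk.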