CVEs have been assigned for two security issues in python-dulwich:
http://openwall.com/lists/oss-security/2015/03/22/26
http://openwall.com/lists/oss-security/2015/03/22/19

The upstream commit to fix the first issue is linked in this message:
http://openwall.com/lists/oss-security/2015/03/21/1

The second issue is fixed in 0.9.9 and the patch is included in the second message linked above.

Mageia 4 and Mageia 5 are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Packages in 4/core/updates_testing:

python-dulwich-debuginfo-0.9.9-1.mga4.x86_64
python-dulwich-debuginfo-0.9.9-1.mga4.i586
python-dulwich-0.9.9-1.mga4.i586
python-dulwich-0.9.9-1.mga4.x86_64

from python-dulwich-0.9.9-1.mga4.src

Freeze push asked for python-dulwich-0.9.9-2.mga5.src
Philippe, strangely, it appears that the commit to fix CVE-2014-9706 didn't make it into 0.9.9.
David, I'm lost, what is the meaning of http://osdir.com/ml/general/2015-03/msg28606.html ?

I see that in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781001

And yes, you are right, the code in 0.9.9 doesn't have https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

It has been overwritten by https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=13777953e488adfa6eec11c7101f02af256a822e

Maybe we'd better use 0.10.0:
https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=15f6c9e5928095d09b8ee402e053a821c7c0ddeb
https://pypi.python.org/pypi/dulwich/0.10.0
(In reply to Philippe Makowski from comment #3)
> David, I'm lost, what the meaning of
> :http://osdir.com/ml/general/2015-03/msg28606.html ?
>
> I see that in Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781001

All that message shows is they changed the Bug title, changing the CVE number. Originally they had the one that only applied to the git software itself. dulwich is an independent implementation, so it's the same issue in different code, so it got a new CVE.

> and yes you are right, the code in 0.9.9 don't have
> https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176
>
> it have been overwritten by
> https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=13777953e488adfa6eec11c7101f02af256a822e

which isn't in 0.9.9 either.

> may be we should better use 0.10.0
> https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=15f6c9e5928095d09b8ee402e053a821c7c0ddeb
>
> https://pypi.python.org/pypi/dulwich/0.10.0

As long as it doesn't break anything that depends on it. The minor version bump worries me.
0.10.0 does contain the fix for CVE-2014-9706 though, so that's good.
Packages in 4/core/updates_testing:

python-dulwich-debuginfo-0.10.0-1.mga4.x86_64
python-dulwich-debuginfo-0.10.0-1.mga4.i586
python-dulwich-0.10.0-1.mga4.i586
python-dulwich-0.10.0-1.mga4.x86_64

from python-dulwich-0.10.0-1.mga4.src

Freeze push asked for python-dulwich-0.10.0-2.mga5.src
Thanks Philippe!

PoC information for CVE-2014-9706 here:
http://openwall.com/lists/oss-security/2015/03/21/1

For CVE-2015-0838, the tests/test_pack.py part of the patch might be used to construct a PoC (the package doesn't run the tests at build time):
http://openwall.com/lists/oss-security/2015/03/22/19

Advisory:
========================

Updated python-dulwich package fixes security vulnerabilities:

Dulwich happily clones a repository which contains a commit with invalid paths, say .git/hooks/pre-commit, thus allowing execution of code on subsequent commits (CVE-2014-9706).

Ivan Fratric of the Google Security Team has found a buffer overflow in the C implementation of the apply_delta() function in Dulwich. This function is used when accessing Git objects in pack files. Any Git server or client based on Dulwich that handles untrusted pack files is very likely to be vulnerable (CVE-2015-0838).

The python-dulwich package has been updated to version 0.10.0, fixing these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0838
http://openwall.com/lists/oss-security/2015/03/22/26
http://openwall.com/lists/oss-security/2015/03/22/19
https://git.samba.org/?p=jelmer/dulwich.git;a=blob;f=NEWS;h=d0616a0c
CC: (none) => makowski.mageia
Version: Cauldron => 4
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Debian has issued an advisory for this on March 28:
https://www.debian.org/security/2015/dsa-3206

Advisory:
========================

Updated python-dulwich package fixes security vulnerabilities:

It was discovered that Dulwich allows writing to files under .git/ when checking out working trees. This could lead to the execution of arbitrary code with the privileges of the user running an application based on Dulwich (CVE-2014-9706).

Ivan Fratric of the Google Security Team has found a buffer overflow in the C implementation of the apply_delta() function, used when accessing Git objects in pack files. An attacker could take advantage of this flaw to cause the execution of arbitrary code with the privileges of the user running a Git server or client based on Dulwich (CVE-2015-0838).

The python-dulwich package has been updated to version 0.10.0, fixing these issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0838
https://www.debian.org/security/2015/dsa-3206
https://git.samba.org/?p=jelmer/dulwich.git;a=blob;f=NEWS;h=d0616a0c
URL: (none) => http://lwn.net/Vulnerabilities/638445/
Ran the PoC on i586 and x86-64 VBox VMs. It causes an ugly segfault on both before the upgrade and runs to completion after that. I'll attach it soon.
CC: (none) => shlomif
Whiteboard: (none) => MGA4-64-OK has_procedure MGA4-32-OK
Created attachment 6280: A Proof-of-Concept script to run.

This is the PoC.
Well done Shlomi. Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK has_procedure MGA4-32-OK => MGA4-64-OK has_procedure MGA4-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0157.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED