Explorar el Código

scripts: Add test cases for C-style encoded pathnames in patches

This covers the directory traversal issues from CVE-2014-0471 and
CVE-2014-3127.
Guillem Jover hace 12 años
padre
commit
dbb9cc36ae

+ 1 - 0
debian/changelog

@@ -13,6 +13,7 @@ dpkg (1.17.10) UNRELEASED; urgency=low
     - Add template test cases for most perl modules.
     - Add test cases for Dpkg::Deps OR relationships.
     - Add minimal test case for Dpkg::Source::Quilt.
+    - Add test cases for Dpkg::Source::Patch CVE-2014-0471 and CVE-2014-3127.
   * Fix non-security sensitive TOCTOU race in triggers database loading.
   * Fix non-security sensitive TOCTOU race in update-alternative alternative
     database loading.

+ 1 - 0
scripts/Makefile.am

@@ -256,6 +256,7 @@ test_data = \
 	t/Dpkg_Shlibs/objdump.libc6-2.6 \
 	t/Dpkg_Shlibs/objdump.dbd-pg \
 	t/Dpkg_Shlibs/objdump.ls \
+	t/Dpkg_Source_Patch/c-style.patch \
 	t/Dpkg_Changelog/countme \
 	t/Dpkg_Changelog/fields \
 	t/Dpkg_Changelog/misplaced-tz \

+ 28 - 2
scripts/t/Dpkg_Source_Patch.t

@@ -16,12 +16,38 @@
 use strict;
 use warnings;
 
-use Test::More tests => 1;
+use Test::More tests => 3;
+
+use File::Path qw(make_path);
 
 BEGIN {
     use_ok('Dpkg::Source::Patch');
 }
 
-# TODO: Add actual test cases.
+my $srcdir = $ENV{srcdir} || '.';
+my $datadir = $srcdir . '/t/Dpkg_Source_Patch';
+my $tmpdir = 't.tmp/Dpkg_Source_Patch';
+
+sub test_patch_escape {
+    my ($name, $symlink, $patchname, $desc) = @_;
+
+    make_path("$tmpdir/$name-tree");
+    make_path("$tmpdir/$name-out");
+    symlink "../$name-out", "$tmpdir/$name-tree/$symlink";
+
+    my $patch = Dpkg::Source::Patch->new(filename => "$datadir/$patchname");
+    eval {
+        $patch->apply("$tmpdir/$name-tree", verbose => 0);
+    };
+    ok(rmdir "$tmpdir/$name-out", $desc);
+}
+
+# This is CVE-2014-0471 with GNU patch >= 2.7
+test_patch_escape('c-style-parsed', "\tmp", 'c-style.patch',
+                  'Patch cannot escape using known c-style encoded filename');
+
+# This is CVE-2014-0471 with GNU patch < 2.7
+test_patch_escape('c-style-unknown', '\\tmp', 'c-style.patch',
+                  'Patch cannot escape using unknown c-style encoded filename');
 
 1;

+ 4 - 0
scripts/t/Dpkg_Source_Patch/c-style.patch

@@ -0,0 +1,4 @@
+--- /dev/null
++++ "b/\tmp/c-style"
+@@ -0,0 +1 @@
++Escaped