Debian Bug report logs - #776257
Fails to apply patch with dangling symlink


Package: patch; Maintainer for patch is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for patch is src:patch (PTS, buildd, popcon).

Affects: src:systemd

Reported by: Michael Biebl <biebl@debian.org>

Date: Mon, 26 Jan 2015 01:00:02 UTC

Severity: serious

Tags: upstream

Found in version patch/2.7.3-1

Fixed in version patch/2.7.4-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-systemd-maintainers@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Mon, 26 Jan 2015 01:00:07 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
New Bug report received and forwarded. Copy sent to pkg-systemd-maintainers@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 26 Jan 2015 01:00:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Fails to apply patch with dangling symlink
Date: Mon, 26 Jan 2015 01:55:57 +0100
Package: patch
Version: 2.7.3-1
Severity: serious

Hi,

the latest update of patch broke the systemd package and causes it to
FTBFS:

dpkg-source: info: applying escape-beef-up-new-systemd-escape-tool.patch
patching symbolic link src/escape/Makefile
symbolic link target '../Makefile' is invalid
dpkg-source: info: the patch has fuzz which is not allowed, or is malformed
dpkg-source: info: if patch 'escape-beef-up-new-systemd-escape-tool.patch' is correctly applied by quilt, use 'quilt refresh' to update it
dpkg-source: info: restoring quilt backup files for escape-beef-up-new-systemd-escape-tool.patch
dpkg-source: error: LC_ALL=C patch -t -F 0 -N -p1 -u -V never -g0 -E -b -B .pc/escape-beef-up-new-systemd-escape-tool.patch/ --reject-file=- < systemd-215/debian/patches/escape-beef-up-new-systemd-escape-tool.patch gave error exit status 2


Issue is trivial to reproduce, simply run "apt-get source systemd".
The patch creates a dangling symlink, which is nothing extraordinary
and which worked with older versions of "patch".
Downgrading to the version which is currently in jessie fixes the issue.

Marking as RC, since this is causing other packages to FTBFS and
therefore shouldn't migrate to testing.

Michael


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages patch depends on:
ii  libc6  2.19-13

patch recommends no packages.

Versions of packages patch suggests:
pn  diffutils-doc  <none>
ii  ed             1.10-2

-- no debconf information



Added indication that 776257 affects src:systemd Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Mon, 26 Jan 2015 01:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Mon, 26 Jan 2015 07:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 26 Jan 2015 07:39:05 GMT) (full text, mbox, link).


Message #12 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Michael Biebl <biebl@debian.org>, 776257@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#776257: Fails to apply patch with dangling symlink
Date: Mon, 26 Jan 2015 08:38:07 +0100
Hey all,

Michael Biebl [2015-01-26  1:55 +0100]:
> the latest update of patch broke the systemd package and causes it to
> FTBFS:
> 
> dpkg-source: info: applying escape-beef-up-new-systemd-escape-tool.patch
> patching symbolic link src/escape/Makefile
> symbolic link target '../Makefile' is invalid
> dpkg-source: info: the patch has fuzz which is not allowed, or is malformed
> dpkg-source: info: if patch 'escape-beef-up-new-systemd-escape-tool.patch' is correctly applied by quilt, use 'quilt refresh' to update it
> dpkg-source: info: restoring quilt backup files for escape-beef-up-new-systemd-escape-tool.patch
> dpkg-source: error: LC_ALL=C patch -t -F 0 -N -p1 -u -V never -g0 -E -b -B .pc/escape-beef-up-new-systemd-escape-tool.patch/ --reject-file=- < systemd-215/debian/patches/escape-beef-up-new-systemd-escape-tool.patch gave error exit status 2

For the record, I simply dropped the dangling Makefile symlink from
that patch as it's not necessary in the first place:

  http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=492416fc

With this workaround we at least unblock uploading/building systemd
for the time being.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Mon, 26 Jan 2015 07:39:11 GMT) (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 26 Jan 2015 07:39:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Wed, 28 Jan 2015 07:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 28 Jan 2015 07:15:05 GMT) (full text, mbox, link).


Message #22 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin@piware.de>
To: Michael Biebl <biebl@debian.org>, 776257@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#776257: Fails to apply patch with dangling symlink
Date: Wed, 28 Jan 2015 08:10:57 +0100
Michael Biebl [2015-01-26  1:55 +0100]:
> the latest update of patch broke the systemd package and causes it to
> FTBFS:

BTW, at least glibc is also affected, and judging by the recent slew
of autopkgtest failures in Ubuntu there's some more. We really need to
get this fixed fast.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Wed, 28 Jan 2015 07:15:08 GMT) (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 28 Jan 2015 07:15:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Wed, 28 Jan 2015 08:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 28 Jan 2015 08:39:05 GMT) (full text, mbox, link).


Message #32 received at 776257@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>
To: Martin Pitt <martin@piware.de>, Andreas Grünbacher <andreas.gruenbacher@gmail.com>
Cc: Michael Biebl <biebl@debian.org>, 776257@bugs.debian.org
Subject: Re: Bug#776257: Fails to apply patch with dangling symlink
Date: Wed, 28 Jan 2015 09:35:16 +0100
Control: tags -1 upstream

Hi,

On Wed, Jan 28, 2015 at 8:10 AM, Martin Pitt <martin@piware.de> wrote:
> Michael Biebl [2015-01-26 1:55 +0100]:
>> the latest update of patch broke the systemd package and causes it to
>> FTBFS:
>
> BTW, at least glibc is also affected, and judging by the recent slew
> of autopkgtest failures in Ubuntu there's some more. We really need to
> get this fixed fast.
There were several security flaws in patch recently. One of these is
the possibility of writing arbitrary files via a symlink attack in a
patch file _and_ directory traversal via symlinks. It is named
CVE-2015-1196[1]. Upstream fixed it and I've uploaded it.
It seems upstream put too much restriction on symlinks, Cc-ing him.
But will investigate this myself as well in the afternoon.

Regards,
Laszlo/GCS
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1196
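The message above describes two distinct things a symlink hunk can do: point outside the source tree (the CVE-2015-1196 class) or simply dangle inside it (the systemd case, which the thread treats as legitimate). The following Python is an added pre-apply audit illustrating that distinction; it is not code from GNU patch, the systemd package or any participant in this thread. It assumes a git-style unified diff in which a created symlink is marked by `new file mode 120000` and its single `+` line is the link target, resolves targets lexically relative to the link's own directory, and uses a constructed sample diff and a constructed scratch tree, so it runs offline.

```python
import os
import posixpath
import tempfile

# Constructed git-style diff (not from the bug report) creating three symlinks
# and touching one regular file.  Paths mimic the systemd case from the thread.
SAMPLE_DIFF = """\
diff --git a/src/escape/Makefile b/src/escape/Makefile
new file mode 120000
--- /dev/null
+++ b/src/escape/Makefile
@@ -0,0 +1 @@
+../Makefile
\\ No newline at end of file
diff --git a/docs/README b/docs/README
new file mode 120000
--- /dev/null
+++ b/docs/README
@@ -0,0 +1 @@
+../README
\\ No newline at end of file
diff --git a/src/evil b/src/evil
new file mode 120000
--- /dev/null
+++ b/src/evil
@@ -0,0 +1 @@
+../../../etc/passwd
\\ No newline at end of file
diff --git a/README b/README
--- a/README
+++ b/README
@@ -1 +1 @@
-old
+new
"""


def symlinks_in_diff(diff_text, strip=1):
    """Return [(link_path, target), ...] for every symlink a git-style diff
    creates.  Git marks these with 'new file mode 120000'; the single '+'
    line of that hunk is the link target.  `strip` mirrors patch -p<N>."""
    links = []
    path, is_symlink = None, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, is_symlink = None, False
        elif line.startswith("new file mode 120000"):
            is_symlink = True
        elif line.startswith("+++ "):
            name = line[4:].split("\t")[0]
            path = "/".join(name.split("/")[strip:])
        elif is_symlink and path and line.startswith("+"):
            links.append((path, line[1:]))
            is_symlink = False          # exactly one target line per symlink
    return links


def classify_symlink(link_path, target, tree_root):
    """'outside' if the target escapes tree_root (the CVE-2015-1196 class),
    'dangling' if it stays inside but nothing exists there yet, else 'ok'.
    Resolution is purely lexical, relative to the link's own directory."""
    if posixpath.isabs(target):
        return "outside"
    resolved = posixpath.normpath(
        posixpath.join(posixpath.dirname(link_path), target))
    if resolved == ".." or resolved.startswith("../"):
        return "outside"
    if not os.path.lexists(os.path.join(tree_root, resolved)):
        return "dangling"
    return "ok"


def audit_diff(diff_text, tree_root, strip=1):
    """Map every symlink the diff would create to its verdict."""
    return {path: classify_symlink(path, target, tree_root)
            for path, target in symlinks_in_diff(diff_text, strip)}


def rejected_links(verdicts, allow_dangling=True):
    """Paths that should block applying the patch.  With allow_dangling=True
    (the behaviour the thread asks for) only out-of-tree targets are refused;
    allow_dangling=False reproduces the over-strict policy that broke systemd."""
    bad = {"outside"} if allow_dangling else {"outside", "dangling"}
    return sorted(p for p, v in verdicts.items() if v in bad)


def demo():
    """Audit SAMPLE_DIFF against a constructed scratch tree holding only README."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "README"), "w").close()
        return audit_diff(SAMPLE_DIFF, root)


if __name__ == "__main__":
    verdicts = demo()
    for path, verdict in verdicts.items():
        print(f"{verdict:9s} {path}")
    print("reject:", rejected_links(verdicts))
```

Because the check is lexical it only covers the symlink hunks themselves: it will not notice a later hunk in the same diff that writes a regular file through a symlink created earlier, nor an escape via a symlink that already exists in the tree. Catching those requires applying the patch into a throwaway copy of the tree and inspecting what ends up outside it, which is a separate step from this scan.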



Added tag(s) upstream. Request was from László Böszörményi (GCS) <gcs@debian.org> to 776257-submit@bugs.debian.org. (Wed, 28 Jan 2015 08:39:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#776257; Package patch. (Wed, 28 Jan 2015 09:42:20 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Grünbacher <andreas.gruenbacher@gmail.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 28 Jan 2015 09:42:20 GMT) (full text, mbox, link).


Message #39 received at 776257@bugs.debian.org (full text, mbox, reply):

From: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
To: László Böszörményi (GCS) <gcs@debian.org>, Martin Pitt <martin@piware.de>
Cc: Michael Biebl <biebl@debian.org>, 776257@bugs.debian.org
Subject: Re: Bug#776257: Fails to apply patch with dangling symlink
Date: Wed, 28 Jan 2015 10:41:00 +0100
This is also causing problems with kernel patches:
  http://thread.gmane.org/gmane.linux.kernel/1874498/

It's a bit of a hairy problem; we are currently trying to find a better
solution that doesn't break too many other things.

Thanks,
Andreas



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 31 Jan 2015 22:39:11 GMT) (full text, mbox, link).


Notification sent to Michael Biebl <biebl@debian.org>:
Bug acknowledged by developer. (Sat, 31 Jan 2015 22:39:11 GMT) (full text, mbox, link).


Message #44 received at 776257-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 776257-close@bugs.debian.org
Subject: Bug#776257: fixed in patch 2.7.4-1
Date: Sat, 31 Jan 2015 22:34:21 +0000
Source: patch
Source-Version: 2.7.4-1

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 776257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 31 Jan 2015 21:43:36 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.4-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 patch      - Apply a diff file to an original
Closes: 776257 776271
Changes:
 patch (2.7.4-1) unstable; urgency=high
 .
   * New upstream release.
   * Fix symlink handling (closes: #776257).
   * Fix infinite loop with fuzzed diff (closes: #776271).
Checksums-Sha1:
 76f1baef0d53a524fff28cca012b2858feab3b13 1795 patch_2.7.4-1.dsc
 b2e29867263095e0f8bfd4b1319124b04102f2b0 714392 patch_2.7.4.orig.tar.xz
 c7a999d94774007075e362cfbc3eab2c531bb56e 8052 patch_2.7.4-1.debian.tar.xz
 0fbdc13c651980381713aaf4c8195e7452a8abc9 105294 patch_2.7.4-1_amd64.deb
Checksums-Sha256:
 4c913aa5513930f41e5672124f19ed95a2acca379842a326a17244f0fbd8057f 1795 patch_2.7.4-1.dsc
 0eacbb07ce106fe4dcbfbe6c052e55b50bf3df8e1bb16228c9da77b6659ff109 714392 patch_2.7.4.orig.tar.xz
 e9ec22dee279dac0e02509d36455f4db4087ab974932a1bbe6be41f9738f24cb 8052 patch_2.7.4-1.debian.tar.xz
 6dc00d2141207fe457eafabe2e2e45a6fca74c1a9c107118738bb4b761736ba8 105294 patch_2.7.4-1_amd64.deb
Files:
 ef2b5b2785161a55872f8ac9050bb485 1795 vcs standard patch_2.7.4-1.dsc
 abc59498fcdddd44e0d07764aa105fd2 714392 vcs standard patch_2.7.4.orig.tar.xz
 021e82e1a3b89f417c2c623f43035be1 8052 vcs standard patch_2.7.4-1.debian.tar.xz
 c8fbd2a491796d04359bd8dc2a240056 105294 vcs standard patch_2.7.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 09:57:43 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:39:33 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:09:25 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 5 06:09:51 2018; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.