Multiple directory traversals, symlink vulnerabilities and arbitrary file overwrite vulnerabilities in custom upload publishing code

Bug #529710 reported by William Grant
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Julian Edwards

Bug Description

The custom upload publishing code in lib/lp/archivepublisher/customupload.py is... scary. It creates arbitrary symlinks without checking, deletes files, writes file, creates directories, all without performing any path sanitisation. And PPA binary uploads can have custom uploads.

I've successfully clobbered a couple of files around my system with a local PPA upload.

Also, the various custom upload types have some bad sanitisation in their handlers. The versions, components etc. parsed from filenames are not sanitised.

Julian Edwards (julian-edwards) wrote :

ARGH. Can you add some examples of what you did please?

tags: added: soyuz-publish
William Grant (wgrant) wrote :

I was foolish enough to keep my test source packages in /tmp, and Lucid disagreed with stability earlier, so they no longer exist.

But I have an example crafted tarball. It is attached. When extracted by Soyuz it will create or overwrite /tmp/haha through a symlink.

To test that this is the case, either use process_ddtp_tarball manually, or add it to your favourite arch-indep package and stick these lines in the install rule:

 cp foo_i386_3.0.tar.gz ../
 dpkg-distaddfile foo_i386_3.0.tar.gz raw-ddtp-tarball -

Upload, wait for it to build, and process-accepted.py. Check /tmp/haha. Scream.

Changed in soyuz:
status: New → Triaged
importance: Undecided → High
milestone: none → 10.03
William Grant (wgrant) wrote :

I realise that it's not a terribly easy fix, but shouldn't this be pretty critical?

Julian Edwards (julian-edwards) wrote :

Yes, it will get priority attention in 10.03.

Kees Cook (kees) wrote :

Is soyuz not using standard tools to unpack tarballs? The symlink following bugs are ancient vulnerabilities.

Julian Edwards (julian-edwards) wrote : Re: [Bug 529710] Re: Multiple directory traversals, symlink vulnerabilities and arbitrary file overwrite vulnerabilities in custom upload publishing code

On Tuesday 02 March 2010 17:48:10 Kees Cook wrote:
> Is soyuz not using standard tools to unpack tarballs? The symlink
> following bugs are ancient vulnerabilities.

If there is something standard in Python I'm all ears...?
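The question above is what a member-by-member check of an archive looks like in plain Python. The block below is an added example, not Soyuz code and not the fix that was committed for this bug. It builds a constructed in-memory tarball with the three shapes of bad entry the report describes (a symlink pointing outside the tree, a `..` traversal, an absolute path) next to one legitimate file, reports which members fail and why, and refuses to extract an archive unless every member is clean. The destination path `/srv/ppa/dists` is a made-up placeholder. Where the running Python has `tarfile.data_filter` (3.12 and the security backports), extraction also passes `filter="data"`, which is the standard-library answer to the question; on older interpreters the manual checks are the only guard.

```python
"""Reject unsafe tar members before anything is written to disk (constructed example)."""
import io
import os
import posixpath
import tarfile
import tempfile


def member_problems(member, dest):
    """Return the reasons `member` must not be extracted under `dest`.

    An empty list means the member passed. The checks cover the defect classes
    named in the report: no path sanitisation (absolute paths, '..' traversal)
    and unchecked symlinks/hardlinks, plus device nodes, which a custom upload
    never legitimately contains.
    """
    problems = []
    name = member.name
    if posixpath.isabs(name):
        problems.append("absolute path")
    if ".." in name.split("/"):
        problems.append("path traversal ('..')")
    # Belt and braces: resolve where the entry would land and confirm it stays inside dest.
    dest_abs = os.path.abspath(dest)
    target = os.path.normpath(os.path.join(dest_abs, name))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        problems.append("escapes destination")
    if member.issym():
        problems.append("symlink -> %s" % member.linkname)
    elif member.islnk():
        problems.append("hardlink -> %s" % member.linkname)
    elif member.isdev():
        problems.append("device node")
    elif not (member.isfile() or member.isdir()):
        problems.append("unsupported member type")
    return problems


def audit_tarball(data, dest):
    """Map every member name to its list of problems (empty list means safe)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return {m.name: member_problems(m, dest) for m in tar.getmembers()}


def safe_extract(data, dest):
    """Extract only if every member is clean; otherwise refuse the whole archive.

    Auditing all members before writing anything avoids a half-extracted tree,
    so a later member can never be routed through a link an earlier one created.
    Returns the names extracted.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        bad = {m.name: p for m in members if (p := member_problems(m, dest))}
        if bad:
            raise ValueError("refusing archive: %r" % bad)
        # Newer Pythons ship tarfile.data_filter; use it as a second line of defence.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        for m in members:
            tar.extract(m, path=dest, **kwargs)
    return [m.name for m in members]


def _add_entry(tar, name, data=b"", linkname=None):
    info = tarfile.TarInfo(name)
    if linkname is not None:
        info.type = tarfile.SYMTYPE
        info.linkname = linkname
        tar.addfile(info)
    else:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def build_sample_tarball(malicious=True):
    """Constructed archive: one legitimate i18n file, plus (if malicious) the
    symlink, traversal and absolute-path entries the report warns about."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_entry(tar, "i18n/Translation-en", b"Package: foo\n")
        if malicious:
            _add_entry(tar, "i18n/escape", linkname="/tmp/haha")   # symlink out of the tree
            _add_entry(tar, "../../tmp/haha")                      # traversal
            _add_entry(tar, "/tmp/haha")                           # absolute path
    return buf.getvalue()


def demo():
    """Extract the clean archive into a scratch directory; return extracted names."""
    return safe_extract(build_sample_tarball(malicious=False), tempfile.mkdtemp())


if __name__ == "__main__":
    for name, problems in audit_tarball(build_sample_tarball(), "/srv/ppa/dists").items():
        print("%-22s %s" % (name, ", ".join(problems) or "ok"))
    print("clean archive extracted:", demo())
```

Rejecting symlinks outright is deliberate: a link inside the archive that points outside the destination turns every later member under that name into an arbitrary-path write, and a custom upload has no legitimate need for one. The same per-member check belongs in front of any code that creates, deletes or overwrites paths derived from an upload, not only the tar extractor.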

Changed in soyuz:
status: Triaged → In Progress
Diogo Matsubara (matsubara) wrote : Bug fixed by a commit
Changed in soyuz:
status: In Progress → Fix Committed
Changed in soyuz:
status: Fix Committed → Fix Released
milestone: 10.03 → 10.02
assignee: nobody → Julian Edwards (julian-edwards)
William Grant (wgrant)
visibility: private → public
This report contains Public Security information. Everyone can see this security related information.
