Version in base suite: 0.12.1-2 Base version: mat2_0.12.1-2 Target version: mat2_0.12.1-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mat2/mat2_0.12.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mat2/mat2_0.12.1-2+deb11u1.dsc changelog | 9 +++++++ patches/0002-CVE-2022-35410.patch | 48 ++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 58 insertions(+)
diff -Nru mat2-0.12.1/debian/changelog mat2-0.12.1/debian/changelog
--- mat2-0.12.1/debian/changelog 2021-05-24 15:01:29.000000000 +0000
+++ mat2-0.12.1/debian/changelog 2022-07-12 10:00:15.000000000 +0000
@@ -1,3 +1,12 @@
+mat2 (0.12.1-2+deb11u1) bullseye-security; urgency=high
+
+ * debian/patches:
+ - Pull in upstream patch to prevent arbitrary file read via a zip archive
+ and inform the user in case of a path traversal attempt.
+ (CVE-2022-35410)
+
+ -- Georg Faerber Tue, 12 Jul 2022 10:00:15 +0000
+
 mat2 (0.12.1-2) unstable; urgency=medium
 
 * debian/patches:
diff -Nru mat2-0.12.1/debian/patches/0002-CVE-2022-35410.patch mat2-0.12.1/debian/patches/0002-CVE-2022-35410.patch
--- mat2-0.12.1/debian/patches/0002-CVE-2022-35410.patch 1970-01-01 00:00:00.000000000 +0000
+++ mat2-0.12.1/debian/patches/0002-CVE-2022-35410.patch 2022-07-12 10:00:15.000000000 +0000
@@ -0,0 +1,48 @@
+Description: CVE-2022-35410: Prevent arbitrary file read via a zip archive
+ Additionally, inform the user in case of a path traversal attempt.
+Origin: upstream
+Bug: https://0xacab.org/jvoisin/mat2/-/issues/174
+Reviewed-by: Georg Faerber
+Last-Update: 2022-07-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: mat2/libmat2/archive.py
+===================================================================
+--- mat2.orig/libmat2/archive.py 2022-07-12 09:44:35.763609673 +0000
++++ mat2/libmat2/archive.py 2022-07-12 09:44:49.651598413 +0000
+@@ -178,15 +178,31 @@
+ if member_name[-1] == '/': # `is_dir` is added in Python3.6
+ continue # don't keep empty folders
+
+- zin.extract(member=item, path=temp_folder)
+ full_path = os.path.join(temp_folder, member_name)
++ if not os.path.abspath(full_path).startswith(temp_folder):
++ logging.error("%s contains a file (%s) pointing outside (%s) of its root.",
++ self.filename, member_name, full_path)
++ abort = True
++ break
++
++ zin.extract(member=item, path=temp_folder)
++
++ try:
++ original_permissions = os.stat(full_path).st_mode
++ except FileNotFoundError:
++ logging.error("Something went wrong during processing of "
++ "%s in %s, likely a path traversal attack.",
++ member_name, self.filename)
++ abort = True
++ # we're breaking instead of continuing, because this exception
++ # is raised in case of weird path-traversal-like atttacks.
++ break
+
+- original_permissions = os.stat(full_path).st_mode
+ os.chmod(full_path, original_permissions | stat.S_IWUSR | stat.S_IRUSR)
+
+ if self._specific_cleanup(full_path) is False:
+- logging.warning("Something went wrong during deep cleaning of %s",
+- member_name)
++ logging.warning("Something went wrong during deep cleaning of %s in %s",
++ member_name, self.filename)
+ abort = True
+ continue
+
diff -Nru mat2-0.12.1/debian/patches/series mat2-0.12.1/debian/patches/series
--- mat2-0.12.1/debian/patches/series 2021-05-24 15:01:29.000000000 +0000
+++ mat2-0.12.1/debian/patches/series 2022-07-12 10:00:15.000000000 +0000
@@ -1 +1,2 @@
+0002-CVE-2022-35410.patch
 0001-improve-support-for-xlsx-files.patch
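Review bot: The containment test `if not os.path.abspath(full_path).startswith(temp_folder):` is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the temp folder's name satisfies it; `if os.path.commonpath([temp_folder, os.path.abspath(full_path)]) != temp_folder:` (or comparing against `temp_folder + os.sep`) is the exact test. It also presumes `temp_folder` is already absolute and normalized — if a caller ever hands in a relative path, `abspath(full_path)` never carries it as a prefix and every member is rejected — so normalizing once before the loop with `temp_folder = os.path.abspath(temp_folder)` would make the check robust either way. The `FileNotFoundError` handler added further down probably still stops the sibling case, since `zipfile.extract` sanitizes `..` components when it writes, but the log line then attributes it to a generic traversal rather than to the weak prefix check. The added comment also misspells `attacks` as `atttacks`. The loop and the method containing this hunk start and end outside it.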