main/augeas: security fix for CVE-2017-7555

fixes #7723

2 files changed, 173 insertions, 5 deletions

diff --git a/main/augeas/APKBUILD b/main/augeas/APKBUILD
index 8597aaac45..7328dc3507 100644
--- a/main/augeas/APKBUILD
+++ b/main/augeas/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=augeas
 pkgver=1.4.0
-pkgrel=4
+pkgrel=5
 pkgdesc="A configuration editing tool"
 url="http://augeas.net"
 arch="all"
@@ -30,7 +30,9 @@ source="http://download.augeas.net/augeas-$pkgver.tar.gz
 	0016-Shellvars-allow-in-commands.patch
 	0017-Shellvars-allow-wrapping-command-sequences.patch
 	0018-Shellvars-test-case-for-wrapping-command-arguments.patch
-	0019-Shellvars-allow-command-specific-environment-variabl.patch"
+	0019-Shellvars-allow-command-specific-environment-variabl.patch
+	CVE-2017-7555.patch
+	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
@@ -42,6 +44,10 @@ prepare() {
 	done
 }
 
+# secfixes:
+#   1.4.0-r5:
+#   - CVE-2017-7555
+
 build() {
 	cd "$_builddir"
 	./configure \
@@ -98,7 +104,8 @@ d66b1b77d7f39a9d211765364e7cfa0f  0014-Shellvars-Allow-almost-any-command.patch
 461ac5da32645468623b2cb1f886acae  0016-Shellvars-allow-in-commands.patch
 c3b968af2e2aa423581a564c8107605c  0017-Shellvars-allow-wrapping-command-sequences.patch
 5e31b0f813afc1d5b43f52d34baa9832  0018-Shellvars-test-case-for-wrapping-command-arguments.patch
-59e19136f59c70d6c36025124deb389b  0019-Shellvars-allow-command-specific-environment-variabl.patch"
+59e19136f59c70d6c36025124deb389b  0019-Shellvars-allow-command-specific-environment-variabl.patch
+07d362cc4133a271eadcf64218ce2084  CVE-2017-7555.patch"
 sha256sums="659fae7ac229029e60a869a3b88c616cfd51cf2fba286cdfe3af3a052cb35b30  augeas-1.4.0.tar.gz
 590857f339fc3e758624c6854c8686ba19faa7d28bde58d19ffa4513d63d76ed  0001-Shellvars-accept-and-builtins.patch
 4ac77be95a2d98185dd7966acb2b8b8e9af24589d50ba8650862835a9388db27  0002-Shellvars-Add-test-for.patch
@@ -118,7 +125,8 @@ bb2a9460a367040186a858bad95aff355fdb9162488bc453125c28ced1680204  0014-Shellvars
 5a96fe8d5b513014ef77ecb5c64bb6cf27eba560347d498bcda2bc3cc2e4bc56  0016-Shellvars-allow-in-commands.patch
 4191d31076f2751996cdffa5dcc8d3337c7cc197b4e2711c368d9d5f061c27e6  0017-Shellvars-allow-wrapping-command-sequences.patch
 9bd9ab6b1902202748e0f3dc004297e64a14a68dee025b4a3951330bfe13ac6b  0018-Shellvars-test-case-for-wrapping-command-arguments.patch
-bf25ccc9a0bf4cd45f91bfcfa9c6b8dd89f0903c1117d74c8eaf61685173a088  0019-Shellvars-allow-command-specific-environment-variabl.patch"
+bf25ccc9a0bf4cd45f91bfcfa9c6b8dd89f0903c1117d74c8eaf61685173a088  0019-Shellvars-allow-command-specific-environment-variabl.patch
+c82638220c1136000539db1e084abf10efd0d41e0d02a226e6b6bb8f5bbcce6e  CVE-2017-7555.patch"
 sha512sums="182457698e51be89feadb16879bae2f2413a5761127efb63a9b7ef30806f4059bca614e8c9627b0c7a010b9ec9c03c85161e655bdb2902f7cf43e89b66e312db  augeas-1.4.0.tar.gz
 8844c34c2cbf68d605214d0738e2106d5712ddb2e745910bfb99856fb34a2475e9522d68df6e596e2d81423136b1a6a23db9f5f7a0c4dcc43b618017fa493742  0001-Shellvars-accept-and-builtins.patch
 d9178f6f90556b14a4c1295fa9ec0649e0d1ef72bc4431e194ba03b42ef20363d8ea057a209f6a2a278a8b072b56241caa7e5fc574d2c3a01bc4f642f05b8eb4  0002-Shellvars-Add-test-for.patch
@@ -138,4 +146,5 @@ c268d6a45bb3978737431ca97b4b1670db8ca765607fe4c632919e2481258702779205532ee5eba4
 211339389eea3dce5aaed66db416fade2231c8353ccf4dbb1f9e766a8ac54b5857ca0016783da094daa32e32cd25ffd89b12b6cb3920a1dcaf758913978c088d  0016-Shellvars-allow-in-commands.patch
 48b3172aec95b52b1473fda28a99e43a085844497027adba8b8cd8830da4a7d5bf0a6f6eb3dbbab24d8023a3a24ab0d19f355f5242488821ed8bceb34a0b5bf8  0017-Shellvars-allow-wrapping-command-sequences.patch
 18d986609523ad968b0e006081ad7073a799f40902c880c4a3e4f2478b2792b5568d68e9fa48fed3314c136dac985ae8ea0a4c8d7152c24cbda1b9fb1e097683  0018-Shellvars-test-case-for-wrapping-command-arguments.patch
-8371f154457b3dbb8a95f73cd39cd9bc6bfde03418174561eb09fd04f76bd6ce7215890c68d45d4b9ac5fef4433c2ef79c01910dc3a3818cfb46a3aa1d8b0082  0019-Shellvars-allow-command-specific-environment-variabl.patch"
+8371f154457b3dbb8a95f73cd39cd9bc6bfde03418174561eb09fd04f76bd6ce7215890c68d45d4b9ac5fef4433c2ef79c01910dc3a3818cfb46a3aa1d8b0082  0019-Shellvars-allow-command-specific-environment-variabl.patch
+209364d6d8af5b755f8675b2eff8fa8e240ec364fc97e7a4644f320aad94f64600120d3da7d67a7a4f243acace4a41d13b1dbccfbe0c2021853adb7f3949c8b4  CVE-2017-7555.patch"
diff --git a/main/augeas/CVE-2017-7555.patch b/main/augeas/CVE-2017-7555.patch
new file mode 100644
index 0000000000..aaacdc2674
--- /dev/null
+++ b/main/augeas/CVE-2017-7555.patch
@@ -0,0 +1,159 @@
+From 4cca923b732990bec0c699b2e69911c2221b2498 Mon Sep 17 00:00:00 2001
+From: David Lutterkort <lutter@watzmann.net>
+Date: Fri, 4 Aug 2017 17:13:52 -0700
+Subject: [PATCH] * src/pathx.c (parse_name): correctly handle trailing
+ whitespace in names
+
+When a name ended in whitespace, we incorrectly assumed it was always ok to
+trim that whitespace. That is not true if that whitespace is escaped,
+i.e. if the path expression is something like '/x\ '. In that case, the
+name really needs to be literally 'x ', i.e., we can not trim that
+whitespace.
+
+The incorrect behavior led to turning '/x\ ' first into 'x\' and then,
+because we assume that '\' is always followed by a character inside the
+string, when we removed the escaping '\', we would read beyond the end of
+the intermediate string result; if we were lucky, that would lead to a
+crash, otherwise we'd continue with junk.
+
+We now make sure that escaped whitespace at the end of a string does not
+get stripped, avoiding all these headaches.
+
+Fixes RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1475621
+---
+ src/pathx.c        | 27 +++++++++++++++++++------
+ tests/test-xpath.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+), 6 deletions(-)
+
+diff --git a/src/pathx.c b/src/pathx.c
+index d292cb30..9a2f9c76 100644
+--- a/src/pathx.c
++++ b/src/pathx.c
+@@ -1710,6 +1710,16 @@ int pathx_escape_name(const char *in, char **out) {
+     return 0;
+ }
+ 
++/* Return true if POS is preceded by an odd number of backslashes, i.e., if
++ * POS is escaped. Stop the search when we get to START */
++static bool backslash_escaped(const char *pos, const char *start) {
++    bool result=false;
++    while (pos-- > start && *pos == '\\') {
++        result = !result;
++    }
++    return result;
++}
++
+ /*
+  * NameNoWS ::= [^][|/\= \t\n] | \\.
+  * NameWS   ::= [^][|/\=] | \\.
+@@ -1719,11 +1729,14 @@ static char *parse_name(struct state *state) {
+     const char *s = state->pos;
+     char *result;
+ 
++    /* Advance state->pos until it points to the first character that is
++     * not part of a name. */
+     while (*state->pos != '\0' && strchr(name_follow, *state->pos) == NULL) {
+-        /* This is a hack: since we allow spaces in names, we need to avoid
+-         * gobbling up stuff that is in follow(Name), e.g. 'or' so that
+-         * things like [name1 or name2] still work.
+-         */
++        /* Since we allow spaces in names, we need to avoid gobbling up
++         * stuff that is in follow(Name), e.g. 'or' so that things like
++         * [name1 or name2] still work. In other words, we'll parse 'x frob
++         * y' as one name, but for 'x or y', we consider 'x' a name in its
++         * own right. */
+         if (STREQLEN(state->pos, " or ", strlen(" or ")) ||
+             STREQLEN(state->pos, " and ", strlen(" and ")))
+             break;
+@@ -1738,10 +1751,12 @@ static char *parse_name(struct state *state) {
+         state->pos += 1;
+     }
+ 
+-    /* Strip trailing white space */
++    /* Strip trailing white space. Make sure we respect escaped whitespace
++     * and don't strip it as in "x\\ " */
+     if (state->pos > s) {
+         state->pos -= 1;
+-        while (isspace(*state->pos) && state->pos >= s)
++        while (isspace(*state->pos) && state->pos > s
++               && !backslash_escaped(state->pos, s))
+             state->pos -= 1;
+         state->pos += 1;
+     }
+diff --git a/tests/test-xpath.c b/tests/test-xpath.c
+index 3e418e5f..82986474 100644
+--- a/tests/test-xpath.c
++++ b/tests/test-xpath.c
+@@ -355,6 +355,62 @@ static int test_wrong_regexp_flag(struct augeas *aug) {
+     return -1;
+ }
+ 
++static int test_trailing_ws_in_name(struct augeas *aug) {
++    int r;
++
++    printf("%-30s ... ", "trailing_ws_in_name");
++
++    /* We used to incorrectly lop escaped whitespace off the end of a
++     * name. Make sure that we really create a tree node with label 'x '
++     * with the below set, and look for it in a number of ways to ensure we
++     * are not lopping off trailing whitespace. */
++    r = aug_set(aug, "/ws\\ ", "1");
++    if (r < 0) {
++        fprintf(stderr, "failed to set '/ws ': %d\n", r);
++        goto fail;
++    }
++    /* We did not create a node with label 'ws' */
++    r = aug_get(aug, "/ws", NULL);
++    if (r != 0) {
++        fprintf(stderr, "created '/ws' instead: %d\n", r);
++        goto fail;
++    }
++
++    /* We did not create a node with label 'ws\t' (this also checks that we
++     * don't create something like 'ws\\' by dropping the last whitespace
++     * character. */
++    r = aug_get(aug, "/ws\\\t", NULL);
++    if (r != 0) {
++        fprintf(stderr, "found '/ws\\t': %d\n", r);
++        goto fail;
++    }
++
++    /* But we did create 'ws ' */
++    r = aug_get(aug, "/ws\\ ", NULL);
++    if (r != 1) {
++        fprintf(stderr, "could not find '/ws ': %d\n", r);
++        goto fail;
++    }
++
++    /* If the whitespace is preceded by an even number of '\\' chars,
++     * whitespace must be stripped */
++    r = aug_set(aug, "/nows\\\\ ", "1");
++    if (r < 0) {
++        fprintf(stderr, "set of '/nows' failed: %d\n", r);
++        goto fail;
++    }
++    r = aug_get(aug, "/nows\\\\", NULL);
++    if (r != 1) {
++        fprintf(stderr, "could not get '/nows\\'\n");
++        goto fail;
++    }
++    printf("PASS\n");
++    return 0;
++ fail:
++    printf("FAIL\n");
++    return -1;
++}
++
+ static int run_tests(struct test *tests, int argc, char **argv) {
+     char *lensdir;
+     struct augeas *aug = NULL;
+@@ -398,6 +454,9 @@ static int run_tests(struct test *tests, int argc, char **argv) {
+ 
+         if (test_wrong_regexp_flag(aug) < 0)
+             result = EXIT_FAILURE;
++
++        if (test_trailing_ws_in_name(aug) < 0)
++            result = EXIT_FAILURE;
+     }
+     aug_close(aug);
+     free(lensdir);