casa-mp-base

Upstream: https://anonscm.debian.org/cgit/collab-maint/tardiff.git/tree/debian/patches/CVE-2015-0857.diff

Edit: gnutar instead of tar

​

Description: Fix local code execution when calling diff (CVE-2015-0857)

 Reported by Rainer Müller <raimue@codingfarm.de>. Implemented using

 Text::Diff instead of diff and backticks.

Author: Axel Beckert <abe@debian.org>

Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0857

​

Index: tardiff

===================================================================

--- tardiff 2016-04-28 19:19:02.194646937 +0200

+++ tardiff 2016-04-28 19:36:41.253948109 +0200

@@ -6,6 +6,7 @@

 # Published under GNU GPL conditions

 use strict;

+use Text::Diff;

 my $VERSION = '0.1';

@@ -73,7 +74,12 @@

        $flag = "-j";

    }

-   my $list = `gnutar -C $tempdir $flag -xvf $tarball 2>/dev/null`;

+   open(TARLIST, '-|', qw(gnutar -C), $tempdir, $flag, qw(-xvf), $tarball)

+       or die "Can't call tar as expected: $!";

+   local $/ = undef; # slurp mode

+   my $list = <TARLIST> or die "Couldn't read from tar";

+   close(TARLIST) or warn "tar exited with non-zero exit code";

+

    return $list;

 }

@@ -116,7 +122,7 @@

    if(-d $file1 and -d $file2){

        return 0;

    }elsif(-f $file1 and -f $file2){

-       my $diff = `diff $file1 $file2`;

+       my $diff = diff $file1, $file2, { STYLE => "OldStyle" };

        if($diff){

            if($opt_stats){

                my $plus = 0;