Bug 1541821 - Update debian7 docker images for CVE-2019-3462. r=tomprince

This imports the changes from wheezy-lts (http://deb.freexian.com/extended-lts/) and creates a package we install in the debian7-based images (with a modified version number to work around bug #1419577. This leaves out debian7-raw and debian7-packages as unpatched, because of the chicken-and-egg problem. Depends on D26100 Differential Revision: https://phabricator.services.mozilla.com/D26102 --HG-- extra : moz-landing-system : lando
2019-04-04 16:23:58 +00:00 · 2019-04-04 16:23:58 +00:00 · b22d57ac74
--- a/build/debian-packages/apt-wheezy.diff
+++ b/build/debian-packages/apt-wheezy.diff
@ -0,0 +1,31 @@
+diff -Nru apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc
+--- apt-0.9.7.9+deb7u7/apt-pkg/acquire-method.cc	2013-03-01 19:51:21.000000000 +0900
+++ apt-0.9.7.9+deb7u8/apt-pkg/acquire-method.cc	2019-01-23 05:51:06.000000000 +0900
+@@ -416,6 +416,12 @@
+  * the worker will enqueue again later on to the right queue */
+ void pkgAcqMethod::Redirect(const string &NewURI)
+ {
+   if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
+   {
+      _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
+      Fail();
+      return;
+   }
+    std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
+ 	     << "New-URI: " << NewURI << "\n"
+ 	     << "\n" << std::flush;
+diff -Nru apt-0.9.7.9+deb7u7/debian/changelog apt-0.9.7.9+deb7u8/debian/changelog
+--- apt-0.9.7.9+deb7u7/debian/changelog	2014-10-17 16:13:17.000000000 +0900
+++ apt-0.9.7.9+deb7u8/debian/changelog	2019-01-23 05:55:19.000000000 +0900
+@@ -1,3 +1,11 @@
+apt (0.9.7.9.deb7u8) wheezy-security; urgency=high
+
+  * CVE-2019-3462: Fix a content injection vulnerability that could be
+    exploited to inject arbitrary .deb or other files into a signed
+    repository via injected redirect headers.
+
+ -- Chris Lamb <lamby@debian.org>  Tue, 22 Jan 2019 20:51:26 +0000
+
+ apt (0.9.7.9+deb7u7) stable; urgency=medium
+ 
+   [ David Kalnischkies ]
--- a/taskcluster/ci/docker-image/kind.yml
+++ b/taskcluster/ci/docker-image/kind.yml
@ -51,6 +51,7 @@ jobs:
    definition: debian-base
    parent: debian7-raw
    packages:
+      - deb7-apt
      - deb7-gdb
      - deb7-git
      - deb7-make
--- a/taskcluster/ci/packages/kind.yml
+++ b/taskcluster/ci/packages/kind.yml
@ -24,6 +24,17 @@ job-defaults:
    snapshot: 20171210T214726Z

 jobs:
+  deb7-apt:
+    description: "Updated APT for Debian wheezy"
+    treeherder:
+      symbol: Deb7(apt)
+    run:
+      using: debian-package
+      dsc:
+        url: http://snapshot.debian.org/archive/debian/20141023T170002Z/pool/main/a/apt/apt_0.9.7.9%2Bdeb7u7.dsc
+        sha256: 7835d9f97acf8adcad7eee0eca2990eaef72ffe21272302d3c36d8053d6baf82
+      patch: apt-wheezy.diff
+
  deb7-sqlite3:
    description: "SQLite backport for Debian wheezy"
    treeherder: