Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hi there,

This is a buster proposed update to fix CVE-2020-28241:
| libmaxminddb before 1.4.3 has a heap-based buffer over-read in
| dump_entry_data_list in maxminddb.c.

The security team has marked the CVE as "<no-dsa> (Minor issue)", and
filed #973878 against the package.

The fix was part of the 1.4.3 upstream version; bullseye has 1.4.3-1,
sid has 1.5.0-1, so it's fixed in both.

You'll find the source debdiff below (and also in salsa).

Thanks!
Faidon


diff -Nru libmaxminddb-1.3.2/debian/changelog 
libmaxminddb-1.3.2/debian/changelog
--- libmaxminddb-1.3.2/debian/changelog 2018-05-26 19:37:59.000000000 +0300
+++ libmaxminddb-1.3.2/debian/changelog 2021-01-10 21:10:00.000000000 +0200
@@ -1,3 +1,10 @@
+libmaxminddb (1.3.2-1+deb10u1) buster; urgency=medium
+
+  * Backport upstream fix for CVE-2020-28241, heap-based buffer over-read in
+    dump_entry_data_list in maxminddb.c. (Closes: #973878)
+
+ -- Faidon Liambotis <parav...@debian.org>  Sun, 10 Jan 2021 21:10:00 +0200
+
 libmaxminddb (1.3.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libmaxminddb-1.3.2/debian/gbp.conf libmaxminddb-1.3.2/debian/gbp.conf
--- libmaxminddb-1.3.2/debian/gbp.conf  2018-05-26 19:28:43.000000000 +0300
+++ libmaxminddb-1.3.2/debian/gbp.conf  2021-01-10 21:10:00.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-tree=tag
-debian-branch=debian
+debian-branch=debian/buster
 upstream-tag = %(version)s
 no-create-orig = False
 submodules = True
diff -Nru libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 
libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch
--- libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 1970-01-01 
02:00:00.000000000 +0200
+++ libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 2021-01-10 
21:10:00.000000000 +0200
@@ -0,0 +1,113 @@
+From: Gregory Oschwald <goschw...@maxmind.com>
+Date: Wed, 5 Aug 2020 14:16:17 -0700
+Subject: [PATCH] Replace most malloc uses with calloc
+
+Closes #236.
+---
+ bin/mmdblookup.c    |  2 +-
+ doc/libmaxminddb.md |  2 +-
+ src/maxminddb.c     | 16 ++++++++--------
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 030d88c..513ad2d 100644
+--- a/bin/mmdblookup.c
++++ b/bin/mmdblookup.c
+@@ -263,7 +263,7 @@ LOCAL const char **get_options(
+     }
+ 
+     const char **lookup_path =
+-        malloc(sizeof(const char *) * ((argc - optind) + 1));
++        calloc((argc - optind) + 1, sizeof(const char *));
+     int i;
+     for (i = 0; i < argc - optind; i++) {
+         lookup_path[i] = argv[i + optind];
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index e6de9d5..15433c3 100644
+--- a/doc/libmaxminddb.md
++++ b/doc/libmaxminddb.md
+@@ -307,7 +307,7 @@ libmaxminddb code.
+ 
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this 
structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+ 
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 7580e1e..ec547d6 100644
+--- a/src/maxminddb.c
++++ b/src/maxminddb.c
+@@ -35,7 +35,7 @@
+     do {                                                        \
+         char *binary = byte_to_binary(byte);                    \
+         if (NULL == binary) {                                   \
+-            fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++            fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+             abort();                                            \
+         }                                                       \
+         fprintf(stderr, fmt "\n", binary);                      \
+@@ -54,7 +54,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+-    char *bits = malloc(sizeof(char) * 9);
++    char *bits = calloc(9, sizeof(char));
+     if (NULL == bits) {
+         return bits;
+     }
+@@ -687,7 +687,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s 
*metadata_db,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+     mmdb->metadata.languages.count = 0;
+-    mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++    mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+     if (NULL == mmdb->metadata.languages.names) {
+         return MMDB_OUT_OF_MEMORY_ERROR;
+     }
+@@ -705,7 +705,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s 
*metadata_db,
+         if (NULL == mmdb->metadata.languages.names[i]) {
+             return MMDB_OUT_OF_MEMORY_ERROR;
+         }
+-        // We assign this as we go so that if we fail a malloc and need to
++        // We assign this as we go so that if we fail a calloc and need to
+         // free it, the count is right.
+         mmdb->metadata.languages.count = i + 1;
+     }
+@@ -757,7 +757,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, 
MMDB_s *metadata_db,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+     mmdb->metadata.description.descriptions =
+-        malloc(map_size * sizeof(MMDB_description_s *));
++        calloc(map_size, sizeof(MMDB_description_s *));
+     if (NULL == mmdb->metadata.description.descriptions) {
+         status = MMDB_OUT_OF_MEMORY_ERROR;
+         goto cleanup;
+@@ -765,7 +765,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, 
MMDB_s *metadata_db,
+ 
+     for (uint32_t i = 0; i < map_size; i++) {
+         mmdb->metadata.description.descriptions[i] =
+-            malloc(sizeof(MMDB_description_s));
++            calloc(1, sizeof(MMDB_description_s));
+         if (NULL == mmdb->metadata.description.descriptions[i]) {
+             status = MMDB_OUT_OF_MEMORY_ERROR;
+             goto cleanup;
+@@ -1172,7 +1172,7 @@ int MMDB_vget_value(MMDB_entry_s *const start,
+     MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+-    const char **path = malloc((length + 1) * sizeof(const char *));
++    const char **path = calloc(length + 1, sizeof(const char *));
+     if (NULL == path) {
+         return MMDB_OUT_OF_MEMORY_ERROR;
+     }
+@@ -2130,7 +2130,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+     char *hex_string;
+     MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL);
+ 
+-    hex_string = malloc((size * 2) + 1);
++    hex_string = calloc((size * 2) + 1, sizeof(char));
+     if (NULL == hex_string) {
+         return NULL;
+     }
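Review bot: The patch header (From/Date/Subject/Closes #236) does not record which of these calloc substitutions is the actual CVE-2020-28241 fix, so a future reader of debian/patches cannot separate the security-relevant hunk from the cosmetic ones (the doc wording and the DEBUG_BINARY message). Only the bytes_to_hex change at the end of the hunk plausibly matters: with `malloc((size * 2) + 1)` a zero-length `size` presumably left byte 0 uninitialized and the returned string unterminated, and `calloc` zero-fills it; the loop that fills `hex_string` is outside the hunk, so confirm this against src/maxminddb.c before documenting it. I would add DEP-3 headers `Origin: upstream, <UPSTREAM-COMMIT-ID placeholder>` and `Bug-Debian: https://bugs.debian.org/973878` to the patch preamble, and at the bytes_to_hex line the comment `/* calloc, not malloc: for size == 0 nothing is written below, so the NUL terminator must come from zero-filled memory (CVE-2020-28241) */`. Separately, the mmdblookup.c hunk still indexes `lookup_path` on the line after the calloc without a NULL check, which this commit does not address.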
diff -Nru libmaxminddb-1.3.2/debian/patches/series 
libmaxminddb-1.3.2/debian/patches/series
--- libmaxminddb-1.3.2/debian/patches/series    2018-05-26 19:29:20.000000000 
+0300
+++ libmaxminddb-1.3.2/debian/patches/series    2021-01-10 21:10:00.000000000 
+0200
@@ -1 +1,2 @@
 0001-Remove-Pandoc-version-from-manpages.patch
+0002-CVE-2020-28241.patch
