Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi there,

This is a buster proposed update to fix CVE-2020-28241:

| libmaxminddb before 1.4.3 has a heap-based buffer over-read in
| dump_entry_data_list in maxminddb.c.

The security team has marked the CVE as "<no-dsa> (Minor issue)", and filed #973878 against the package. The fix was part of the 1.4.3 upstream version; bullseye has 1.4.3-1, sid has 1.5.0-1, so it's fixed in both.

You'll find the source debdiff below (and also in salsa).

Thanks!
Faidon

diff -Nru libmaxminddb-1.3.2/debian/changelog libmaxminddb-1.3.2/debian/changelog --- libmaxminddb-1.3.2/debian/changelog 2018-05-26 19:37:59.000000000 +0300 +++ libmaxminddb-1.3.2/debian/changelog 2021-01-10 21:10:00.000000000 +0200 @@ -1,3 +1,10 @@ +libmaxminddb (1.3.2-1+deb10u1) buster; urgency=medium + + * Backport upstream fix for CVE-2020-28241, heap-based buffer over-read in + dump_entry_data_list in maxminddb.c. (Closes: #973878) + + -- Faidon Liambotis <parav...@debian.org> Sun, 10 Jan 2021 21:10:00 +0200 + libmaxminddb (1.3.2-1) unstable; urgency=medium * New upstream release. diff -Nru libmaxminddb-1.3.2/debian/gbp.conf libmaxminddb-1.3.2/debian/gbp.conf --- libmaxminddb-1.3.2/debian/gbp.conf 2018-05-26 19:28:43.000000000 +0300 +++ libmaxminddb-1.3.2/debian/gbp.conf 2021-01-10 21:10:00.000000000 +0200 @@ -1,6 +1,6 @@ [DEFAULT] upstream-tree=tag -debian-branch=debian +debian-branch=debian/buster upstream-tag = %(version)s no-create-orig = False submodules = True diff -Nru libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch --- libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 1970-01-01 02:00:00.000000000 +0200 +++ libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 2021-01-10 21:10:00.000000000 +0200 
@@ -0,0 +1,113 @@ +From: Gregory Oschwald <goschw...@maxmind.com> +Date: Wed, 5 Aug 2020 14:16:17 -0700 +Subject: [PATCH] Replace most malloc uses with calloc + +Closes #236. +--- + bin/mmdblookup.c | 2 +- + doc/libmaxminddb.md | 2 +- + src/maxminddb.c | 16 ++++++++-------- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c +index 030d88c..513ad2d 100644 +--- a/bin/mmdblookup.c ++++ b/bin/mmdblookup.c +@@ -263,7 +263,7 @@ LOCAL const char **get_options( + } + + const char **lookup_path = +- malloc(sizeof(const char *) * ((argc - optind) + 1)); ++ calloc((argc - optind) + 1, sizeof(const char *)); + int i; + for (i = 0; i < argc - optind; i++) { + lookup_path[i] = argv[i + optind]; +diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md +index e6de9d5..15433c3 100644 +--- a/doc/libmaxminddb.md ++++ b/doc/libmaxminddb.md +@@ -307,7 +307,7 @@ libmaxminddb code. + + The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure + are all pointers directly into the database's data section. This can either be +-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will ++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will + become invalid after `MMDB_close()` is called. 
+ + If you need to refer to this data after that time you should copy the data +diff --git a/src/maxminddb.c b/src/maxminddb.c +index 7580e1e..ec547d6 100644 +--- a/src/maxminddb.c ++++ b/src/maxminddb.c +@@ -35,7 +35,7 @@ + do { \ + char *binary = byte_to_binary(byte); \ + if (NULL == binary) { \ +- fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \ ++ fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \ + abort(); \ + } \ + fprintf(stderr, fmt "\n", binary); \ +@@ -54,7 +54,7 @@ + #ifdef MMDB_DEBUG + DEBUG_FUNC char *byte_to_binary(uint8_t byte) + { +- char *bits = malloc(sizeof(char) * 9); ++ char *bits = calloc(9, sizeof(char)); + if (NULL == bits) { + return bits; + } +@@ -687,7 +687,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + MMDB_INVALID_METADATA_ERROR); + + mmdb->metadata.languages.count = 0; +- mmdb->metadata.languages.names = malloc(array_size * sizeof(char *)); ++ mmdb->metadata.languages.names = calloc(array_size, sizeof(char *)); + if (NULL == mmdb->metadata.languages.names) { + return MMDB_OUT_OF_MEMORY_ERROR; + } +@@ -705,7 +705,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + if (NULL == mmdb->metadata.languages.names[i]) { + return MMDB_OUT_OF_MEMORY_ERROR; + } +- // We assign this as we go so that if we fail a malloc and need to ++ // We assign this as we go so that if we fail a calloc and need to + // free it, the count is right. 
+ mmdb->metadata.languages.count = i + 1; + } +@@ -757,7 +757,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + MMDB_INVALID_METADATA_ERROR); + + mmdb->metadata.description.descriptions = +- malloc(map_size * sizeof(MMDB_description_s *)); ++ calloc(map_size, sizeof(MMDB_description_s *)); + if (NULL == mmdb->metadata.description.descriptions) { + status = MMDB_OUT_OF_MEMORY_ERROR; + goto cleanup; +@@ -765,7 +765,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + + for (uint32_t i = 0; i < map_size; i++) { + mmdb->metadata.description.descriptions[i] = +- malloc(sizeof(MMDB_description_s)); ++ calloc(1, sizeof(MMDB_description_s)); + if (NULL == mmdb->metadata.description.descriptions[i]) { + status = MMDB_OUT_OF_MEMORY_ERROR; + goto cleanup; +@@ -1172,7 +1172,7 @@ int MMDB_vget_value(MMDB_entry_s *const start, + MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1, + MMDB_INVALID_METADATA_ERROR); + +- const char **path = malloc((length + 1) * sizeof(const char *)); ++ const char **path = calloc(length + 1, sizeof(const char *)); + if (NULL == path) { + return MMDB_OUT_OF_MEMORY_ERROR; + } +@@ -2130,7 +2130,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size) + char *hex_string; + MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL); + +- hex_string = malloc((size * 2) + 1); ++ hex_string = calloc((size * 2) + 1, sizeof(char)); + if (NULL == hex_string) { + return NULL; + } diff -Nru libmaxminddb-1.3.2/debian/patches/series libmaxminddb-1.3.2/debian/patches/series --- libmaxminddb-1.3.2/debian/patches/series 2018-05-26 19:29:20.000000000 +0300 +++ libmaxminddb-1.3.2/debian/patches/series 2021-01-10 21:10:00.000000000 +0200 @@ -1 +1,2 @@ 0001-Remove-Pandoc-version-from-manpages.patch +0002-CVE-2020-28241.patch
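
Review bot: The debian-branch change to debian/buster in the debian/gbp.conf hunk is not recorded in the new 1.3.2-1+deb10u1 changelog entry, which lists only the CVE backport. Add a changelog line for it so that the entry covers every packaging change in the debdiff.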
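
Review bot: The header of debian/patches/0002-CVE-2020-28241.patch does not connect the file name to its content: the Subject is "Replace most malloc uses with calloc", it closes upstream #236, and none of its hunks touches dump_entry_data_list, the function named in the changelog entry. Please add a short description to the patch header (with Origin and Bug-Debian fields in the DEP-3 style) saying which zero-initialised allocation addresses the over-read, so that someone auditing the backport against 1.3.2 can confirm it is complete.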
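
Review bot: In the bin/mmdblookup.c hunk (get_options), the calloc result is dereferenced a few lines later at `lookup_path[i] = argv[i + optind];` with no NULL check in between, whereas every allocation changed in src/maxminddb.c is followed by a `NULL ==` test. Since the line is being touched anyway, add a check after the allocation that prints an error and exits, matching how the library side handles allocation failure.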
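
Review bot: In the bytes_to_hex hunk of src/maxminddb.c, the count passed to calloc is still computed by the caller as `(size * 2) + 1` with size declared uint32_t, so where uint32_t is unsigned int the multiplication is done in 32 bits and can wrap before calloc sees it. The MAYBE_CHECK_SIZE_OVERFLOW bound of SIZE_MAX / 2 - 1 does not catch that case when size_t is wider than 32 bits. Consider widening first, for example `calloc((size_t)size * 2 + 1, sizeof(char))`, as the other hunks already let calloc do the multiplication (`calloc(length + 1, sizeof(const char *))`).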