Hi,

On Mon, Oct 23, 2023 at 07:07:44PM +0200, Salvo "LtWorf" Tomaselli wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
> Control: affects -1 + src:weborf
>
> I have found a denial of service in all versions of weborf.
>
> It is tracked in #1054417 and solved in 1.0 upstream.
> https://github.com/ltworf/weborf/pull/88
>
> The issue is fixed in unstable but remains in stable and oldstable.
>
> [ Reason ]
> The bug has been there undetected for years. The fix is minimal.
>
> [ Impact ]
> The denial of service and extremely unlikely but theoretically possible
> remote execution issue will remain.
>
> The issue exists only if the process has CGI enabled (not the default).
>
> [ Tests ]
>
> There are no automated tests covering the issue.
>
> [ Risks ]
>
> The patch is just 3 lines.
>
> [ Checklist ]
> [*] *all* changes are documented in the d/changelog
> [*] I reviewed all changes and I approve them
> [*] attach debdiff against the package in (old)stable
> [*] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> A patch to remove a memory allocation and copy, where I forgot a +1 in the
> copy.
>
> The resulting code just reuses the same buffer instead of copying, which was
> not needed to begin with.
>
> [ Other info ]
>
> Tracked in CVE-2023-46586
> diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
> --- weborf-0.19/debian/changelog 2022-10-15 12:57:06.000000000 +0200
> +++ weborf-0.19/debian/changelog 2023-10-23 18:38:21.000000000 +0200
> @@ -1,3 +1,9 @@
> +weborf (0.19-3) bookworm; urgency=medium
> +
> +  * Backport patch from upstream to fix denial of service (Closes: 1054417)
> +
> + -- Salvo 'LtWorf' Tomaselli <tipos...@tiscali.it>  Mon, 23 Oct 2023
> 18:38:21 +0200

The version works because 0.19-3 never landed in the archive. Normally you
would use a +debXuY suffix, in the above case +deb12u1. But I assume SRM will
still ack the fix as it is (other packages also do not follow this as a strict
rule, e.g. src:linux, but because it's following the stable series).

Regards,
Salvatore
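Review bot: the quoted debdiff contains only the debian/changelog hunk, so the three-line backport the entry describes ("Backport patch from upstream to fix denial of service") is not visible for review; the new file under debian/patches and its debian/patches/series entry should be part of the debdiff attached to this request. The changelog line should also name CVE-2023-46586, which the request lists under [ Other info ] but the entry omits, and use the usual "Closes: #1054417" form, e.g. "* Backport patch from upstream to fix denial of service (CVE-2023-46586) (Closes: #1054417)".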