Your message dated Thu, 27 Apr 2023 08:08:42 +0200 with message-id <8db57183-18a0-693c-b582-a124a9cb4...@debian.org> and subject line Re: Bug#1034654: unblock: src:libsignal-protocol-c/2.3.3-3 has caused the Debian Bug report #1034654, regarding unblock: src:libsignal-protocol-c/2.3.3-3 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1034654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034654
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: t...@security.debian.org Dear release team, dear security team, I added a patch to libsignal-protocol-c and uploaded to unstable. It fixes https://security-tracker.debian.org/tracker/CVE-2022-48468 in an embedded code copy. Please let it go into bookworm. Thanks! Cheersdiff -Nru libsignal-protocol-c-2.3.3/debian/changelog libsignal-protocol-c-2.3.3/debian/changelog --- libsignal-protocol-c-2.3.3/debian/changelog 2023-01-13 00:49:29.000000000 +0000 +++ libsignal-protocol-c-2.3.3/debian/changelog 2023-04-20 21:52:41.000000000 +0000 @@ -1,3 +1,10 @@ +libsignal-protocol-c (2.3.3-3) unstable; urgency=medium + + * Add patch to fix unsigned integer overflow in protobuf code + CVE: https://security-tracker.debian.org/tracker/CVE-2022-48468 + + -- Martin <deba...@debian.org> Thu, 20 Apr 2023 21:52:41 +0000 + libsignal-protocol-c (2.3.3-2) unstable; urgency=medium * Bump debhelper compat diff -Nru libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch --- libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch 1970-01-01 00:00:00.000000000 +0000 +++ libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch 2023-04-20 21:49:54.000000000 +0000 
@@ -0,0 +1,30 @@ +Description: Fix unsigned integer overflow + and fix regression caused by that fix + related CVE: + https://security-tracker.debian.org/tracker/CVE-2022-48468 +Author: 10054172 <hui.zh...@thalesgroup.com>, Todd C. Miller <todd.mil...@sudo.ws> +Origin: other +Bug: https://github.com/protobuf-c/protobuf-c/issues/499 +Last-Update: 2023-04-20 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/src/protobuf-c/protobuf-c.c ++++ b/src/protobuf-c/protobuf-c.c +@@ -2456,10 +2456,13 @@ + return FALSE; + + def_mess = scanned_member->field->default_value; +- subm = protobuf_c_message_unpack(scanned_member->field->descriptor, +- allocator, +- len - pref_len, +- data + pref_len); ++ if (len >= pref_len) ++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor, ++ allocator, ++ len - pref_len, ++ data + pref_len); ++ else ++ subm = NULL; + + if (maybe_clear && + *pmessage != NULL && diff -Nru libsignal-protocol-c-2.3.3/debian/patches/series libsignal-protocol-c-2.3.3/debian/patches/series --- libsignal-protocol-c-2.3.3/debian/patches/series 2023-01-13 00:49:29.000000000 +0000 +++ libsignal-protocol-c-2.3.3/debian/patches/series 2023-04-20 21:45:25.000000000 +0000 @@ -1 +1,2 @@ full-library-version-soname.patch +fix-unsigned-integer-overflow.patch
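Review bot: in the fix-unsigned-integer-overflow.patch hunk, the guard `if (len >= pref_len)` leaves `subm` as NULL whenever the length prefix exceeds the remaining buffer, and the hunk relies on the code after `if (maybe_clear &&` treating a NULL `subm` as an unpack failure, the same path taken when `protobuf_c_message_unpack` itself returns NULL; that check is outside the visible context, so confirm it is present in the embedded copy before the upload is accepted. The comparison being `>=` rather than `>` is the right choice: `len == pref_len` is a zero-length embedded message, which is valid, and the header's "fix regression caused by that fix" is consistent with a stricter earlier variant having rejected it. On the DEP-3 header, `Origin: other` undersells the provenance when `Bug:` already points at the upstream protobuf-c issue; `Origin: upstream, <upstream commit URL>` would let the next maintainer match this against upstream releases without re-reading the issue thread.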
--- End Message ---
--- Begin Message ---
Hi Martin,

On 21-04-2023 00:11, Martin wrote:
> I added a patch to libsignal-protocol-c and uploaded to unstable. It fixes https://security-tracker.debian.org/tracker/CVE-2022-48468 in an embedded code copy. Please let it go into bookworm. Thanks!

It was already unblocked and it migrated yesterday. Closing this bug.

Paul
--- End Message ---