Your message dated Thu, 27 Apr 2023 08:08:42 +0200
with message-id <8db57183-18a0-693c-b582-a124a9cb4...@debian.org>
and subject line Re: Bug#1034654: unblock: src:libsignal-protocol-c/2.3.3-3
has caused the Debian Bug report #1034654,
regarding unblock: src:libsignal-protocol-c/2.3.3-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034654
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: t...@security.debian.org

Dear release team, dear security team,

I added a patch to libsignal-protocol-c and uploaded to unstable.
It fixes https://security-tracker.debian.org/tracker/CVE-2022-48468
in an embedded code copy. Please let it go into bookworm. Thanks!

Cheers
diff -Nru libsignal-protocol-c-2.3.3/debian/changelog libsignal-protocol-c-2.3.3/debian/changelog
--- libsignal-protocol-c-2.3.3/debian/changelog	2023-01-13 00:49:29.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/changelog	2023-04-20 21:52:41.000000000 +0000
@@ -1,3 +1,10 @@
+libsignal-protocol-c (2.3.3-3) unstable; urgency=medium
+
+  * Add patch to fix unsigned integer overflow in protobuf code
+    CVE: https://security-tracker.debian.org/tracker/CVE-2022-48468
+
+ -- Martin <deba...@debian.org>  Thu, 20 Apr 2023 21:52:41 +0000
+
 libsignal-protocol-c (2.3.3-2) unstable; urgency=medium
 
   * Bump debhelper compat
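Review bot: the changelog line says only "in protobuf code", which does not distinguish the embedded copy under src/protobuf-c/ from the separate protobuf-c package; the unblock text calls it an embedded code copy and the patched path (src/protobuf-c/protobuf-c.c) confirms it, so say so here too, e.g. "Add patch to fix unsigned integer overflow in the embedded protobuf-c copy (CVE-2022-48468)", so the security tracker and anyone later re-syncing the embedded copy can tell which one was patched.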
diff -Nru libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch
--- libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch	1970-01-01 00:00:00.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch	2023-04-20 21:49:54.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix unsigned integer overflow
+ and fix regression caused by that fix
+ related CVE:
+ https://security-tracker.debian.org/tracker/CVE-2022-48468
+Author: 10054172 <hui.zh...@thalesgroup.com>, Todd C. Miller <todd.mil...@sudo.ws>
+Origin: other
+Bug: https://github.com/protobuf-c/protobuf-c/issues/499
+Last-Update: 2023-04-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+-						 allocator,
+-						 len - pref_len,
+-						 data + pref_len);
++		if (len >= pref_len)
++			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++							 allocator,
++							 len - pref_len,
++							 data + pref_len);
++		else
++			subm = NULL;
+ 
+ 		if (maybe_clear &&
+ 		    *pmessage != NULL &&
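Review bot: the else branch sets subm = NULL, but the context shown stops at `if (maybe_clear && *pmessage != NULL &&`, so the hunk does not show how a NULL subm is handled afterwards; confirm that the code following the hunk treats it as an unpack failure (returning FALSE, as the `return FALSE;` at the top of the context does for the earlier check) rather than storing a NULL sub-message pointer. Two smaller points: the guard is `len >= pref_len`, so len == pref_len still calls protobuf_c_message_unpack with a length of 0, which is what keeps zero-length sub-messages unpacking and is consistent with the "fix regression caused by that fix" line in the description; a one-line comment at the guard saying that `>=` is deliberate would stop a later cleanup from tightening it to `>`. And the DEP-3 header names two upstream authors yet says `Origin: other`; if this is a backport of upstream protobuf-c commits, DEP-3 wants `Origin: upstream, <commit URL>` (or `backport, <commit URL>`) so the fix can be traced to those commits, since `Bug:` only points at the issue.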
diff -Nru libsignal-protocol-c-2.3.3/debian/patches/series libsignal-protocol-c-2.3.3/debian/patches/series
--- libsignal-protocol-c-2.3.3/debian/patches/series	2023-01-13 00:49:29.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/patches/series	2023-04-20 21:45:25.000000000 +0000
@@ -1 +1,2 @@
 full-library-version-soname.patch
+fix-unsigned-integer-overflow.patch

--- End Message ---
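As an added illustration of the arithmetic the patch above guards against (example code written for this page, not code from protobuf-c or libsignal-protocol-c), the following C program shows the unguarded `len - pref_len` wrapping to SIZE_MAX when a field's recorded length is shorter than its length prefix, the guarded form that refuses that case while still accepting a zero-length sub-message (len == pref_len), and a scan step that checks a declared length against the bytes actually present so such a `len` is never recorded in the first place. The names decode_varint, scan_field, submessage_len_unguarded and submessage_len_guarded are hypothetical, as is the assumption that `len` is the field's total size including its prefix; the page shows only that `len - pref_len` is computed and that the patch skips it when len < pref_len.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from protobuf-c or libsignal-protocol-c.
 * A length-delimited field on the wire is [varint length][payload].
 * The hypothetical scan step records the field's total size `len`
 * (prefix + payload) and the prefix size `pref_len`; the unpack step then
 * derives the payload size as `len - pref_len`.  In size_t arithmetic that
 * subtraction wraps when len < pref_len, which is the condition the guard
 * `if (len >= pref_len)` in the patch rules out.
 */

/* Decode a base-128 varint from buf[0..buflen).  Returns the number of
 * prefix bytes consumed, or 0 if the prefix is truncated or longer than
 * the 10 bytes a 64-bit value can need. */
static size_t decode_varint(const uint8_t *buf, size_t buflen, uint64_t *out)
{
    uint64_t value = 0;
    for (size_t i = 0; i < buflen && i < 10; i++) {
        value |= (uint64_t)(buf[i] & 0x7f) << (7 * i);
        if ((buf[i] & 0x80) == 0) {
            *out = value;
            return i + 1;
        }
    }
    return 0;
}

/* Unguarded form of the arithmetic.  With len=1, pref_len=2 this returns
 * SIZE_MAX, which a caller would then hand on as a buffer length. */
size_t submessage_len_unguarded(size_t len, size_t pref_len)
{
    return len - pref_len;
}

/* Guarded form, same shape as the patched code: refuse when len < pref_len,
 * but still accept len == pref_len so a zero-length sub-message unpacks.
 * Returns 1 and stores the payload size on success, 0 on failure. */
int submessage_len_guarded(size_t len, size_t pref_len, size_t *out)
{
    if (len < pref_len)
        return 0;
    *out = len - pref_len;
    return 1;
}

/* Scan one field from an untrusted buffer: decode the prefix and check that
 * the declared payload actually fits in what follows, so the recorded `len`
 * can never run past the buffer.  Returns 1 on success, 0 on malformed input. */
int scan_field(const uint8_t *buf, size_t buflen, size_t *len, size_t *pref_len)
{
    uint64_t declared;
    size_t p = decode_varint(buf, buflen, &declared);
    if (p == 0)
        return 0;
    /* p <= buflen here, so buflen - p cannot wrap. */
    if (declared > buflen - p)
        return 0;
    *pref_len = p;
    *len = p + (size_t)declared;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a well-formed 3-byte payload, and one whose prefix
     * declares 5 bytes but is followed by only 1. */
    const uint8_t good[] = { 0x03, 'a', 'b', 'c' };
    const uint8_t truncated[] = { 0x05, 'a' };
    size_t len, pref_len, sub;

    if (scan_field(good, sizeof good, &len, &pref_len))
        printf("good: len=%zu pref_len=%zu\n", len, pref_len);
    if (!scan_field(truncated, sizeof truncated, &len, &pref_len))
        printf("truncated: rejected at scan time\n");

    printf("unguarded (len=1, pref_len=2): %zu\n", submessage_len_unguarded(1, 2));
    printf("guarded   (len=1, pref_len=2): %s\n",
           submessage_len_guarded(1, 2, &sub) ? "ok" : "rejected");
    if (submessage_len_guarded(2, 2, &sub))
        printf("guarded   (len=2, pref_len=2): ok, payload %zu bytes\n", sub);
    return 0;
}
```

The point of scan_field is that the bound check belongs where the untrusted length is first read; the guard in the unpack step is defence in depth for the case where the two values were recorded separately and can disagree.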
--- Begin Message ---
Hi Martin,

On 21-04-2023 00:11, Martin wrote:
> I added a patch to libsignal-protocol-c and uploaded to unstable.
> It fixes https://security-tracker.debian.org/tracker/CVE-2022-48468
> in an embedded code copy. Please let it go into bookworm. Thanks!

It was already unblocked and it migrated yesterday. Closing this bug.

Paul



--- End Message ---
