Control: tags 781806 + pending

Dear maintainer,

I've prepared an NMU for das-watchdog (versioned as 0.9.0-3.1) and uploaded it, because the Jessie release is close. Attached is the debdiff used for the upload. Regards, Salvatore
diff -Nru das-watchdog-0.9.0/debian/changelog das-watchdog-0.9.0/debian/changelog
--- das-watchdog-0.9.0/debian/changelog 2013-10-16 18:37:01.000000000 +0200
+++ das-watchdog-0.9.0/debian/changelog 2015-04-10 22:34:03.000000000 +0200
@@ -1,3 +1,13 @@
+das-watchdog (0.9.0-3.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix buffer overflow in the handling of the XAUTHORITY env variable
+ (CVE-2015-2831) (Closes: #781806)
+ * Remove duplicate check for temp[i] == '\0' in das_watchdog.c
+ * Fix infinite loop on platforms where char is unsigned
+
+ -- Salvatore Bonaccorso <car...@debian.org> Fri, 10 Apr 2015 22:19:18 +0200
+
 das-watchdog (0.9.0-3) unstable; urgency=low
 
 * Team upload.
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch
--- das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch 1970-01-01 01:00:00.000000000 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch 2015-04-10 22:34:03.000000000 +0200
@@ -0,0 +1,41 @@
+From bd20bb02e75e2c0483832b52f2577253febfb690 Mon Sep 17 00:00:00 2001
+From: Kjetil Matheussen <k.s.matheus...@usit.uio.no>
+Date: Wed, 1 Apr 2015 16:06:48 +0200
+Subject: [PATCH] Fix memory overflow if the name of an environment is larger
+ than 500 characters. Bug found by Adam Sampson.
+
+---
+ das_watchdog.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index c98bbea..8473fe8 100644
+--- a/das_watchdog.c
++++ b/das_watchdog.c
+@@ -306,7 +306,9 @@ static int checksoftirq(int force){
+ 
+ 
+ static char *get_pid_environ_val(pid_t pid,char *val){
+- char temp[500];
++ int temp_size = 500;
++ char *temp = malloc(temp_size);
++
+ int i=0;
+ int foundit=0;
+ FILE *fp;
+@@ -319,6 +321,12 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ 
+ 
+ for(;;){
++
++ if (i >= temp_size) {
++ temp_size *= 2;
++ temp = realloc(temp, temp_size);
++ }
++
+ temp[i]=fgetc(fp);
+ 
+ if(foundit==1 && (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
+--
+2.1.4
+
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch
--- das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch 1970-01-01 01:00:00.000000000 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch 2015-04-10 22:34:03.000000000 +0200
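Review bot: `char *temp = malloc(temp_size);` is never checked, and the statement that follows it (outside this hunk, but visible as context in the next patch) is `sprintf(temp,"/proc/%d/environ",pid)`, so an allocation failure becomes a write through NULL instead of a NULL return; add `if (temp == NULL) return NULL;` directly after the declaration. None of the later patches in this series touch that line, so the check is still missing in the final state of the file. The body of get_pid_environ_val continues past the end of this hunk.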
@@ -0,0 +1,50 @@
+From 286489dd7dad59f8b5a9b9fdfececb95bcf5c570 Mon Sep 17 00:00:00 2001
+From: Kjetil Matheussen <k.s.matheus...@usit.uio.no>
+Date: Wed, 1 Apr 2015 16:12:39 +0200
+Subject: [PATCH] Fixed memory leak in bd20bb02e75e2c0483832b52f2577253febfb690
+
+---
+ das_watchdog.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index 8381d56..26385b2 100644
+--- a/das_watchdog.c
++++ b/das_watchdog.c
+@@ -316,9 +316,10 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ sprintf(temp,"/proc/%d/environ",pid);
+ 
+ fp=fopen(temp,"r");
+- if(fp==NULL)
++ if(fp==NULL){
++ free(temp);
+ return NULL;
+-
++ }
+ 
+ for(;;){
+ 
+@@ -330,17 +331,15 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ temp[i]=fgetc(fp);
+ 
+ if(foundit==1 && (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
+- char *ret;
+- temp[i]=0;
+- ret=malloc(strlen(temp)+10);
+- sprintf(ret,"%s",temp);
+ fclose(fp);
+- return ret;
++ temp[i]=0;
++ return temp;
+ }
+ 
+ switch(temp[i]){
+ case EOF:
+ fclose(fp);
++ free(temp);
+ return NULL;
+ case '=':
+ temp[i]=0;
+--
+2.1.4
+
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch
--- das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch 1970-01-01 01:00:00.000000000 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Remove-duplicate-check-for-temp-i-0.patch 2015-04-10 22:34:03.000000000 +0200
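Review bot: The ownership contract of get_pid_environ_val changed here without a comment: the function now returns its own grown scratch buffer (`return temp;`) instead of a tight copy, and frees it on the fopen-failure and EOF paths, so a header comment above the function would help: `/* Returns the value of env var `val` in /proc/<pid>/environ as a heap string the caller must free(), or NULL if the file cannot be opened or the variable is not found. */`. One hedged point: the old `malloc(strlen(temp)+10)` left ten bytes of slack after the terminator and the returned buffer no longer guarantees any, so if a caller appends to the result it now needs its own allocation; I cannot see the callers from this hunk. The function's signature and the remainder of its loop lie outside this hunk.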
@@ -0,0 +1,25 @@
+From b76e17f733bddb5295ef34eed4dd444b31c7b12f Mon Sep 17 00:00:00 2001
+From: Adam Sampson <a...@offog.org>
+Date: Wed, 1 Apr 2015 20:28:28 +0100
+Subject: [PATCH 1/3] Remove duplicate check for temp[i] == '\0'
+
+---
+ das_watchdog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index ab97753..176fb1b 100644
+--- a/das_watchdog.c
++++ b/das_watchdog.c
+@@ -330,7 +330,7 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ 
+ temp[i]=fgetc(fp);
+ 
+- if(foundit==1 && (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
++ if(foundit==1 && (temp[i]=='\0' || temp[i]==EOF)){
+ fclose(fp);
+ temp[i]=0;
+ return temp;
+--
+2.1.4
+
diff -Nru das-watchdog-0.9.0/debian/patches/0003-The-result-of-fgetc-is-an-int-not-a-char.patch das-watchdog-0.9.0/debian/patches/0003-The-result-of-fgetc-is-an-int-not-a-char.patch
--- das-watchdog-0.9.0/debian/patches/0003-The-result-of-fgetc-is-an-int-not-a-char.patch 1970-01-01 01:00:00.000000000 +0100
+++ das-watchdog-0.9.0/debian/patches/0003-The-result-of-fgetc-is-an-int-not-a-char.patch 2015-04-10 22:34:03.000000000 +0200
@@ -0,0 +1,59 @@
+From 57e7400d046f382ee94745791ccb0e1a06efb2e4 Mon Sep 17 00:00:00 2001
+From: Adam Sampson <a...@offog.org>
+Date: Wed, 1 Apr 2015 20:33:41 +0100
+Subject: [PATCH 3/3] The result of fgetc is an int, not a char
+
+Without this change, get_pid_environ_val would go into an infinite loop
+when asked to find a variable that doesn't exist on a platform where
+char is unsigned (e.g. ARM): fgetc would return -1 (EOF), which would be
+stored as 255 in temp[i], which then wouldn't be equal to -1 when
+testing.
+---
+ das_watchdog.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index 176fb1b..0dfe38a 100644
+--- a/das_watchdog.c
++++ b/das_watchdog.c
+@@ -322,21 +322,20 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ }
+ 
+ for(;;){
+-
++ int c = fgetc(fp);
++
+ if (i >= temp_size) {
+ temp_size *= 2;
+ temp = realloc(temp, temp_size);
+ }
+-
+- temp[i]=fgetc(fp);
+ 
+- if(foundit==1 && (temp[i]=='\0' || temp[i]==EOF)){
++ if(foundit==1 && (c=='\0' || c==EOF)){
+ fclose(fp);
+ temp[i]=0;
+ return temp;
+ }
+ 
+- switch(temp[i]){
++ switch(c){
+ case EOF:
+ fclose(fp);
+ free(temp);
+@@ -349,9 +348,11 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ i=0;
+ break;
+ case '\0':
++ temp[i]=0;
+ i=0;
+ break;
+ default:
++ temp[i]=c;
+ i++;
+ }
+ }
+--
+2.1.4
+
diff -Nru das-watchdog-0.9.0/debian/patches/series das-watchdog-0.9.0/debian/patches/series
--- das-watchdog-0.9.0/debian/patches/series 2013-10-16 18:34:25.000000000 +0200
+++ das-watchdog-0.9.0/debian/patches/series 2015-04-10 22:34:03.000000000 +0200
@@ -1,3 +1,7 @@
 01-rc.patch
 02-makefile.patch
 03-hardening.patch
+0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch
+0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch
+0001-Remove-duplicate-check-for-temp-i-0.patch
+0003-The-result-of-fgetc-is-an-int-not-a-char.patch
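Review bot: `temp = realloc(temp, temp_size);` — context here, and the only growth path in the final code — is unchecked, so when it fails the old buffer leaks and the writes this hunk adds (`temp[i]=0;` in the `'\0'` case, `temp[i]=c;` in `default`, and `temp[i]=0;` before `return temp;`) dereference NULL; for a daemon that reads other processes' `/proc/<pid>/environ` that is a crash an unprivileged user can trigger only if they can also exhaust memory, but it is still wrong. Keep the old pointer until the new one is known and leave through the same cleanup the `EOF` case already uses, as sketched below. The doubling should also happen only after the allocation succeeds, otherwise `temp_size` no longer describes the buffer. get_pid_environ_val starts and ends outside this hunk.

```c
        if (i >= temp_size) {
            char *grown = realloc(temp, (size_t)temp_size * 2);
            if (grown == NULL) {
                fclose(fp);
                free(temp);
                return NULL;
            }
            temp = grown;
            temp_size *= 2;
        }
        /* … unchanged: foundit check, switch(c) handling … */
```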
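Review bot: The series applies Adam Sampson's `[PATCH 1/3]` and `[PATCH 3/3]` but nothing numbered 2/3, and the file names likewise jump from `0001-` to `0003-`, so a reader cannot tell whether a patch was deliberately dropped or lost while preparing the NMU. A one-line remark in the 0003 patch header or in the changelog entry stating what 2/3 was and why it is not applied would settle that. I cannot see the upstream series from this diff, so the gap may well be intentional.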