Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libnl3

In CVE-2017-0553 a possible (but moderate) security issue was found which resulted in bug #859948 against the Debian libnl3 package. The 3.2.27-2 fixes this (and only this) issue.

debdiff:
diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog --- libnl3-3.2.27/debian/changelog 2016-01-24 23:54:53.000000000 +0100 +++ libnl3-3.2.27/debian/changelog 2017-04-10 11:48:23.000000000 +0200 @@ -1,3 +1,9 @@ +libnl3 (3.2.27-2) unstable; urgency=low + + * Add upstream fix for CVE-2017-0553 (Closes: #859948) + + -- Heiko Stuebner <mm...@debian.org> Mon, 10 Apr 2017 11:48:23 +0200 + libnl3 (3.2.27-1) unstable; urgency=low * New upstream release diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch --- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch 2017-04-10 10:55:21.000000000 +0200 
@@ -0,0 +1,38 @@ +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 +From: Thomas Haller <thal...@redhat.com> +Date: Mon, 6 Feb 2017 22:23:52 +0100 +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() + +In general, libnl functions are not robust against calling with +invalid arguments. Thus, never call libnl functions with invalid +arguments. In case of nlmsg_reserve() this means never provide +a @len argument that causes overflow. + +Still, add an additional safeguard to avoid exploiting such bugs. + +Assume that @pad is a trusted, small integer. +Assume that n->nm_size is a valid number of allocated bytes (and thus +much smaller then SIZE_T_MAX). +Assume, that @len may be set to an untrusted value. Then the patch +avoids an integer overflow resulting in reserving too few bytes. +--- + lib/msg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/msg.c b/lib/msg.c +index 9af3f3a..3e27d4e 100644 +--- a/lib/msg.c ++++ b/lib/msg.c +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) + size_t nlmsg_len = n->nm_nlh->nlmsg_len; + size_t tlen; + ++ if (len > n->nm_size) ++ return NULL; ++ + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; + + if ((tlen + nlmsg_len) > n->nm_size) +-- +2.9.3 + diff -Nru libnl3-3.2.27/debian/patches/series libnl3-3.2.27/debian/patches/series --- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.000000000 +0100 +++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.000000000 +0200 
@@ -3,3 +3,4 @@ debian/no-symvers.diff -p1 debian/__nl_cache_ops_lookup-unstatic.diff -p1 debian/_nl_socket_generate_local_port_no_release.diff -p1 +debian/nlmsg_reserve-overflow.patch -p1

unblock libnl3/3.2.27-2

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
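
Review bot: the new 3.2.27-2 entry in debian/changelog is marked "urgency=low" although its only change is the fix for CVE-2017-0553 (Closes: #859948). Urgency is what the archive uses to decide how long an upload ages in unstable before it can migrate, so a security-only upload would normally carry a higher value. The entry would also be easier to audit if it named the patch file it adds, debian/patches/debian/nlmsg_reserve-overflow.patch.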
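
Review bot: in the lib/msg.c hunk of nlmsg_reserve-overflow.patch, the added "if (len > n->nm_size) return NULL;" is sufficient only under assumptions that are written in the commit message and nowhere in the code: @pad is a small trusted integer and n->nm_size is far below SIZE_T_MAX. A one-line comment above the check, saying it exists so that "len + (pad - 1)" on the next line cannot wrap, would stop a later reader from treating it as a general bounds check. It is also worth noting there that pad is an int mixed into size_t arithmetic and is not validated in this function. Separately, the Debian patch file has no Bug-Debian line pointing at #859948, which would tie the patch to the bug the changelog closes.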