Control: tags -1 confirmed

Heiko Stuebner:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libnl3
> 
> In CVE-2017-0553 a possible (but moderate) security issue was found
> which resulted in bug #859948 against the Debian libnl3 package.
> 
> The 3.2.27-2 fixes this (and only this) issue.
> 

Ack from here, CC'ing KiBi for a d-i ack (and keeping the debdiff for
his sake).

~Niels

> debdiff:
> diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog
> --- libnl3-3.2.27/debian/changelog      2016-01-24 23:54:53.000000000 +0100
> +++ libnl3-3.2.27/debian/changelog      2017-04-10 11:48:23.000000000 +0200
> @@ -1,3 +1,9 @@
> +libnl3 (3.2.27-2) unstable; urgency=low
> +
> +  * Add upstream fix for CVE-2017-0553 (Closes: #859948)
> +
> + -- Heiko Stuebner <mm...@debian.org>  Mon, 10 Apr 2017 11:48:23 +0200
> +
>  libnl3 (3.2.27-1) unstable; urgency=low
> 
>    * New upstream release
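
Review bot: `urgency=low` in the new 3.2.27-2 stanza is at odds with an upload whose only change is a CVE fix, since urgency sets the default delay before migration to testing. Consider `urgency=medium`, or ask for the package to be aged as part of the unblock. The entry could also name the added file (nlmsg_reserve-overflow.patch) so the changelog points straight at the change.
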
> diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> --- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> 1970-01-01 01:00:00.000000000 +0100
> +++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> 2017-04-10 10:55:21.000000000 +0200
> @@ -0,0 +1,38 @@
> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
> +From: Thomas Haller <thal...@redhat.com>
> +Date: Mon, 6 Feb 2017 22:23:52 +0100
> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
> +
> +In general, libnl functions are not robust against calling with
> +invalid arguments. Thus, never call libnl functions with invalid
> +arguments. In case of nlmsg_reserve() this means never provide
> +a @len argument that causes overflow.
> +
> +Still, add an additional safeguard to avoid exploiting such bugs.
> +
> +Assume that @pad is a trusted, small integer.
> +Assume that n->nm_size is a valid number of allocated bytes (and thus
> +much smaller then SIZE_T_MAX).
> +Assume, that @len may be set to an untrusted value. Then the patch
> +avoids an integer overflow resulting in reserving too few bytes.
> +---
> + lib/msg.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/lib/msg.c b/lib/msg.c
> +index 9af3f3a..3e27d4e 100644
> +--- a/lib/msg.c
> ++++ b/lib/msg.c
> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int 
> pad)
> +       size_t nlmsg_len = n->nm_nlh->nlmsg_len;
> +       size_t tlen;
> +
> ++      if (len > n->nm_size)
> ++              return NULL;
> ++
> +       tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
> +
> +       if ((tlen + nlmsg_len) > n->nm_size)
> +--
> +2.9.3
> +
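
Review bot: The added guard `if (len > n->nm_size)` bounds only `len`, so the rounding on the next line, `(len + (pad - 1)) & ~(pad - 1)`, is still safe only under the commit message's assumption that `pad` is a small, trusted value; `pad` is declared `int` and nothing here rejects a negative one. That is acceptable for a targeted fix, but callers must not pass an untrusted `pad`, and they need to check for the NULL return now that an oversized `len` produces one. Separately, the file is a cherry-pick of upstream commit 3e18948f but lives under debian/patches/debian/ with no Origin or Bug-Debian header; adding those would make its provenance clear.
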
> diff -Nru libnl3-3.2.27/debian/patches/series
> libnl3-3.2.27/debian/patches/series
> --- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.000000000 +0100
> +++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.000000000 +0200
> @@ -3,3 +3,4 @@
>  debian/no-symvers.diff -p1
>  debian/__nl_cache_ops_lookup-unstatic.diff -p1
>  debian/_nl_socket_generate_local_port_no_release.diff -p1
> +debian/nlmsg_reserve-overflow.patch -p1
> 
> 
> unblock libnl3/3.2.27-2
> 
> [...]
