Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, the attached debdiff fix the CVE-2018-19198, CVE-2018-19199 and CVE-2018-19200. The maintainer email address and the Vcs-* location are also changed. CU Jörg - -- System Information: Debian Release: buster/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.18.0-2-amd64 (SMP w/6 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEY+AHX8jUOrs1qzDuCfifPIyh0l0FAlvuqgUACgkQCfifPIyh 0l2zqhAAq0bStaT+o8QELmNS2OZBFLGrv/Li3g5DHnEee5juZLQ9VgLIh5eXb96f ycgBpuItaCfLbMM5WnKGXnmEnB37gMlReYR8nMIF2eVLTeS124SUa6Qeyp/nh3bg 5waNanD9KbxuJDLKzNgeERdf1QKD78VPTnaIPvMQzb6k5ole6PqzxzgqLaOicR/X omYT26BvG9sDnLGtVPuyYqEeiZm575qTpjqUPJzHJd9styiRQiICwiWBfB7D02U0 OoorOWwm/rvDafhrlyxitpvj15pEg97gcyXkKdBhO+PYM5zIDGemDAGh1T/qlkyl FQTiZVgHj23udtS+UnpWeJgFpm9E+9/s6gcXdg+b3P/K/zNHFL6wfnlHNYzfp3mz 2OCHi7UKlkFxkkdn8uA50V2VpULUramKWupe2KGYPS7XXDn+Qh+6vbnNncqacAfp 8noPhUo2woT7Gd4HHUOf0size7BLLeDGL+HrbCQzmSKoIjhxBjQ7IjbXsw4Alstv WZJQWEov+n8ISSJvFuuYkbghbopzsmbDNJvIIUOhKmdbC1yBuGDpY2OaAxahohRy eG2fIg1ku0txTYgCyYk+5JeO3QQu6hvNGjzdanuVuCKJr+eVHQOKQ5gzx9XP/ffM 82myXAlVHITOUQTMR70NQQ4B4NEvPAMTaQYAWUiVEG03G2rovQ4= =HbnA -----END PGP SIGNATURE-----
diff -Nru uriparser-0.8.4/debian/changelog uriparser-0.8.4/debian/changelog
--- uriparser-0.8.4/debian/changelog 2015-11-04 07:02:13.000000000 +0100
+++ uriparser-0.8.4/debian/changelog 2018-11-16 09:43:24.000000000 +0100
@@ -1,3 +1,15 @@
+uriparser (0.8.4-1+deb9u1) stable; urgency=medium
+
+ * Fix multiple CVEs (Closes: #913817):
+ - New debian/patches/CVE-2018-19198.patch to fix CVE-2018-19198.
+ - New debian/patches/CVE-2018-19199.patch to fix CVE-2018-19199.
+ - New debian/patches/CVE-2018-19200.patch to fix CVE-2018-19200.
+ * debian/control:
+ - Change to my new email address.
+ - Switch Vcs-* to new location.
+
+ -- Jörg Frings-Fürst <debian@jff.email> Fri, 16 Nov 2018 09:43:24 +0100
+
 uriparser (0.8.4-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru uriparser-0.8.4/debian/control uriparser-0.8.4/debian/control
--- uriparser-0.8.4/debian/control 2015-11-02 07:02:50.000000000 +0100
+++ uriparser-0.8.4/debian/control 2018-11-16 09:37:15.000000000 +0100
@@ -1,7 +1,7 @@
 Source: uriparser
 Section: libs
 Priority: optional
-Maintainer: Jörg Frings-Fürst <deb...@jff-webhosting.net>
+Maintainer: Jörg Frings-Fürst <debian@jff.email>
 Build-Depends:
 debhelper (>= 9),
 dh-autoreconf,
@@ -14,8 +14,8 @@
 libqt5sql5-sqlite
 Standards-Version: 3.9.6
 Homepage: http://uriparser.sourceforge.net
-Vcs-Git: git://anonscm.debian.org/collab-maint/uriparser.git
-Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/uriparser.git
+Vcs-Git: git://jff.email/opt/git/uriparser.git
+Vcs-Browser: https://jff.email/cgit/uriparser.git
 
 Package: liburiparser1
 Architecture: any
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19198.patch uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 2018-11-16 09:19:24.000000000 +0100
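Review bot: The new `Vcs-Git` value in the second debian/control hunk still uses the `git://` transport, which offers neither encryption nor server authentication, while `Vcs-Browser` on the next line was moved to `https://`. Anyone cloning the packaging repository from this field cannot tell whether the history was altered in transit. If the host serves the repository over HTTPS, point the field there, e.g. `Vcs-Git: https://<host>/<path>/uriparser.git` (placeholder; the real clone URL is not shown on this page).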
@@ -0,0 +1,73 @@
+From 864f5d4c127def386dd5cc926ad96934b297f04e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sun, 23 Sep 2018 20:07:25 +0200
+Subject: [PATCH] UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
+
+Reported by Google Autofuzz team
+---
+ src/UriQuery.c | 1 +
+ test/test.cpp | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+Index: stretch/src/UriQuery.c
+===================================================================
+--- stretch.orig/src/UriQuery.c
++++ stretch/src/UriQuery.c
+@@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+
+ /* Copy key */
+ if (firstItem == URI_TRUE) {
++ ampersandLen = 1;
+ firstItem = URI_FALSE;
+ } else {
+ write[0] = _UT('&');
+Index: stretch/test/test.cpp
+===================================================================
+--- stretch.orig/test/test.cpp
++++ stretch/test/test.cpp
+@@ -102,6 +102,7 @@ public:
+ TEST_ADD(UriSuite::testQueryList)
+ TEST_ADD(UriSuite::testQueryListPair)
+ TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
++ TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
+ TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
+ TEST_ADD(UriSuite::testParseInvalid_Bug16)
+ TEST_ADD(UriSuite::testRangeComparison)
+@@ -1718,6 +1719,37 @@ Rule | Ex
+ uriFreeQueryListA(queryList);
+ }
+
++ void testQueryCompositionMathWrite_GoogleAutofuzz113244572() {
++ UriQueryListA second = { .key = "\x11", .value = NULL, .next = NULL };
++ UriQueryListA first = { .key = "\x01", .value = "\x02", .next = &second };
++
++ const UriBool spaceToPlus = URI_TRUE;
++ const UriBool normalizeBreaks = URI_FALSE; /* for factor 3 but 6 */
++
++ const int charsRequired = (3 + 1 + 3) + 1 + (3);
++
++ {
++ // Minimum space to hold everything fine
++ const char * const expected = "%01=%02" "&" "%11";
++ char dest[charsRequired + 1];
++ int charsWritten;
++ TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
++ &charsWritten, 
spaceToPlus, normalizeBreaks)
++ == URI_SUCCESS);
++ TEST_ASSERT(! strcmp(dest, expected));
++ TEST_ASSERT(charsWritten == strlen(expected) + 1);
++ }
++
++ {
++ // Previous math failed to take ampersand into account
++ char dest[charsRequired + 1 - 1];
++ int charsWritten;
++ TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
++ &charsWritten, spaceToPlus, normalizeBreaks)
++ == URI_ERROR_OUTPUT_TOO_LARGE);
++ }
++ }
++
+ void testFreeCrash_Bug20080827() {
+ char const * const sourceUri = "abc";
+ char const * const baseUri = "http://www.example.org/";
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19199.patch uriparser-0.8.4/debian/patches/CVE-2018-19199.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19199.patch 1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19199.patch 2018-11-16 09:20:41.000000000 +0100
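Review bot: The added `ampersandLen = 1;` in the `firstItem == URI_TRUE` branch of the UriQuery.c hunk carries no comment, and on its own it reads oddly because that branch is the one that writes no `&`. Presumably the value feeds a space check on later iterations that sits outside the hunk, so a one-line comment would keep a later cleanup from removing it, e.g. `/* from the second item on, the space check must also count the '&' separator */`. In the test.cpp hunk the second block only asserts `URI_ERROR_OUTPUT_TOO_LARGE`; running the suite under AddressSanitizer, or placing a guard byte after `dest` and checking it afterwards, would additionally show that nothing was written past the shortened buffer. ComposeQueryEngine's body starts and ends outside the hunk.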
@@ -0,0 +1,43 @@
+From f76275d4a91b28d687250525d3a0c5509bbd666f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sun, 23 Sep 2018 21:30:39 +0200
+Subject: [PATCH] UriQuery.c: Catch integer overflow in ComposeQuery and ...Ex
+
+---
+ ChangeLog | 2 ++
+ src/UriQuery.c | 14 ++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: stretch/src/UriQuery.c
+===================================================================
+--- stretch.orig/src/UriQuery.c
++++ stretch/src/UriQuery.c
+@@ -68,6 +68,10 @@
+
+
+
++#include <limits.h>
++
++
++
+ static int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
+ const URI_TYPE(QueryList) * queryList,
+ int maxChars, int * charsWritten, int * charsRequired,
+@@ -201,9 +205,15 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+ const URI_CHAR * const value = queryList->value;
+ const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
+ const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+- const int keyRequiredChars = worstCase * keyLen;
++ int keyRequiredChars;
+ const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
+- const int valueRequiredChars = worstCase * valueLen;
++ int valueRequiredChars;
++
++ if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
++ return URI_ERROR_OUTPUT_TOO_LARGE;
++ }
++ keyRequiredChars = worstCase * keyLen;
++ valueRequiredChars = worstCase * valueLen;
+
+ if (dest == NULL) {
+ if (firstItem == URI_TRUE) {
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19200.patch uriparser-0.8.4/debian/patches/CVE-2018-19200.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19200.patch 1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19200.patch 2018-11-16 08:49:00.000000000 +0100
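Review bot: The new guard in the second UriQuery.c hunk compares `keyLen` and `valueLen`, but both were already narrowed with `(int)URI_STRLEN(...)` on the context lines above it, so a string longer than `INT_MAX` yields an implementation-defined (typically negative or wrapped) value that passes `keyLen >= INT_MAX / worstCase`. Doing the comparison on the unnarrowed length closes that gap, e.g. `const size_t keyLenRaw = (key == NULL) ? 0 : URI_STRLEN(key);` followed by `if (keyLenRaw >= (size_t)(INT_MAX / worstCase)) return URI_ERROR_OUTPUT_TOO_LARGE;`, and the same for `value`. The guard also bounds each product on its own; whether the running total kept across list items can still exceed `INT_MAX` depends on code outside the hunk and is worth checking. ComposeQueryEngine's body starts and ends outside the hunk.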
@@ -0,0 +1,23 @@
+From f58c25069cf4a986fe17a80c5b38687e31feb539 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Wed, 10 Oct 2018 14:49:51 +0200
+Subject: [PATCH] ResetUri: Protect against NULL
+
+---
+ src/UriCommon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/UriCommon.c b/src/UriCommon.c
+index 3775306..039beda 100644
+--- a/src/UriCommon.c
++++ b/src/UriCommon.c
+@@ -75,6 +75,9 @@
+
+
+ void URI_FUNC(ResetUri)(URI_TYPE(Uri) * uri) {
++ if (uri == NULL) {
++ return;
++ }
+ memset(uri, 0, sizeof(URI_TYPE(Uri)));
+ }
+
diff -Nru uriparser-0.8.4/debian/patches/series uriparser-0.8.4/debian/patches/series
--- uriparser-0.8.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/series 2018-11-16 09:18:50.000000000 +0100
@@ -0,0 +1,3 @@
+CVE-2018-19198.patch
+CVE-2018-19199.patch
+CVE-2018-19200.patch
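Review bot: The NULL guard added to `ResetUri` in the UriCommon.c hunk turns a NULL argument into a silent no-op, and nothing records that this is now part of the function's contract. A short comment above the check, e.g. `/* NULL is accepted and ignored */`, would document it. The callers are not visible here, so it is worth confirming that none of them goes on to dereference the same pointer after the call returns. Unlike CVE-2018-19198.patch, this patch ships no regression test for the NULL case.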