Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package monit in t-p-u. The version 1:5.25.2-3+deb10u1 has only targeted fixes for security issue #927775 (two CVEs). See attached diff.
diff --git a/debian/changelog b/debian/changelog
index bd3d9b0..8712671 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+monit (1:5.25.2-3+deb10u1) testing-proposed-updates; urgency=medium
+
+ * Backport upstream fixes (Closes: #927775):
+ + CVE-2019-11454 Persistent cross-site scripting (XSS) in http/cervlet.c
+ + CVE-2019-11455 A buffer over-read in Util_urlDecode in util.c
+
+ -- Sergey B Kirpichev <skirpic...@gmail.com> Mon, 17 Jun 2019 10:57:40 +0300
+
 monit (1:5.25.2-3) unstable; urgency=medium
 
 * Spelling fixes in manpage
diff --git a/debian/patches/CVE-2019-11454.patch b/debian/patches/CVE-2019-11454.patch
new file mode 100644
index 0000000..ce73e8d
--- /dev/null
+++ b/debian/patches/CVE-2019-11454.patch
@@ -0,0 +1,20 @@
+Description: Fix CVE-2019-11454
+Origin: https://bitbucket.org/tildeslash/monit/commits/328f607
+Forwarded: not needed
+Bug-Debian: https://bugs.debian.org/927775
+
+---
+ src/http/cervlet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/http/cervlet.c
++++ b/src/http/cervlet.c
+@@ -906,7 +906,7 @@ static void do_viewlog(HttpRequest req,
+ StringBuffer_append(res->outputbuffer, "<br><p><form><textarea cols=120 rows=30 readonly>");
+ while ((n = fread(buf, sizeof(char), sizeof(buf) - 1, f)) > 0) {
+ buf[n] = 0;
+- StringBuffer_append(res->outputbuffer, "%s", buf);
++ escapeHTML(res->outputbuffer, buf);
+ }
+ fclose(f);
+ StringBuffer_append(res->outputbuffer, "</textarea></form>");
diff --git a/debian/patches/CVE-2019-11455.patch b/debian/patches/CVE-2019-11455.patch
new file mode 100644
index 0000000..3845fd3
--- /dev/null
+++ b/debian/patches/CVE-2019-11455.patch
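Review bot: The effectiveness of the `escapeHTML(res->outputbuffer, buf)` replacement in do_viewlog depends entirely on the escape set of `escapeHTML`, which is defined outside this patch: the content sits inside a `<textarea>` (RCDATA), so log bytes can only break out if `<` (for a `</textarea>` sequence) or `&` survive unescaped, and nothing in the hunk shows what `escapeHTML` rewrites. Worth confirming against its definition that at least `<`, `>` and `&` are escaped, and recording that dependency at the call site, e.g. `/* log content may be attacker-influenced (CVE-2019-11454): escapeHTML must cover '<', '>' and '&' */`. Escaping per fread() chunk is fine because the significant characters are single bytes, but `buf[n] = 0` followed by a string-based escape means an embedded NUL in the log silently drops the rest of that chunk; harmless for XSS, yet worth a one-line comment so it is not mistaken for a bug later. do_viewlog starts before the hunk, so the declaration and size of `buf` are not visible here.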
@@ -0,0 +1,58 @@
+Description: Fix CVE-2019-11455
+Origin: https://bitbucket.org/tildeslash/monit/commits/f12d0cdb
+Forwarded: not needed
+Bug-Debian: https://bugs.debian.org/927775
+
+---
+ src/util.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/src/util.c
++++ b/src/util.c
+@@ -233,7 +233,7 @@ static char *is_str_defined(char *s) {
+ /**
+ * Convert a hex char to a char
+ */
+-static char x2c(char *hex) {
++static char _x2c(char *hex) {
+ register char digit;
+ digit = ((hex[0] >= 'A') ? ((hex[0] & 0xdf) - 'A')+10 : (hex[0] - '0'));
+ digit *= 16;
+@@ -535,7 +535,7 @@ void Util_handleEscapes(char *buf) {
+ */
+ *(buf + insertpos) = *(buf+editpos);
+ } else {
+- *(buf + insertpos) = x2c(&buf[editpos + 3]);
++ *(buf + insertpos) = _x2c(&buf[editpos + 3]);
+ editpos += 4;
+ }
+ }
+@@ -571,7 +571,7 @@ int Util_handle0Escapes(char *buf) {
+ switch (*(buf + editpos + 1)) {
+ case '0':
+ if (*(buf + editpos + 2) == 'x') {
+- *(buf + insertpos) = x2c(&buf[editpos+3]);
++ *(buf + insertpos) = _x2c(&buf[editpos+3]);
+ editpos += 4;
+ }
+ break;
+@@ -1561,13 +1561,15 @@ char *Util_urlDecode(char *url) {
+ if (url && *url) {
+ register int x, y;
+ for (x = 0, y = 0; url[y]; x++, y++) {
+- if ((url[x] = url[y]) == '+')
++ if (url[y] == '+') {
+ url[x] = ' ';
+- else if (url[x] == '%') {
+- if (! (url[x + 1] && url[x + 2]))
++ } else if (url[y] == '%') {
++ if (! url[y + 1] || ! url[y + 2])
+ break;
+- url[x] = x2c(url + y + 1);
++ url[x] = _x2c(url + y + 1);
+ y += 2;
++ } else {
++ url[x] = url[y];
+ }
+ }
+ url[x] = 0;
diff --git a/debian/patches/series b/debian/patches/series
index 98bcb60..fc04d2d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
 05_monitrc.patch
 07_cross.patch
 11_enable_hurd.patch
+CVE-2019-11455.patch
+CVE-2019-11454.patch
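Review bot: The new check `if (! url[y + 1] || ! url[y + 2]) break;` in Util_urlDecode closes the over-read (the old code indexed the already-compacted `url[x + 1]`/`url[x + 2]` instead of the read position), but it still accepts any two non-NUL bytes after `%`: `_x2c` does no hex validation, only the `& 0xdf` mask and subtraction visible in the first inner hunk, so `%zz` is silently decoded into an arbitrary byte rather than rejected. A defensive tightening that keeps the existing truncate-on-malformed behaviour is `if (! isxdigit((unsigned char) url[y + 1]) || ! isxdigit((unsigned char) url[y + 2])) break;` (requires `<ctype.h>`; whether util.c already includes it is not visible here), and whether callers would prefer the literal `%` preserved instead is a question for the call sites, which are outside the hunk. Separately, the rename to `_x2c` introduces a file-scope identifier starting with an underscore, which C reserves for the implementation (C11 7.1.3); a name such as `hex2char` would avoid that without changing behaviour. The first three inner hunks only rename the call sites, and every function they touch starts and ends outside the hunk.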