Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Dear Release Team,

I would like to update sleuthkit in buster to prevent a stack buffer overflow in yaffsfs_istat, because during a review of the Debian Security Tracker I found CVE-2020-10232. There is no DSA assigned to the bug and it was marked "no-dsa", so I'm doing a normal upload.

"This is potentially exploitable by an attacker creating a file in a yaffs image with abnormally large time values", as reported in: https://github.com/sleuthkit/sleuthkit/pull/1836

Vulnerable code follows:

tsk/fs/yaffs.cpp line 2442:
char timeBuf[32];

This vulnerability has been assigned the CVE id CVE-2020-10232.

Upstream fixed the bug at: https://github.com/sleuthkit/sleuthkit/pull/1836/commits/459ae818fc8dae717549810150de4d191ce158f1

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10232
[1] https://security-tracker.debian.org/tracker/CVE-2020-10232
[2] https://bugs.debian.org/953976

Sincerely,
Francisco

diff -Nru sleuthkit-4.6.5/debian/changelog sleuthkit-4.6.5/debian/changelog --- sleuthkit-4.6.5/debian/changelog 2019-01-22 11:53:42.000000000 +0000 +++ sleuthkit-4.6.5/debian/changelog 2020-09-16 23:47:07.000000000 +0000 @@ -1,3 +1,11 @@ +sleuthkit (4.6.5-1+deb10u1) buster; urgency=high + + * Team upload. + * Add patch to fix stack buffer overflow in yaffsfs_istat. + (Closes: #953976, CVE-2020-10232) + + -- Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net> Wed, 16 Sep 2020 23:47:07 +0000 + sleuthkit (4.6.5-1) unstable; urgency=medium * Team upload diff -Nru sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch --- sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch 1970-01-01 00:00:00.000000000 +0000 +++ sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch 2020-09-16 23:47:07.000000000 +0000
@@ -0,0 +1,21 @@ +Description: Fix stack buffer overflow in yaffsfs_istat. + Prevent a stack buffer overflow in yaffsfs_istat by increasing + the buffer size to the size required by tsk_fs_time_to_str. +Author: micrictor <mic.ric....@gmail.com> +Origin: https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1 +Bug: https://github.com/sleuthkit/sleuthkit/pull/1836 +Forwarded: not-needed +Reviewed-By: Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net> +Last-Update: 2020-08-28 + +--- sleuthkit-4.6.5.orig/tsk/fs/yaffs.cpp ++++ sleuthkit-4.6.5/tsk/fs/yaffs.cpp +@@ -2439,7 +2439,7 @@ static uint8_t + YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs; + char ls[12]; + YAFFSFS_PRINT_ADDR print; +- char timeBuf[32]; ++ char timeBuf[128]; + YaffsCacheObject * obj = NULL; + YaffsCacheVersion * version = NULL; + YaffsHeader * header = NULL; diff -Nru sleuthkit-4.6.5/debian/patches/series sleuthkit-4.6.5/debian/patches/series --- sleuthkit-4.6.5/debian/patches/series 2019-01-22 11:52:14.000000000 +0000 +++ sleuthkit-4.6.5/debian/patches/series 2020-09-16 23:47:07.000000000 +0000 @@ -3,4 +3,4 @@ 50_disable-ant-clean.patch 60_fix-FTBFS-HURD.patch 0005-Disable-test_libraries.sh.patch - +CVE-2020-10232.patch -- Francisco Vilmar Cardoso Ruviaro <francisco.ruvi...@riseup.net> 4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00
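Review bot: nothing in the yaffs.cpp hunk of debian/patches/CVE-2020-10232.patch records why 128 is the right size; the DEP-3 description says it is the size tsk_fs_time_to_str requires, so a one-line comment on the declaration, e.g. `char timeBuf[128]; /* tsk_fs_time_to_str() needs 128 bytes */`, would keep that contract visible to the next editor, and any other fixed local buffer handed to tsk_fs_time_to_str is worth checking against the same size. The DEP-3 header could also carry `Bug-Debian: https://bugs.debian.org/953976` next to the upstream `Bug:` URL so the Debian bug is reachable from the patch file itself.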
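Review bot: in the debian/patches/series hunk the `-` line with empty content drops a trailing blank line and `+CVE-2020-10232.patch` takes its place at the end of the file, so the new patch applies after 0005-Disable-test_libraries.sh.patch, as intended; no change needed.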
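As an added example (not sleuthkit code and not part of this bug report), here is the size-aware shape of the kind of fixed-format time formatter involved in the bug above: the caller states its real buffer size, so an undersized stack buffer becomes a detectable truncation instead of an overflow. The function names, the exact output format and the sample time values are assumptions; 1600300027 is the changelog's own timestamp (2020-09-16 23:47:07 UTC).

```c
#define _POSIX_C_SOURCE 200809L   /* for gmtime_r() */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Size-aware "time_t -> YYYY-MM-DD HH:MM:SS (UTC)" formatter. Assumed name
 * and format, not the sleuthkit API: snprintf() bounds every write to the
 * bufsz the caller states, and the return value is the length the complete
 * string needs (without the NUL), so an undersized caller buffer becomes a
 * detectable truncation instead of an out-of-bounds stack write. */
size_t fs_time_to_str_n(time_t t, char *buf, size_t bufsz)
{
    struct tm tm;
    int n;
    if (buf == NULL || bufsz == 0)
        return 0;
    /* Non-positive or unrepresentable times get a fixed placeholder. */
    if (t <= 0 || gmtime_r(&t, &tm) == NULL)
        n = snprintf(buf, bufsz, "0000-00-00 00:00:00 (UTC)");
    else
        n = snprintf(buf, bufsz, "%d-%02d-%02d %02d:%02d:%02d (UTC)",
                     tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
                     tm.tm_hour, tm.tm_min, tm.tm_sec);
    return n < 0 ? 0 : (size_t)n;
}

/* True when a caller buffer of bufsz bytes holds the whole string for t,
 * i.e. the check a caller with a fixed local buffer should make. */
bool fs_time_fits(time_t t, size_t bufsz)
{
    char tmp[128];                 /* scratch; larger than any bufsz checked */
    if (bufsz > sizeof tmp)
        bufsz = sizeof tmp;
    return fs_time_to_str_n(t, tmp, bufsz) < bufsz;   /* '<' leaves room for NUL */
}

/* Formats t into a bufsz-byte buffer and compares the (possibly truncated,
 * always NUL-terminated) result with expect. */
bool fs_time_formats_as(time_t t, size_t bufsz, const char *expect)
{
    char buf[128];
    if (bufsz > sizeof buf)
        return false;
    fs_time_to_str_n(t, buf, bufsz);
    return strcmp(buf, expect) == 0;
}
```

With this format a ten-digit year needs exactly 32 bytes including the NUL, so the buffer a caller must size for is whatever the callee's contract says rather than the longest output one happens to test, which for tsk_fs_time_to_str is 128 bytes per the patch description.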