Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org
[ Reason ]
A heap-based buffer over-read has been found in libconfuse, labeled as
CVE-2022-40320, and reported as bug #1019596. The security team considers
this vulnerability low severity, which does not warrant a DSA.

[ Impact ]
In case the update isn't approved, the vulnerability will still be
present on users' systems.

[ Tests ]
The changed code is tested by the testsuite, but there is no specific
test to check that the vulnerability is fixed.

[ Risks ]
The fix is very simple and comes from upstream. It has been in
testing/sid for 2 weeks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
There is a single change in this version:

  * Add debian/patches/CVE-2022-40320.patch from upstream to fix a
    heap-based buffer over-read in cfg_tilde_expand (CVE-2022-40320).
    Closes: #1019596.

The change is to ensure the string copied with strncpy is always zero
terminated.

[ Other info ]
Given the changes are minimal, I have already uploaded the package to
the archive.

Thanks for considering.
diff -Nru libconfuse-3.3/debian/changelog libconfuse-3.3/debian/changelog --- libconfuse-3.3/debian/changelog 2021-01-10 15:30:20.000000000 +0100 +++ libconfuse-3.3/debian/changelog 2022-10-04 00:14:59.000000000 +0200 @@ -1,3 +1,10 @@ +libconfuse (3.3-2+deb11u1) bullseye; urgency=medium + + * Add debian/patches/CVE-2022-40320.patch from upstream to fix a heap-based + buffer over-read in cfg_tilde_expand (CVE-2022-40320). Closes: #1019596. + + -- Aurelien Jarno <aure...@debian.org> Tue, 04 Oct 2022 00:14:59 +0200 + libconfuse (3.3-2) unstable; urgency=medium * German translation update, by Fabian Baumanis. Closes: #978117. diff -Nru libconfuse-3.3/debian/patches/CVE-2022-40320.patch libconfuse-3.3/debian/patches/CVE-2022-40320.patch --- libconfuse-3.3/debian/patches/CVE-2022-40320.patch 1970-01-01 01:00:00.000000000 +0100 +++ libconfuse-3.3/debian/patches/CVE-2022-40320.patch 2022-09-14 22:39:16.000000000 +0200 @@ -0,0 +1,37 @@ +commit d73777c2c3566fb2647727bb56d9a2295b81669b +Author: Joachim Wiberg <troglo...@gmail.com> +Date: Fri Sep 2 16:12:46 2022 +0200 + + Fix #163: unterminated username used with getpwnam() + + 
Signed-off-by: Joachim Wiberg <troglo...@gmail.com> + +diff --git a/src/confuse.c b/src/confuse.c +index 6d1fdbd..05566b5 100644 +--- a/src/confuse.c ++++ b/src/confuse.c +@@ -1894,18 +1894,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename) + passwd = getpwuid(geteuid()); + file = filename + 1; + } else { +- /* ~user or ~user/path */ +- char *user; ++ char *user; /* ~user or ~user/path */ ++ size_t len; + + file = strchr(filename, '/'); + if (file == 0) + file = filename + strlen(filename); + +- user = malloc(file - filename); ++ len = file - filename - 1; ++ user = malloc(len + 1); + if (!user) + return NULL; + +- strncpy(user, filename + 1, file - filename - 1); ++ strncpy(user, &filename[1], len); ++ user[len] = 0; + passwd = getpwnam(user); + free(user); + } diff -Nru libconfuse-3.3/debian/patches/series libconfuse-3.3/debian/patches/series --- libconfuse-3.3/debian/patches/series 2021-01-10 15:12:53.000000000 +0100 +++ libconfuse-3.3/debian/patches/series 2022-09-14 22:39:16.000000000 +0200 @@ -1 +1,2 @@ de.po.patch +CVE-2022-40320.patch
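Review bot: in the src/confuse.c hunk the fix itself is sound (`len + 1` bytes are allocated and `user[len] = 0` is written explicitly, where the removed code allocated the same `file - filename` bytes but never wrote the last one), but `strncpy(user, &filename[1], len)` is now a bounded copy of exactly `len` bytes whose NUL-padding behaviour is never exercised, so `memcpy(user, &filename[1], len)` would state the intent more directly and leave no reader wondering whether the terminator is handled. The request also notes that no test exercises this path; a call to cfg_tilde_expand() with a `~user/path` argument under ASan or valgrind would catch a reintroduction of the unterminated copy.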
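Review bot: the debian/patches/CVE-2022-40320.patch header keeps the upstream commit id, author and date but carries no DEP-3 fields; adding `Origin: upstream` with the upstream commit reference and `Bug-Debian: https://bugs.debian.org/1019596` (the bug number cited in the changelog hunk) would let tracking tools and future maintainers link the patch to its source without reading the debdiff.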
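The unterminated-strncpy pattern that the patch fixes, as an added C example that is not part of libconfuse or of the debdiff above: a stand-alone reconstruction of the `~user` / `~user/path` extraction in both its pre-fix and post-fix form. `dirty_malloc` (an assumption, not a libconfuse function) fills every allocation with 0xAA so that the missing terminator is observable deterministically instead of depending on leftover heap contents, and `tilde_user_len` is a hypothetical helper for the length computation; the `getpwnam()` call is left out, since the point is the buffer handed to it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for malloc() that fills the block with 0xAA (assumption, not
 * libconfuse code). Real malloc returns whatever was last in that heap
 * chunk, which is why the unterminated copy let getpwnam() read past the
 * user name; the fill only makes the missing terminator deterministic. */
static void *dirty_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xAA, n);
    return p;
}

/* Hypothetical helper: length of "user" in "~user" or "~user/path", with
 * *file_out pointing at the '/' (or the trailing NUL). Returns 0 for any
 * other shape; cfg_tilde_expand() handles "~" and "~/..." in a separate branch. */
static size_t tilde_user_len(const char *filename, const char **file_out)
{
    const char *file;

    if (!filename || filename[0] != '~' || filename[1] == 0 || filename[1] == '/')
        return 0;
    file = strchr(filename, '/');
    if (file == 0)
        file = filename + strlen(filename);
    *file_out = file;
    return (size_t)(file - filename - 1);
}

/* Pre-fix copy, mirroring the removed hunk lines: the allocation is large
 * enough (file - filename == len + 1 bytes), but strncpy() copies exactly
 * len bytes because the source has no NUL there, so byte len is never set. */
static char *copy_user_before(const char *filename, size_t *len_out)
{
    const char *file;
    size_t len = tilde_user_len(filename, &file);
    char *user;

    if (!len)
        return NULL;
    user = dirty_malloc(file - filename);
    if (!user)
        return NULL;
    strncpy(user, filename + 1, file - filename - 1);
    *len_out = len;
    return user;
}

/* Post-fix copy, mirroring the added hunk lines: same size, explicit terminator. */
static char *copy_user_after(const char *filename, size_t *len_out)
{
    const char *file;
    size_t len = tilde_user_len(filename, &file);
    char *user;

    if (!len)
        return NULL;
    user = dirty_malloc(len + 1);
    if (!user)
        return NULL;
    strncpy(user, &filename[1], len);
    user[len] = 0;
    *len_out = len;
    return user;
}

/* Looks for a NUL only inside the len + 1 bytes that were allocated, so the
 * check itself never reads out of bounds. Returns 1 if terminated, 0 if not,
 * -1 if the input is not a "~user" form. fixed selects the post-fix copy. */
static int copy_is_terminated(const char *filename, int fixed)
{
    size_t len = 0;
    char *user = fixed ? copy_user_after(filename, &len)
                       : copy_user_before(filename, &len);
    int ok;

    if (!user)
        return -1;
    ok = memchr(user, 0, len + 1) != NULL;
    free(user);
    return ok;
}

/* 1 if the post-fix copy of filename's user part equals expected as a C string. */
static int after_user_equals(const char *filename, const char *expected)
{
    size_t len = 0;
    char *user = copy_user_after(filename, &len);
    int eq;

    if (!user)
        return 0;
    eq = strcmp(user, expected) == 0;
    free(user);
    return eq;
}

int main(void)
{
    const char *inputs[] = { "~alice/.config/app.conf", "~bob" }; /* constructed */
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-26s pre-fix terminated=%d  post-fix terminated=%d\n", inputs[i],
               copy_is_terminated(inputs[i], 0), copy_is_terminated(inputs[i], 1));
    return 0;
}
```

Both inputs show the same thing: the pre-fix buffer has no NUL anywhere in its `len + 1` bytes, so anything that treats it as a C string (here `getpwnam()`) reads on into whatever follows on the heap, while the post-fix buffer is terminated at exactly `user[len]`. Running the pre-fix path under ASan with a real `getpwnam()` call is the quickest way to reproduce the over-read the CVE describes.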