Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org

[ Reason ]
A heap-based buffer over-read has been found in libconfuse, labeled as
CVE-2022-40320, and reported as bug #1019596. The security team
considers this vulnerability as low severity which does not warrant a
DSA.

[ Impact ]
In case the update isn't approved, the vulnerability will still be
present on users' systems.

[ Tests ]
The changed code is tested by the testsuite, but there is no specific
test to check the vulnerability is fixed.

[ Risks ]
The fix is very simple and comes from upstream. It has been in
testing/sid for 2 weeks.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
There is a single change in this version:
  * Add debian/patches/CVE-2022-40320.patch from upstream to fix a heap-based
    buffer over-read in cfg_tilde_expand (CVE-2022-40320).  Closes: #1019596.

The change is to ensure the string copied with strncpy is always
zero-terminated.
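As an added illustration of the pattern this fix addresses (example code written for this page, not code from libconfuse or the Debian package): `tilde_user()` is a hypothetical stand-alone version of the `~user` extraction that always writes the terminator, and `strncpy_terminated()` shows why the original `strncpy` call left the last byte unset whenever the source was at least `n` bytes long. Input strings in `main` are constructed samples.

```c
/* Added example, not libconfuse's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'ed, NUL-terminated copy of the user name in "~user" or
 * "~user/path", or NULL on bad input or allocation failure. Hypothetical
 * helper modelled on the fixed branch of cfg_tilde_expand(). */
char *tilde_user(const char *filename)
{
    const char *end;
    size_t len;
    char *user;

    if (!filename || filename[0] != '~')
        return NULL;

    end = strchr(filename, '/');
    if (!end)
        end = filename + strlen(filename);

    len = (size_t)(end - filename) - 1;   /* bytes between '~' and '/' (or end) */
    user = malloc(len + 1);               /* +1 for the terminator */
    if (!user)
        return NULL;

    memcpy(user, filename + 1, len);      /* exact byte count, no padding semantics */
    user[len] = '\0';                     /* the byte the unfixed code never wrote */
    return user;
}

/* Fill a buffer with a sentinel, strncpy exactly n bytes of src into it, and
 * report whether any NUL ended up in the buffer. strncpy only pads with NULs
 * when strlen(src) < n, so a source of n or more bytes leaves the sentinel
 * (standing in for stale heap bytes) untouched. Returns 1 if a terminator
 * is present, 0 if not, -1 on allocation failure. */
int strncpy_terminated(const char *src, size_t n)
{
    char *buf = malloc(n + 1);
    int terminated = 0;
    size_t i;

    if (!buf)
        return -1;
    memset(buf, 'X', n + 1);
    strncpy(buf, src, n);
    for (i = 0; i <= n; i++) {
        if (buf[i] == '\0') {
            terminated = 1;
            break;
        }
    }
    free(buf);
    return terminated;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *inputs[] = { "~alice/.config", "~bob", "~/" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        char *u = tilde_user(inputs[i]);
        printf("%-16s -> user \"%s\"\n", inputs[i], u ? u : "(null)");
        free(u);
    }
    printf("strncpy(\"alice\", 5) terminated: %d\n", strncpy_terminated("alice", 5));
    printf("strncpy(\"al\", 5) terminated:    %d\n", strncpy_terminated("al", 5));
    return 0;
}
```

The second helper is the whole story of the bug: with `n` equal to the user name length, `strncpy` copies every byte and writes no NUL, so whatever followed in the heap became part of the name passed to `getpwnam()`. Writing `user[len] = '\0'` explicitly (or using `memcpy` plus the terminator, as above) removes the dependence on `strncpy`'s padding behaviour.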

[ Other info ]
Given the changes are minimal, I have already uploaded the package to
the archive. Thanks for considering.
diff -Nru libconfuse-3.3/debian/changelog libconfuse-3.3/debian/changelog
--- libconfuse-3.3/debian/changelog     2021-01-10 15:30:20.000000000 +0100
+++ libconfuse-3.3/debian/changelog     2022-10-04 00:14:59.000000000 +0200
@@ -1,3 +1,10 @@
+libconfuse (3.3-2+deb11u1) bullseye; urgency=medium
+
+  * Add debian/patches/CVE-2022-40320.patch from upstream to fix a heap-based
+    buffer over-read in cfg_tilde_expand (CVE-2022-40320).  Closes: #1019596.
+
+ -- Aurelien Jarno <aure...@debian.org>  Tue, 04 Oct 2022 00:14:59 +0200
+
 libconfuse (3.3-2) unstable; urgency=medium
 
   * German translation update, by Fabian Baumanis.  Closes: #978117.
diff -Nru libconfuse-3.3/debian/patches/CVE-2022-40320.patch 
libconfuse-3.3/debian/patches/CVE-2022-40320.patch
--- libconfuse-3.3/debian/patches/CVE-2022-40320.patch  1970-01-01 
01:00:00.000000000 +0100
+++ libconfuse-3.3/debian/patches/CVE-2022-40320.patch  2022-09-14 
22:39:16.000000000 +0200
@@ -0,0 +1,37 @@
+commit d73777c2c3566fb2647727bb56d9a2295b81669b
+Author: Joachim Wiberg <troglo...@gmail.com>
+Date:   Fri Sep 2 16:12:46 2022 +0200
+
+    Fix #163: unterminated username used with getpwnam()
+    
+    Signed-off-by: Joachim Wiberg <troglo...@gmail.com>
+
+diff --git a/src/confuse.c b/src/confuse.c
+index 6d1fdbd..05566b5 100644
+--- a/src/confuse.c
++++ b/src/confuse.c
+@@ -1894,18 +1894,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+                       passwd = getpwuid(geteuid());
+                       file = filename + 1;
+               } else {
+-                      /* ~user or ~user/path */
+-                      char *user;
++                      char *user; /* ~user or ~user/path */
++                      size_t len;
+ 
+                       file = strchr(filename, '/');
+                       if (file == 0)
+                               file = filename + strlen(filename);
+ 
+-                      user = malloc(file - filename);
++                      len = file - filename - 1;
++                      user = malloc(len + 1);
+                       if (!user)
+                               return NULL;
+ 
+-                      strncpy(user, filename + 1, file - filename - 1);
++                      strncpy(user, &filename[1], len);
++                      user[len] = 0;
+                       passwd = getpwnam(user);
+                       free(user);
+               }
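Review bot: The new `user[len] = 0;` is the line that closes the over-read, and the arithmetic around it checks out: the old code allocated `file - filename` bytes and copied `file - filename - 1`, and because the source is never shorter than that count, `strncpy` wrote no terminator, so the final byte stayed uninitialised and `getpwnam()` read on past it. Two small points for the patch as shipped in `debian/patches`: since `len` is now the exact number of bytes to copy, `memcpy(user, &filename[1], len);` would state the intent more plainly than `strncpy`, whose only extra behaviour here (NUL padding) never triggers; and the patch header carries just the upstream commit line, so adding DEP-3 `Origin:` and `Bug-Debian: https://bugs.debian.org/1019596` lines would let the Debian tooling and future readers trace it without opening the changelog.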
diff -Nru libconfuse-3.3/debian/patches/series 
libconfuse-3.3/debian/patches/series
--- libconfuse-3.3/debian/patches/series        2021-01-10 15:12:53.000000000 
+0100
+++ libconfuse-3.3/debian/patches/series        2022-09-14 22:39:16.000000000 
+0200
@@ -1 +1,2 @@
 de.po.patch
+CVE-2022-40320.patch
