Package: release.debian.org
The <URL: https://tracker.debian.org/pkg/newlib > package got an open security problem with malloc and friends in stable and oldstable, see <URL: https://bugs.debian.org/984446 > for the CVE issue. The package is orphaned. I would like to fix the bug at least in stable, and propose the following upload. The change is already in the git repo on salsa in the debian/bookworm branch. The problem is already fixed in unstable and testing with a new version of the upstream code. The fix to stable is only the minimal patch to solve the issue. I propose to use the version number 3.3.0-2, but am open to better proposals. The version in testing is 4.4.0.20231231-2. Complete proposed patch is below: diff --git a/debian/changelog b/debian/changelog index b3e3ef851..1c8ddc5cb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +newlib (3.3.0-2) bookworm; urgency=medium + + * QA upload. + * Orphan package to reflect status in Unstable. + * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow + check in malloc and friends. + + -- Petter Reinholdtsen <p...@debian.org> Sat, 16 Mar 2024 08:53:41 +0100 + newlib (3.3.0-1.3) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/control b/debian/control index ff12d0bc5..4daa4e559 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,7 @@ Source: newlib Section: devel Priority: optional -Maintainer: Agustin Henze <t...@debian.org> +Maintainer: Debian QA Group <packa...@qa.debian.org> Build-Depends: debhelper (>= 9), texinfo, diff --git a/debian/gbp.conf b/debian/gbp.conf index f4a0824a9..04f21b160 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,6 +1,7 @@ [DEFAULT] pristine-tar = True merge = True +debian-branch = debian/bookworm [import-orig] postimport = gbp dch --debian-branch=$GBP_BRANCH --new-version=$GBP_DEBIAN_VERSION diff --git a/debian/patches/mallocr-CVE-2021-3420.patch b/debian/patches/mallocr-CVE-2021-3420.patch new file mode 100644 index 000000000..cd93fa41e --- /dev/null +++ b/debian/patches/mallocr-CVE-2021-3420.patch @@ -0,0 +1,50 @@ +From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001 +From: Corinna Vinschen <vinsc...@redhat.com> +Date: Tue, 17 Nov 2020 10:50:57 +0100 +Subject: malloc/nano-malloc: correctly check for out-of-bounds allocation reqs +Origin: https://keithp.com/cgit/picolibc.git/patch/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e +Forwarded: not-needed + +The overflow check in mEMALIGn erroneously checks for INT_MAX, +albeit the input parameter is size_t. Fix this to check for +__SIZE_MAX__ instead. Also, it misses to check the req against +adding the alignment before calling mALLOc. + +While at it, add out-of-bounds checks to pvALLOc, nano_memalign, +nano_valloc, and Cygwin's (unused) dlpvalloc. + +Signed-off-by: Corinna Vinschen <cori...@vinschen.de> +--- + newlib/libc/stdlib/mallocr.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +(limited to 'newlib/libc/stdlib/mallocr.c') + +diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c +index 9ad720ada..13d014cc8 100644 +--- a/newlib/libc/stdlib/mallocr.c ++++ b/newlib/libc/stdlib/mallocr.c +@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes; + nb = request2size(bytes); + + /* Check for overflow. */ +- if (nb > INT_MAX || nb < bytes) ++ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes) + { + RERRNO = ENOMEM; + return 0; +@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes; + #endif + { + size_t pagesize = malloc_getpagesize; ++ if (bytes > __SIZE_MAX__ - pagesize) ++ { ++ RERRNO = ENOMEM; ++ return 0; ++ } + return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1)); + } + +-- +cgit v1.2.3 + diff --git a/debian/patches/series b/debian/patches/series index 3de9ae1fa..4b7d26190 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ reproducible-builds-locale.patch fix-include-paths-nano-specs.patch +mallocr-CVE-2021-3420.patch