I finally was able to make room for a newlib build, and uploaded the fix a few minutes ago. Included is the final diff. I dropped the switch to the QA team, as this package is not maintained by the gcc group in unstable, and went with the more traditional version number scheme.
diff --git a/debian/changelog b/debian/changelog index b3e3ef851..0b92b542b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +newlib (3.3.0-1.3+deb12u1) bookworm; urgency=medium + + * Team approved upload. + * Changed maintainer to reflect the ones listed in unstable. + * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow + check in malloc and friends (Closes: #984446). + + -- Petter Reinholdtsen <p...@debian.org> Mon, 22 Jul 2024 09:42:18 +0200 + newlib (3.3.0-1.3) unstable; urgency=medium * Non-maintainer upload. diff --git a/debian/control b/debian/control index ff12d0bc5..a4b7bc142 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,8 @@ Source: newlib Section: devel Priority: optional -Maintainer: Agustin Henze <t...@debian.org> +Maintainer: Debian GCC Maintainers <debian-...@lists.debian.org> +Uploaders: Matthias Klose <d...@debian.org> Build-Depends: debhelper (>= 9), texinfo, diff --git a/debian/gbp.conf b/debian/gbp.conf index f4a0824a9..04f21b160 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,6 +1,7 @@ [DEFAULT] pristine-tar = True merge = True +debian-branch = debian/bookworm [import-orig] postimport = gbp dch --debian-branch=$GBP_BRANCH --new-version=$GBP_DEBIAN_VERSION diff --git a/debian/patches/mallocr-CVE-2021-3420.patch b/debian/patches/mallocr-CVE-2021-3420.patch new file mode 100644 index 000000000..cd93fa41e --- /dev/null +++ b/debian/patches/mallocr-CVE-2021-3420.patch 
@@ -0,0 +1,50 @@ +From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001 +From: Corinna Vinschen <vinsc...@redhat.com> +Date: Tue, 17 Nov 2020 10:50:57 +0100 +Subject: malloc/nano-malloc: correctly check for out-of-bounds allocation reqs +Origin: https://keithp.com/cgit/picolibc.git/patch/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e +Forwarded: not-needed + +The overflow check in mEMALIGn erroneously checks for INT_MAX, +albeit the input parameter is size_t. Fix this to check for +__SIZE_MAX__ instead. Also, it misses to check the req against +adding the alignment before calling mALLOc. + +While at it, add out-of-bounds checks to pvALLOc, nano_memalign, +nano_valloc, and Cygwin's (unused) dlpvalloc. + +Signed-off-by: Corinna Vinschen <cori...@vinschen.de> +--- + newlib/libc/stdlib/mallocr.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +(limited to 'newlib/libc/stdlib/mallocr.c') + +diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c +index 9ad720ada..13d014cc8 100644 +--- a/newlib/libc/stdlib/mallocr.c ++++ b/newlib/libc/stdlib/mallocr.c +@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes; + nb = request2size(bytes); + + /* Check for overflow. */ +- if (nb > INT_MAX || nb < bytes) ++ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes) + { + RERRNO = ENOMEM; + return 0; +@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes; + #endif + { + size_t pagesize = malloc_getpagesize; ++ if (bytes > __SIZE_MAX__ - pagesize) ++ { ++ RERRNO = ENOMEM; ++ return 0; ++ } + return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1)); + } + +-- +cgit v1.2.3 + diff --git a/debian/patches/series b/debian/patches/series index 3de9ae1fa..4b7d26190 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,2 +1,3 @@ reproducible-builds-locale.patch fix-include-paths-nano-specs.patch +mallocr-CVE-2021-3420.patch -- Kind regards Petter Reinholdtsen
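Review bot: The header of debian/patches/mallocr-CVE-2021-3420.patch carries the full upstream commit message, which also lists out-of-bounds checks for nano_memalign, nano_valloc and dlpvalloc, but the diffstat and the "(limited to 'newlib/libc/stdlib/mallocr.c')" line show that only mallocr.c is changed here (6 insertions, 1 deletion). If the nano-malloc part of the commit is left out on purpose, say so in the patch header and in the changelog entry; otherwise import the unrestricted commit so the nano allocator gets the same checks.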
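Review bot: In the mEMALIGn hunk of the embedded patch, the new bound __SIZE_MAX__ - (alignment + MINSIZE) is computed from the caller-supplied alignment, and the sum alignment + MINSIZE is itself unsigned arithmetic that can wrap for a very large alignment, which would leave the bound close to __SIZE_MAX__ and let the check pass. Nothing in the visible context caps alignment before this line, so please confirm that an earlier check exists, or add a guard such as "alignment > __SIZE_MAX__ - MINSIZE" to the same condition.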