Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi

The attached debdiff addresses CVE-2018-6758 / 889753 for uwsgi in jessie. Cf. http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The issue does not warrant a DSA.

+uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+ (Closes: #889753)

Can it be considered for the upcoming jessie point release?

Regards,
Salvatore
diff -Nru uwsgi-2.0.7/debian/changelog uwsgi-2.0.7/debian/changelog --- uwsgi-2.0.7/debian/changelog 2017-02-19 22:17:18.000000000 +0100 +++ uwsgi-2.0.7/debian/changelog 2018-02-06 21:39:42.000000000 +0100 @@ -1,3 +1,11 @@ +uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium + + * Non-maintainer upload. + * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758) + (Closes: #889753) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 06 Feb 2018 21:39:42 +0100 + uwsgi (2.0.7-1+deb8u1) jessie; urgency=medium * Add patch cherry-picked upstream to fix compilation with recent diff -Nru uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch --- uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 1970-01-01 01:00:00.000000000 +0100 +++ uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 2018-02-06 21:39:42.000000000 +0100 
@@ -0,0 +1,46 @@ +From: Unbit <i...@unbit.it> +Date: Tue, 6 Feb 2018 16:01:47 +0100 +Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack + corruption and potential security issue +Origin: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe +Bug-Debian: https://bugs.debian.org/889753 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758 + +--- + core/utils.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/core/utils.c b/core/utils.c +index b4c98dfd..fd886932 100644 +--- a/core/utils.c ++++ b/core/utils.c +@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, pid_t pid) { + } + + char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) { +- char src[PATH_MAX + 1]; +- memcpy(src, dir, dir_len); +- src[dir_len] = 0; ++ if (dir_len > PATH_MAX) ++ { ++ uwsgi_log("invalid path size: %d (max %d)\n", dir_len, PATH_MAX); ++ return NULL; ++ } ++ char *src = uwsgi_concat2n(dir, dir_len, "", 0); + char *dst = ptr; + if (!dst) + dst = uwsgi_malloc(PATH_MAX + 1); +@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) { + uwsgi_error_realpath(src); + if (!ptr) + free(dst); ++ free(src); + return NULL; + } ++ free(src); + return dst; + } + +-- +2.11.0 + diff -Nru uwsgi-2.0.7/debian/patches/series uwsgi-2.0.7/debian/patches/series --- uwsgi-2.0.7/debian/patches/series 2017-02-08 20:11:59.000000000 +0100 +++ uwsgi-2.0.7/debian/patches/series 2018-02-06 21:39:42.000000000 +0100 @@ -1,4 +1,5 @@ 020150415~f6e5db9.patch +0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 1001_avoid_setting_RPATH.patch 1002_fix-reload-process-name.patch 1003_remove-php-libs.patch
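Review bot: In the debian/changelog hunk, the entry line "Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)" names the defect but not the change made. Suggest wording it as a fix and naming the patch file that the debian/patches/series hunk adds, so the entry can be matched to the patch without reading the diff.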
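Review bot: In the first core/utils.c hunk (@@ -3674,9 +3674,12 @@), the new guard `if (dir_len > PATH_MAX)` checks only the upper bound, while dir_len is a signed int, so a negative value passes the check and is handed to `uwsgi_concat2n(dir, dir_len, "", 0)`. Suggest rejecting it in the same test, for example `if (dir_len < 0 || dir_len > PATH_MAX)`, so that the function's own validation does not depend on how the helper treats a negative length. The early `return NULL` sits before src is allocated, so it leaks nothing. A smaller style point: the opening brace on its own line differs from the same-line brace style of the context lines around it.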
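Review bot: In the debian/patches/series hunk, the added entry 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch keeps a git format-patch style file name, while the entries that follow it use a numbered scheme (1001_avoid_setting_RPATH.patch, 1002_fix-reload-process-name.patch, 1003_remove-php-libs.patch). Consider renaming the file to fit that scheme, or including the CVE id in the name, so the series file stays easy to scan. If the name is kept to minimise the delta for a point release, a short remark in the changelog entry would make that choice clear.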