Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi release team,

The ros-ros-comm version in stretch is affected by two new CVEs: CVE-2019-13465 and CVE-2019-13445. The first one was already fixed by 1.12.6-2+deb9u1, cf. #945944, but the second one is new. The attached patch is against 1.12.6-2+deb9u1 and also adapts the changelog to mention the second CVE.

Cheers,
Jochen

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index b4bfdc6..7630a9a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,12 @@ +ros-ros-comm (1.12.6-2+deb9u2) stretch; urgency=medium + + * Add https://github.com/ros/ros_comm/pull/1741 (Fix CVE-2019-13445) + + -- Jochen Sprickerhof <jspri...@debian.org> Sun, 05 Jan 2020 15:45:11 +0100 + ros-ros-comm (1.12.6-2+deb9u1) stretch; urgency=high - * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566) + * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566, CVE-2019-13465) -- Jochen Sprickerhof <jspri...@debian.org> Sun, 24 Nov 2019 17:03:50 +0100 diff --git a/debian/patches/1741.patch b/debian/patches/1741.patch new file mode 100644 index 0000000..86b4b35 --- /dev/null +++ b/debian/patches/1741.patch @@ -0,0 +1,21 @@ +From: Christopher Wecht <christopher.wechtstudent.kit.edu> +Date: Thu, 4 Jul 2019 21:19:14 +0200 +Subject: [PATCH] rosbag/record: fix signed int overflow + +--- + tools/rosbag/src/record.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/rosbag/src/record.cpp b/tools/rosbag/src/record.cpp +index dda378f..95e3413 100644 +--- a/tools/rosbag/src/record.cpp ++++ b/tools/rosbag/src/record.cpp +@@ -121,7 +121,7 @@ rosbag::RecorderOptions parseOptions(int argc, char** argv) { + ROS_WARN("Use of \"--split <MAX_SIZE>\" has been deprecated. Please use --split --size <MAX_SIZE> or --split --duration <MAX_DURATION>"); + if (S < 0) + throw ros::Exception("Split size must be 0 or positive"); +- opts.max_size = 1048576 * S; ++ opts.max_size = 1048576 * static_cast<uint64_t>(S); + } + } + if(vm.count("max-splits")) diff --git a/debian/patches/series b/debian/patches/series index 6695bde..bbadad6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ 0005-Add-defaults-to-roswtf.patch 0007-move-heaers-to-include-xmlrpcpp.patch 0007-fixing-string-check.patch +1741.patch
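Review bot: in the debian/changelog hunk, the already-uploaded 1.12.6-2+deb9u1 entry is edited in place ("Fix CVE-2019-13566" becomes "Fix CVE-2019-13566, CVE-2019-13465"); a released entry should stay as it was uploaded, so record the extra CVE in the new deb9u2 entry instead, e.g. "* The fix for CVE-2019-13566 in 1.12.6-2+deb9u1 also addresses CVE-2019-13465". The deb9u2 entry also names only the upstream pull request; adding the bug reference for CVE-2019-13445 (a "Closes:" line, as #945944 was used for the first CVE) would let the tracker pick the fix up automatically.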
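Review bot: the new debian/patches/1741.patch carries only the git From/Date/Subject header, and the From address as shown ("christopher.wechtstudent.kit.edu") is missing the "@" separator; please check the address and add DEP-3 style metadata so the patch is self-describing, e.g. an "Origin:" line pointing at https://github.com/ros/ros_comm/pull/1741 and a mention of CVE-2019-13445 in the description. The one-line code change itself is consistent with the subject: the signed multiplication "1048576 * S" is replaced by "1048576 * static_cast<uint64_t>(S)" after the existing "if (S < 0)" rejection, so negative split sizes are still refused before the cast and the product is computed in 64-bit unsigned arithmetic.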
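Review bot: in the debian/patches/series hunk, the added entry "1741.patch" breaks the naming convention of the surrounding patches (numbered prefix plus a description, e.g. "0007-fixing-string-check.patch"); a name such as "0008-rosbag-record-fix-signed-int-overflow.patch" would say what the patch does without opening it. The context lines also show two patches sharing the "0007-" prefix, which is pre-existing but worth tidying in the same upload if the series is being touched anyway.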