Your message dated Sun, 04 Apr 2021 18:09:48 +0000
with message-id <e1lt7c0-00087d...@respighi.debian.org>
and subject line unblock lib3mf
has caused the Debian Bug report #986328,
regarding unblock: lib3mf/1.8.1+ds-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986328: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986328
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package lib3mf

[ Reason ]

This is a targeted fix, a backport of upstream fix for CVE-2021-21772, which
is a use-after-free on user-controlled input:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985092
  https://github.com/3MFConsortium/lib3mf/issues/254

[ Impact ]

This is a published security bug in upstream lib3mf.

[ Tests ]

 - We obtained a (non-published) .3mf that triggers the bug. I verified
   (with Valgrind) that opening this 3MF file triggers a use-after-free in
   lib3mf_1.8.1+ds-3.1 and that it does not in lib3mf_1.8.1+ds-4.

 - Package `openscad', the main reverse dependency, has a comprehensive
   testsuite which passes with lib3mf_1.8.1+ds-4.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock lib3mf/1.8.1+ds-4

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-0.bpo.4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru lib3mf-1.8.1+ds/debian/changelog lib3mf-1.8.1+ds/debian/changelog
--- lib3mf-1.8.1+ds/debian/changelog    2020-12-06 02:27:21.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/changelog    2021-04-01 21:25:54.000000000 +0200
@@ -1,3 +1,10 @@
+lib3mf (1.8.1+ds-4) unstable; urgency=medium
+
+  * Fix use-after-free (CVE-2021-21772), backporting fix from v2.1.1
+    (Closes: #985092)
+
+ -- Kristian Nielsen <kniel...@knielsen-hq.org>  Thu, 01 Apr 2021 21:25:54 
+0200
+
 lib3mf (1.8.1+ds-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru lib3mf-1.8.1+ds/debian/control lib3mf-1.8.1+ds/debian/control
--- lib3mf-1.8.1+ds/debian/control      2019-01-20 18:32:34.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/control      2021-04-01 21:25:54.000000000 +0200
@@ -2,6 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Torsten Paul <torsten.p...@gmx.de>
+Uploaders: Kristian Nielsen <kniel...@knielsen-hq.org>
 Build-Depends: debhelper (>=12~), pkg-kde-tools, cmake, libzip-dev, 
zlib1g-dev, uuid-dev
 Standards-Version: 4.3.0
 Homepage: https://github.com/3MFConsortium/lib3mf
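Review bot: the Uploaders field added in this hunk is not recorded in the 1.8.1+ds-4 changelog entry, although the request's checklist states that all changes are documented in d/changelog. It is also unrelated to the CVE-2021-21772 fix the unblock is justified by; either add a changelog line for it or leave it out of the freeze upload so the debdiff stays strictly targeted.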
diff -Nru lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch 
lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch
--- lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch     1970-01-01 
01:00:00.000000000 +0100
+++ lib3mf-1.8.1+ds/debian/patches/fix_use_after_free.patch     2021-04-01 
21:25:54.000000000 +0200
@@ -0,0 +1,76 @@
+From: Kristian Nielsen <kniel...@knielsen-hq.org>
+Date: Thu, 1 Apr 2021 21:28:00 +0100
+Subject: Remove unnecessary zip_source_close
+
+This patch fixes CVE-2021-21772, a use-after-free bug. It is a
+backport of the upstream fix in v2.1.1.
+
+Forwarded: not-needed
+---
+ Include/Common/OPC/NMR_OpcPackageReader.h  |  1 -
+ Source/Common/OPC/NMR_OpcPackageReader.cpp | 16 ++++++----------
+ 2 files changed, 6 insertions(+), 11 deletions(-)
+
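Review bot: the DEP-3 header has no Origin: field naming the upstream v2.1.1 commit this backports, and no Bug: / Bug-Debian: line for https://github.com/3MFConsortium/lib3mf/issues/254 and #985092. Forwarded: not-needed is correct for a backport, but without Origin: a later maintainer cannot tell which upstream change was taken or diff against it. The Date: line also carries +0100 while the changelog trailer for the same evening uses +0200; harmless, but worth making consistent.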
+--- a/Include/Common/OPC/NMR_OpcPackageReader.h
++++ b/Include/Common/OPC/NMR_OpcPackageReader.h
+@@ -54,7 +54,6 @@ namespace NMR {
+               std::vector<nfByte> m_Buffer;
+               zip_error_t m_ZIPError;
+               zip_t * m_ZIParchive;
+-              zip_source_t * m_ZIPsource;
+               std::map <std::string, nfUint64> m_ZIPEntries;
+               std::map <std::string, POpcPackagePart> m_Parts;
+ 
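Review bot: removing the m_ZIPsource data member in this header changes the object layout of the class it belongs to; that is only safe without a soname or shlibs change if NMR_OpcPackageReader.h is an internal header that is not shipped in a -dev package and the class is not part of the exported ABI. Please confirm that in the upload, or keep the member (left as nullptr and unused) if the header is public.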
+diff --git a/Source/Common/OPC/NMR_OpcPackageReader.cpp 
b/Source/Common/OPC/NMR_OpcPackageReader.cpp
+index 16dd2e8c..4f3a604d 100644
+--- a/Source/Common/OPC/NMR_OpcPackageReader.cpp
++++ b/Source/Common/OPC/NMR_OpcPackageReader.cpp
+@@ -111,7 +111,7 @@ namespace NMR {
+               m_ZIPError.sys_err = 0;
+               m_ZIPError.zip_err = 0;
+               m_ZIParchive = nullptr;
+-              m_ZIPsource = nullptr;
++              zip_source_t* pZIPsource = nullptr;
+ 
+               try {
+                       // determine stream size
+@@ -131,20 +131,20 @@ namespace NMR {
+ #endif
+                       if (bUseCallback) {
+                               // read ZIP from callback: faster and requires 
less memory
+-                              m_ZIPsource = 
zip_source_function_create(custom_zip_source_callback, pImportStream.get(), 
&m_ZIPError);
++                              pZIPsource = 
zip_source_function_create(custom_zip_source_callback, pImportStream.get(), 
&m_ZIPError);
+                       }
+                       else {
+                               // read ZIP into memory
+                               m_Buffer.resize((size_t)nStreamSize);
+                               pImportStream->readBuffer(&m_Buffer[0], 
nStreamSize, true);
+-                              m_ZIPsource = 
zip_source_buffer_create(&m_Buffer[0], (size_t)nStreamSize, 0, &m_ZIPError);
++                              pZIPsource = 
zip_source_buffer_create(&m_Buffer[0], (size_t)nStreamSize, 0, &m_ZIPError);
+                       }
+-                      if (m_ZIPsource == nullptr)
++                      if (pZIPsource == nullptr)
+                               throw 
CNMRException(NMR_ERROR_COULDNOTREADZIPFILE);
+ 
+-                      m_ZIParchive = zip_open_from_source(m_ZIPsource, 
ZIP_RDONLY | ZIP_CHECKCONS, &m_ZIPError);
++                      m_ZIParchive = zip_open_from_source(pZIPsource, 
ZIP_RDONLY | ZIP_CHECKCONS, &m_ZIPError);
+                       if (m_ZIParchive == nullptr) {
+-                              m_ZIParchive = 
zip_open_from_source(m_ZIPsource, ZIP_RDONLY, &m_ZIPError);
++                              m_ZIParchive = zip_open_from_source(pZIPsource, 
ZIP_RDONLY, &m_ZIPError);
+                               if (m_ZIParchive == nullptr)
+                                       throw 
CNMRException(NMR_ERROR_COULDNOTREADZIPFILE);
+                               else
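Review bot: pZIPsource is leaked on the error path. zip_open_from_source() takes ownership of the source only on success (which is exactly why the later zip_source_close() in releaseZIP became a use-after-free once zip_close() had freed it); when both zip_open_from_source() calls return nullptr the caller still owns the source, so a zip_source_free(pZIPsource) should precede `throw CNMRException(NMR_ERROR_COULDNOTREADZIPFILE);`. The pre-fix code leaked it too (zip_source_close() never freed it), so this is not a regression, but now that the pointer is a local nothing else can release it, so this is the only place to do so.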
+@@ -208,13 +208,9 @@ namespace NMR {
+               if (m_ZIParchive != nullptr)
+                       zip_close(m_ZIParchive);
+ 
+-              if (m_ZIPsource != nullptr)
+-                      zip_source_close(m_ZIPsource);
+-
+               zip_error_fini(&m_ZIPError);
+               m_Buffer.resize(0);
+ 
+-              m_ZIPsource = nullptr;
+               m_ZIParchive = nullptr;
+       }
+ 
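Review bot: a one-line comment above zip_close(m_ZIParchive) stating that the archive owns the source and zip_close() frees it, so no zip_source_close() or zip_source_free() may follow, would document why these lines were removed. The patch subject "Remove unnecessary zip_source_close" understates it: the call was not merely unnecessary but a use-after-free on a freed source, which is the reason a future cleanup must not reintroduce it.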
diff -Nru lib3mf-1.8.1+ds/debian/patches/series 
lib3mf-1.8.1+ds/debian/patches/series
--- lib3mf-1.8.1+ds/debian/patches/series       2020-12-06 02:26:45.000000000 
+0100
+++ lib3mf-1.8.1+ds/debian/patches/series       2021-04-01 21:07:16.000000000 
+0200
@@ -1 +1,2 @@
 link-z.patch
+fix_use_after_free.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---