Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Hi Release-Team,
[ Reason ]
I'm currently preparing a security update for clickhouse for LTS.
As the versions are quite similar, I've also prepared an update for bullseye,
even if the issues are marked "minor".
The CVEs are:
CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
(Details on them are in #1008216)
I've checked with the security team and they indicated that this
might be something for stable-proposed-updates.
The changes are on this branch:
https://salsa.debian.org/debian/ClickHouse/-/commits/debian/bullseye
[ Impact ]
The assessment in #1008216 is:
By triggering the vulnerabilities, an attacker can crash the ClickHouse server,
leak memory contents or even cause remote code execution.
[ Tests ]
The package has an extensive test suite. I've also locally briefly
tested the package.
[ Risks ]
The change is cherry-picked from the upstream fix. Upstream has moved
source files around and restructured things, but the affected code
is the same. The upstream fix mentioned below also contains other
fixes, introduced in later -- not in Debian -- versions.
Upstream fix: https://github.com/ClickHouse/ClickHouse/pull/27136
Patch used:
https://salsa.debian.org/debian/ClickHouse/-/blob/debian/bullseye/debian/patches/CVE-2021-4238x-and-4330x.patch
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[ ] the issue is verified as fixed in unstable
The NMU fixing this is currently in DELAYED. (ETA Nov 5 ~13:00)
[ Changes ]
See patch.
(The remaining change is to salsa-ci configuration, to be able to utilize
the CI for testbuilds.)
[ Other info ]
Cheers,
--
tobi
diff -Nru clickhouse-18.16.1+ds/debian/changelog
clickhouse-18.16.1+ds/debian/changelog
--- clickhouse-18.16.1+ds/debian/changelog 2020-12-03 20:45:03.0
+0100
+++ clickhouse-18.16.1+ds/debian/changelog 2022-10-31 17:33:32.0
+0100
@@ -1,3 +1,12 @@
+clickhouse (18.16.1+ds-7.2+deb11u1) bullseye-security; urgency=medium
+
+ * Non-maintainer upload by the Security Team.
+ * Add Salsa CI config for bullseye.
+ * Fix CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+(Closes: #1008216)
+
+ -- Tobias Frost Mon, 31 Oct 2022 17:33:32 +0100
+
clickhouse (18.16.1+ds-7.2) unstable; urgency=medium
[Balint Reczey]
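Review bot: the distribution in the new changelog entry is `bullseye-security`, but this request is for stable-proposed-updates (Usertags: pu, and the mail says the security team pointed at s-p-u), so the entry should target `bullseye`; an upload tagged `bullseye-security` is routed to security-master, not to the pu queue. Suggest `clickhouse (18.16.1+ds-7.2+deb11u1) bullseye; urgency=medium`.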
diff -Nru clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
--- clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
1970-01-01 01:00:00.0 +0100
+++ clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
2022-10-31 17:25:21.0 +0100
@@ -0,0 +1,134 @@
+Description: Fix for CVE-2021-42387, CVE-2021-42388, CVE-2021-43304,
CVE-2021-43305
+ Cherry pick relevant parts from upstream PR, adapted to version in Debian.
+Origin: https://github.com/ClickHouse/ClickHouse/pull/27136
+Bug-Debian: https://bugs.debian.org/1008216
+Forwarded: no
+Applied-Upstream: yes, https://github.com/ClickHouse/ClickHouse/pull/27136
+Last-Update: 2022-10-30
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/dbms/src/IO/LZ4_decompress_faster.cpp
b/dbms/src/IO/LZ4_decompress_faster.cpp
+@@ -342,13 +342,16 @@
+
+
+ template
+-void NO_INLINE decompressImpl(
++bool NO_INLINE decompressImpl(
+ const char * const source,
+ char * const dest,
++ size_t source_size,
+ size_t dest_size)
+ {
+ const UInt8 * ip = (UInt8 *)source;
+ UInt8 * op = (UInt8 *)dest;
++const UInt8 * const input_end = ip + source_size;
++UInt8 * const output_begin = op;
+ UInt8 * const output_end = op + dest_size;
+
+ while (1)
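Review bot: the return type changes from `void` to `bool` and a `source_size` parameter is added, but no call site is visible in this debdiff; the rest of the patch must update every caller to pass the real compressed payload length (not the buffer capacity) and to turn a `false` result into a decompression error, otherwise a caller that ignores the new return value silently accepts truncated or corrupt output. `input_end` and `output_begin` are only consumed in later hunks, which is fine, but the `ip > input_end` check they enable is only as good as the `source_size` the caller supplies.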
+@@ -387,13 +390,19 @@
+ /// output: xyzHello, w
+ /// ^-op (we will overwrite excessive bytes on next
iteration)
+
+-wildCopy(op, ip, copy_end);/// Here we can write up
to copy_amount - 1 bytes after buffer.
++{
++auto * target = std::min(copy_end, output_end);
++wildCopy(op, ip, target);/// Here we can write
up to copy_amount - 1 bytes after buffer.
++
++if (target == output_end)
++return true;
++}
+
+ ip += length;
+ op = copy_end;
+
+-if (copy_end >= output_end)
+-return;
++if (unlikely(ip > input_end))
++return false;
+
+ /// Get match offset.
+
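Review bot: the input bound is checked only after the literal copy: `wildCopy(op, ip, target)` reads `target - op` bytes starting at `ip` before `if (unlikely(ip > input_end)) return false;` runs, so a crafted literal length can still over-read the compressed buffer by up to `length` bytes (capped by `dest_size`, since `target` is clamped to `output_end`). Moving the check ahead of the copy, e.g. `if (unlikely(ip + length > input_end)) return false;` before the block, closes that. On the write side the clamp to `output_end` is right, but per the retained comment `wildCopy` still writes up to `copy_amount - 1` bytes past `target`, so the destination must keep its padding beyond `dest_size`; worth stating in the patch description.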
+@@ -401,6 +410,9 @@
+ ip += 2;
+ const UInt8 * match = op - offset;
+
++if (unlikely(match < output_begin))
++return false;
++
+ /// Get match length.
+
+ length = token & 0x0F;
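Review bot: `match = op - offset` is formed before the `match < output_begin` check, so for a bad offset the pointer is computed outside the buffer before being compared; that is undefined behaviour in C++ and a compiler may fold the comparison away. Safer to compare sizes first, `if (unlikely(offset > size_t(op - output_begin))) return false;`, and only then compute `match`. Also note the check accepts `offset == 0` (`match == op`), which the LZ4 format forbids; with the later `copy(op, match)` it yields self-referential garbage rather than a memory error, but rejecting it alongside the range check is cheap.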
+@@ -441,7 +453,10 @@
+
+ copy(op, match); /// copy_amount + copy_amount - 1 - 4
* 2 bytes after buffer.
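Review bot: the hunk is truncated here: the header `@@ -441,7 +453,10 @@` announces three added lines, but only the context line `copy(op, match);` is shown, so the bound on the match copy cannot be reviewed on this page. That copy is the one the retained comment says can write `copy_amount + copy_amount - 1 - 4 * 2` bytes past the buffer, so the missing lines should clamp it against `output_end` the same way the literal copy was, and return `true` once the output is full.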