subject:"Bug#868054\: stretch\-pu\: package dwarfutils\/20161124\-1\+deb9u1"

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

2017-07-15 Thread Adam D. Barratt

Control: tags -1 + pending

On Sat, 2017-07-15 at 14:58 +0200, Daniel Stender wrote:
> On 15.07.2017 12:25, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Tue, 2017-07-11 at 17:01 +0200, Fabian Wolff wrote:
> >>   * Add patch 02-fix-CVE-2017-9052.patch to fix CVE-2017-9052 and
> >> CVE-2017-9055 (Closes: #864064).
> >>   * Add patch 03-fix-CVE-2017-9053.patch to fix CVE-2017-9053.
> >>   * Add patch 04-fix-CVE-2017-9054.patch to fix CVE-2017-9054.
> >>   * Add patch 05-fix-CVE-2017-9998.patch to fix CVE-2017-9998
> >> (Closes: #866968).
> > 
> > A changelog distribution of "stretch" would be preferred over "stable".
> > 
> > Please go ahead, bearing in mind that the window for 9.1 will close
> > during the weekend.
> > 
> > Regards,
> > 
> > Adam
> 
> In!

Flagged for acceptance.

Regards,

Adam

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

2017-07-15 Thread Daniel Stender

On 15.07.2017 12:25, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2017-07-11 at 17:01 +0200, Fabian Wolff wrote:
>>   * Add patch 02-fix-CVE-2017-9052.patch to fix CVE-2017-9052 and
>> CVE-2017-9055 (Closes: #864064).
>>   * Add patch 03-fix-CVE-2017-9053.patch to fix CVE-2017-9053.
>>   * Add patch 04-fix-CVE-2017-9054.patch to fix CVE-2017-9054.
>>   * Add patch 05-fix-CVE-2017-9998.patch to fix CVE-2017-9998
>> (Closes: #866968).
> 
> A changelog distribution of "stretch" would be preferred over "stable".
> 
> Please go ahead, bearing in mind that the window for 9.1 will close
> during the weekend.
> 
> Regards,
> 
> Adam

In!


Mapping stretch to stable.
Mapping stable to proposed-updates.

Accepted:

* *ANFANG des verschlüsselten oder unterschriebenen Bereichs* *

Format: 1.8
Date: Sat, 15 Jul 2017 12:50:56 +0200
Source: dwarfutils
Binary: dwarfdump libdwarf-dev libdwarf1
Architecture: source amd64
Version: 20161124-1+deb9u1
Distribution: stretch


Have a nice weekend.

Best,
Daniel Stender

-- 
4096R/DF5182C8 (sten...@debian.org)
http://www.danielstender.com/

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

2017-07-15 Thread Adam D. Barratt

Control: tags -1 + confirmed

On Tue, 2017-07-11 at 17:01 +0200, Fabian Wolff wrote:
>   * Add patch 02-fix-CVE-2017-9052.patch to fix CVE-2017-9052 and
> CVE-2017-9055 (Closes: #864064).
>   * Add patch 03-fix-CVE-2017-9053.patch to fix CVE-2017-9053.
>   * Add patch 04-fix-CVE-2017-9054.patch to fix CVE-2017-9054.
>   * Add patch 05-fix-CVE-2017-9998.patch to fix CVE-2017-9998
> (Closes: #866968).

A changelog distribution of "stretch" would be preferred over "stable".

Please go ahead, bearing in mind that the window for 9.1 will close
during the weekend.

Regards,

Adam

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

2017-07-11 Thread Fabian Wolff

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

I would like to propose the following changes to the dwarfutils
package in stretch:

  * Add patch 02-fix-CVE-2017-9052.patch to fix CVE-2017-9052 and
CVE-2017-9055 (Closes: #864064).
  * Add patch 03-fix-CVE-2017-9053.patch to fix CVE-2017-9053.
  * Add patch 04-fix-CVE-2017-9054.patch to fix CVE-2017-9054.
  * Add patch 05-fix-CVE-2017-9998.patch to fix CVE-2017-9998
(Closes: #866968).

This update would fix all currently known vulnerabilities in the
dwarfutils package in stretch. All changes have been cherry-picked
from the upstream development repository, and all of them are already
in unstable.

I have attached the debdiff that I would like to apply to the current
version in stable.

Thank you!

Kind regards,
Fabian
diff -Nru dwarfutils-20161124/debian/changelog 
dwarfutils-20161124/debian/changelog
--- dwarfutils-20161124/debian/changelog2016-11-25 14:23:27.0 
+0100
+++ dwarfutils-20161124/debian/changelog2017-07-11 15:33:51.0 
+0200
@@ -1,3 +1,14 @@
+dwarfutils (20161124-1+deb9u1) stable; urgency=medium
+
+  * Add patch 02-fix-CVE-2017-9052.patch to fix CVE-2017-9052 and
+CVE-2017-9055 (Closes: #864064).
+  * Add patch 03-fix-CVE-2017-9053.patch to fix CVE-2017-9053.
+  * Add patch 04-fix-CVE-2017-9054.patch to fix CVE-2017-9054.
+  * Add patch 05-fix-CVE-2017-9998.patch to fix CVE-2017-9998
+(Closes: #866968).
+
+ -- Fabian Wolff   Tue, 11 Jul 2017 15:33:51 +0200
+
 dwarfutils (20161124-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru dwarfutils-20161124/debian/patches/02-fix-CVE-2017-9052.patch 
dwarfutils-20161124/debian/patches/02-fix-CVE-2017-9052.patch
--- dwarfutils-20161124/debian/patches/02-fix-CVE-2017-9052.patch   
1970-01-01 01:00:00.0 +0100
+++ dwarfutils-20161124/debian/patches/02-fix-CVE-2017-9052.patch   
2017-07-11 15:33:51.0 +0200
@@ -0,0 +1,31 @@
+Description: Fix CVE-2017-9052 and CVE-2017-9055
+Origin: upstream, 
https://sourceforge.net/p/libdwarf/code/ci/cc37d6917011733d776ae228af4e5d6abe9613c1/
+Bug: https://www.prevanders.net/dwarfbug.html#DW201703-006
+Bug-Debian: https://bugs.debian.org/864064
+Last-Update: 2017-07-08
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libdwarf/dwarf_form.c
 b/libdwarf/dwarf_form.c
+@@ -934,6 +934,10 @@
+ switch (attr->ar_attribute_form) {
+ 
+ case DW_FORM_data1:
++if (attr->ar_debug_ptr >= section_end) {
++_dwarf_error(dbg, error, DW_DLE_DIE_BAD);
++return DW_DLV_ERROR;
++}
+ *return_sval = (*(Dwarf_Sbyte *) attr->ar_debug_ptr);
+ return DW_DLV_OK;
+ 
+--- a/libdwarf/dwarf_query.c
 b/libdwarf/dwarf_query.c
+@@ -377,7 +377,7 @@
+ }
+ if (_dwarf_reference_outside_section(die,
+ (Dwarf_Small*) info_ptr,
+-(Dwarf_Small*) info_ptr)) {
++((Dwarf_Small*) info_ptr)+1)) {
+ _dwarf_error(dbg, error,DW_DLE_ATTR_OUTSIDE_SECTION);
+ return DW_DLV_ERROR;
+ }
diff -Nru dwarfutils-20161124/debian/patches/03-fix-CVE-2017-9053.patch 
dwarfutils-20161124/debian/patches/03-fix-CVE-2017-9053.patch
--- dwarfutils-20161124/debian/patches/03-fix-CVE-2017-9053.patch   
1970-01-01 01:00:00.0 +0100
+++ dwarfutils-20161124/debian/patches/03-fix-CVE-2017-9053.patch   
2017-07-11 15:33:51.0 +0200
@@ -0,0 +1,86 @@
+Description: Fix CVE-2017-9053
+Origin: upstream, 
https://sourceforge.net/p/libdwarf/code/ci/cc37d6917011733d776ae228af4e5d6abe9613c1/
+Bug: https://www.prevanders.net/dwarfbug.html#DW201703-005
+Bug-Debian: https://bugs.debian.org/864064
+Last-Update: 2017-07-08
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/libdwarf/dwarf_loc.c
 b/libdwarf/dwarf_loc.c
+@@ -237,6 +237,10 @@
+ break;
+ 
+ case DW_OP_const1u:
++if (loc_ptr >= section_end) {
++_dwarf_error(dbg,error,DW_DLE_LOCEXPR_OFF_SECTION_END);
++return DW_DLV_ERROR;
++}
+ operand1 = *(Dwarf_Small *) loc_ptr;
+ loc_ptr = loc_ptr + 1;
+ if (loc_ptr > section_end) {
+@@ -247,6 +251,10 @@
+ break;
+ 
+ case DW_OP_const1s:
++if (loc_ptr >= section_end) {
++_dwarf_error(dbg,error,DW_DLE_LOCEXPR_OFF_SECTION_END);
++return DW_DLV_ERROR;
++}
+ operand1 = *(Dwarf_Sbyte *) loc_ptr;
+ SIGN_EXTEND(operand1,1);
+ loc_ptr = loc_ptr + 1;
+@@ -372,6 +380,10 @@
+ break;
+ 
+ case DW_OP_pick:
++if (loc_ptr >= section_end) {
++_dwarf_error(dbg,error,DW_DLE_LOCEXPR_OFF_SECTION_END);
++return DW_DLV_ERROR;
++}
+ operand1 = *(Dwarf_Small *) loc_ptr;
+ loc_ptr = loc_ptr + 1;
+ if (loc_ptr

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1

4 matches

Site Navigation

Mail list logo

Footer information