Bug#889753: uwsgi: diff for NMU version 2.0.15-10.2

2018-02-09 Thread Salvatore Bonaccorso
Control: tags -1 + pending

Jonas confirmed to me on IRC that it is fine to upload straight away
rather than target a delayed queue.

I have as well prepared updates for jessie- and stretch-pu.

Regards,
Salvatore



Bug#889753: uwsgi: diff for NMU version 2.0.15-10.2

2018-02-09 Thread Salvatore Bonaccorso
Control: tags 889753 + patch

Dear maintainer,

I've prepared an NMU for uwsgi (versioned as 2.0.15-10.2). Not yet
uploaded (to any delayed queue).

Regards,
Salvatore
diff -Nru uwsgi-2.0.15/debian/changelog uwsgi-2.0.15/debian/changelog
--- uwsgi-2.0.15/debian/changelog	2018-01-24 14:23:23.0 +0100
+++ uwsgi-2.0.15/debian/changelog	2018-02-09 21:35:00.0 +0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.15-10.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+(Closes: #889753)
+
+ -- Salvatore Bonaccorso   Fri, 09 Feb 2018 21:35:00 +0100
+
 uwsgi (2.0.15-10.1) unstable; urgency=medium
 
   * Non-maintainer upload.
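
Review bot: The new changelog entry states the vulnerability ("Stack-based buffer overflow in uwsgi_expand_path function") rather than the change made in this upload, and it does not name the patch file that carries the fix. Suggest wording it as an action and referencing 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch, so the entry can be matched to debian/patches/series without reading the diff.
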
diff -Nru uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
--- uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch	1970-01-01 01:00:00.0 +0100
+++ uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch	2018-02-09 21:35:00.0 +0100
@@ -0,0 +1,46 @@
+From: Unbit 
+Date: Tue, 6 Feb 2018 16:01:47 +0100
+Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack
+ corruption and potential security issue
+Origin: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
+Bug-Debian: https://bugs.debian.org/889753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758
+
+---
+ core/utils.c | 11 ---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/core/utils.c b/core/utils.c
+index b4c98dfd..fd886932 100644
+--- a/core/utils.c
 b/core/utils.c
+@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, pid_t pid) {
+ }
+ 
+ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+-	char src[PATH_MAX + 1];
+-	memcpy(src, dir, dir_len);
+-	src[dir_len] = 0;
++	if (dir_len > PATH_MAX)
++	{
++		uwsgi_log("invalid path size: %d (max %d)\n", dir_len, PATH_MAX);
++		return NULL;
++	}
++	char *src = uwsgi_concat2n(dir, dir_len, "", 0);
+ 	char *dst = ptr;
+ 	if (!dst)
+ 		dst = uwsgi_malloc(PATH_MAX + 1);
+@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+ 		uwsgi_error_realpath(src);
+ 		if (!ptr)
+ 			free(dst);
++		free(src);
+ 		return NULL;
+ 	}
++	free(src);
+ 	return dst;
+ }
+ 
+-- 
+2.11.0
+
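
Review bot: In the new guard at the top of uwsgi_expand_path(), dir_len is a signed int and is only bounded from above, so a negative length passes `if (dir_len > PATH_MAX)` and is handed on to `uwsgi_concat2n(dir, dir_len, "", 0)`. Suggest rejecting it in the same test, for example `if (dir_len < 0 || dir_len > PATH_MAX)`, so the length is validated in one place before any copy happens. As a style point, the added block puts its opening brace on its own line and declares `src` after a statement, while the surrounding code (`if (!dst)` just below) does not use that layout. The two added `free(src)` calls do cover both exits that follow the allocation.
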
diff -Nru uwsgi-2.0.15/debian/patches/series uwsgi-2.0.15/debian/patches/series
--- uwsgi-2.0.15/debian/patches/series	2018-01-24 14:23:23.0 +0100
+++ uwsgi-2.0.15/debian/patches/series	2018-02-09 21:35:00.0 +0100
@@ -1,6 +1,7 @@
 020170502~a63b659.patch
 020170503~ef58701.patch
 020170604~8368f94.patch
+0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
 1001_avoid_setting_RPATH.patch
 1002_fix-reload-process-name.patch
 1003_remove-php-libs.patch
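
Review bot: The added series entry, 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch, follows neither naming scheme visible in this file: the upstream cherry-picks above it use a date and commit prefix (020170604~8368f94.patch) and the Debian-specific patches below it use a 1001_ style number. Since the patch header gives an upstream Origin commit and a date of 6 Feb 2018, consider renaming it to match the cherry-pick scheme so the series keeps a consistent order.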