Bug#948219: stretch-pu: package ros-ros-comm/1.12.6-2

2020-01-06 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2020-01-05 at 15:53 +0100, Jochen Sprickerhof wrote:
> The ros-ros-comm version in stretch is affected by two new CVEs:
> CVE-2019-13465 and CVE-2019-13445. The first one was already fixed by
> 1.12.6-2+deb9u1, cf. #945944, but the second one is new. The attached
> patch is against 1.12.6-2+deb9u1 and also adopts the changelog to
> mention the second CVE.
> 

Please go ahead.

Regards,

Adam



Bug#948219: stretch-pu: package ros-ros-comm/1.12.6-2

2020-01-05 Thread Jochen Sprickerhof
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi release team,

The ros-ros-comm version in stretch is affected by two new CVEs:
CVE-2019-13465 and CVE-2019-13445. The first one was already fixed by
1.12.6-2+deb9u1, cf. #945944, but the second one is new. The attached
patch is against 1.12.6-2+deb9u1 and also adopts the changelog to
mention the second CVE.

Cheers Jochen

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index b4bfdc6..7630a9a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
+ros-ros-comm (1.12.6-2+deb9u2) stretch; urgency=medium
+
+  * Add https://github.com/ros/ros_comm/pull/1741 (Fix CVE-2019-13445)
+
+ -- Jochen Sprickerhof   Sun, 05 Jan 2020 15:45:11 +0100
+
 ros-ros-comm (1.12.6-2+deb9u1) stretch; urgency=high
 
-  * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566)
+  * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566, 
CVE-2019-13465)
 
  -- Jochen Sprickerhof   Sun, 24 Nov 2019 17:03:50 +0100
 
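Review bot: the already-released 1.12.6-2+deb9u1 changelog entry is edited in place to add CVE-2019-13465 to the PR 1771 line; entries for uploads that have gone out are normally left untouched, and the clarification belongs in the new deb9u2 entry instead, e.g. `* Note that the fix for CVE-2019-13566 in 1.12.6-2+deb9u1 also covers CVE-2019-13465`. The new deb9u2 entry also uses `urgency=medium` while the previous CVE fix in this file used `urgency=high`; pick one so the two security updates are treated consistently.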
diff --git a/debian/patches/1741.patch b/debian/patches/1741.patch
new file mode 100644
index 000..86b4b35
--- /dev/null
+++ b/debian/patches/1741.patch
@@ -0,0 +1,21 @@
+From: Christopher Wecht 
+Date: Thu, 4 Jul 2019 21:19:14 +0200
+Subject: [PATCH] rosbag/record: fix signed int overflow
+
+---
+ tools/rosbag/src/record.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/rosbag/src/record.cpp b/tools/rosbag/src/record.cpp
+index dda378f..95e3413 100644
+--- a/tools/rosbag/src/record.cpp
 b/tools/rosbag/src/record.cpp
+@@ -121,7 +121,7 @@ rosbag::RecorderOptions parseOptions(int argc, char** 
argv) {
+ ROS_WARN("Use of \"--split \" has been deprecated.  Please 
use --split --size  or --split --duration ");
+ if (S < 0)
+   throw ros::Exception("Split size must be 0 or positive");
+-opts.max_size = 1048576 * S;
++opts.max_size = 1048576 * static_cast(S);
+   }
+ }
+ if(vm.count("max-splits"))
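Review bot: the type argument of `static_cast` is missing from the pasted line `++opts.max_size = 1048576 * static_cast(S);`, so confirm that the patch as applied casts `S` to a type at least as wide as `opts.max_size` (e.g. `uint64_t`) and that the cast is applied to `S` before the multiplication, as the hunk shows; casting the product instead would still overflow in `int` first. The `if (S < 0)` check above it still rejects negative values before the widening, which is the right order. The `b/tools/rosbag/src/record.cpp` header line also appears without its `+++` prefix in this paste, so check that the file applies cleanly with `quilt push` before upload. Finally, the patch carries only git-format-patch `From:`/`Date:`/`Subject:` headers; adding DEP-3 `Origin:` (the PR URL from the changelog), `Bug-Debian:` and `Applied-Upstream:` fields would document where it came from and that it is already merged upstream.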
diff --git a/debian/patches/series b/debian/patches/series
index 6695bde..bbadad6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
 0005-Add-defaults-to-roswtf.patch
 0007-move-heaers-to-include-xmlrpcpp.patch
 0007-fixing-string-check.patch
+1741.patch
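Review bot: `1741.patch` breaks the `NNNN-description.patch` naming used by the other entries in `debian/patches/series`; a name such as `0008-rosbag-record-fix-signed-int-overflow.patch` would say what the patch does without having to open it and would match the PR number only in the changelog, where it is already recorded. Appending it at the end of the series keeps the existing order intact, which is the right place for it.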