Bug#983918: buster-pu: package libbsd/0.9.1-2

2021-03-08 Thread Adam D. Barratt
I somehow missed that libbsd produces a udeb when I was processing
stable-new, so CCing KiBi and -boot now.

Regards,

Adam

On Wed, 2021-03-03 at 12:05 +0100, Gianfranco Costamagna wrote:
> Package: release.debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> Tags: buster
> Severity: normal
> 
> CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1 and
> for bullseye, sid with version 0.10.0-1
> Buster has been left out from the patches, and since the patch is
> trivial, I propose to apply it for buster too
> 
> 
> diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
> --- libbsd-0.9.1/debian/changelog 2019-02-25 01:33:03.0
> +0100
> +++ libbsd-0.9.1/debian/changelog 2021-03-03 12:03:12.0
> +0100
> @@ -1,3 +1,12 @@
> +libbsd (0.9.1-2+deb10u1) buster; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * CVE-2019-20367
> +A non-NUL terminated symbol name in the string table might
> +result in a out-of-bounds read.
> +
> + -- Gianfranco Costamagna   Wed, 03 Mar
> 2021 12:03:12 +0100
> +
>  libbsd (0.9.1-2) unstable; urgency=medium
>  
>* Perform a proper and correct /usr-merge transition by moving the
> package
> diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch libbsd-
> 0.9.1/debian/patches/CVE-2019-20367.patch
> --- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch  1970-01-01
> 01:00:00.0 +0100
> +++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch  2021-03-03
> 12:00:40.0 +0100
> @@ -0,0 +1,42 @@
> +From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00
> 2001
> +From: Guillem Jover 
> +Date: Wed, 7 Aug 2019 22:58:30 +0200
> +Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
> +
> +When doing a string comparison for a symbol name from the string
> table,
> +we should make sure we do a bounded comparison, otherwise a non-NUL
> +terminated string might make the code read out-of-bounds.
> +
> +Warned-by: coverity
> +---
> + src/nlist.c | 6 --
> + 1 file changed, 4 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/nlist.c b/src/nlist.c
> +index 8aa46a2..228c220 100644
> +--- a/src/nlist.c
>  b/src/nlist.c
> +@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
> + symsize -= cc;
> + for (s = sbuf; cc > 0 && nent > 0; ++s, cc -=
> sizeof(*s)) {
> + char *name;
> ++Elf_Word size;
> + struct nlist *p;
> + 
> + name = strtab + s->st_name;
> + if (name[0] == '\0')
> + continue;
> ++size = symstrsize - s->st_name;
> + 
> + for (p = list; !ISLAST(p); p++) {
> + if ((p->n_un.n_name[0] == '_' &&
> +-strcmp(name, p->n_un.n_name+1) ==
> 0)
> +-|| strcmp(name, p->n_un.n_name) ==
> 0) {
> ++ strncmp(name, p->n_un.n_name+1,
> size) == 0) ||
> ++strncmp(name, p->n_un.n_name, size)
> == 0) {
> + elf_sym_to_nlist(p, s, shdr,
> + ehdr.e_shnum);
> + if (--nent <= 0)
> +-- 
> +GitLab
> +
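Review bot: In the nested src/nlist.c hunk, the switch to `strncmp(name, p->n_un.n_name, size)` stops the over-read, but a table entry that runs to the end of the string table without a NUL will now compare equal to any requested symbol that merely begins with those `size` bytes. The result on a malformed table is a wrong symbol match instead of an out-of-bounds read. Consider treating an unterminated entry as malformed and skipping it before the inner loop, for example with `if (memchr(name, '\0', size) == NULL) continue;`, so that only NUL-terminated names can match.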
> diff -Nru libbsd-0.9.1/debian/patches/series libbsd-
> 0.9.1/debian/patches/series
> --- libbsd-0.9.1/debian/patches/series1970-01-01
> 01:00:00.0 +0100
> +++ libbsd-0.9.1/debian/patches/series2021-03-03
> 12:01:48.0 +0100
> @@ -0,0 +1 @@
> +CVE-2019-20367.patch



Bug#983918: buster-pu: package libbsd/0.9.1-2

2021-03-03 Thread Gianfranco Costamagna
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1 and
for bullseye, sid with version 0.10.0-1
Buster has been left out from the patches, and since the patch is
trivial, I propose to apply it for buster too


diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
--- libbsd-0.9.1/debian/changelog   2019-02-25 01:33:03.0 +0100
+++ libbsd-0.9.1/debian/changelog   2021-03-03 12:03:12.0 +0100
@@ -1,3 +1,12 @@
+libbsd (0.9.1-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-20367
+A non-NUL terminated symbol name in the string table might
+result in a out-of-bounds read.
+
+ -- Gianfranco Costamagna   Wed, 03 Mar 2021 
12:03:12 +0100
+
 libbsd (0.9.1-2) unstable; urgency=medium
 
   * Perform a proper and correct /usr-merge transition by moving the package
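Review bot: The new changelog entry names the CVE and the symptom but not the file that carries the fix, so a reader of the changelog cannot tell what was changed in the source package. Suggest adding a line such as `debian/patches/CVE-2019-20367.patch: new, from commit 9d917aad37778a9f4a96ba358415f077f3f36f3b` (the hash given in the patch header further down). Minor wording point in the same entry: "a out-of-bounds read" should read "an out-of-bounds read".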
diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 
libbsd-0.9.1/debian/patches/CVE-2019-20367.patch
--- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch1970-01-01 
01:00:00.0 +0100
+++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch2021-03-03 
12:00:40.0 +0100
@@ -0,0 +1,42 @@
+From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
+From: Guillem Jover 
+Date: Wed, 7 Aug 2019 22:58:30 +0200
+Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
+
+When doing a string comparison for a symbol name from the string table,
+we should make sure we do a bounded comparison, otherwise a non-NUL
+terminated string might make the code read out-of-bounds.
+
+Warned-by: coverity
+---
+ src/nlist.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nlist.c b/src/nlist.c
+index 8aa46a2..228c220 100644
+--- a/src/nlist.c
 b/src/nlist.c
+@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
+   symsize -= cc;
+   for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
+   char *name;
++  Elf_Word size;
+   struct nlist *p;
+ 
+   name = strtab + s->st_name;
+   if (name[0] == '\0')
+   continue;
++  size = symstrsize - s->st_name;
+ 
+   for (p = list; !ISLAST(p); p++) {
+   if ((p->n_un.n_name[0] == '_' &&
+-  strcmp(name, p->n_un.n_name+1) == 0)
+-  || strcmp(name, p->n_un.n_name) == 0) {
++   strncmp(name, p->n_un.n_name+1, size) == 
0) ||
++  strncmp(name, p->n_un.n_name, size) == 0) {
+   elf_sym_to_nlist(p, s, shdr,
+   ehdr.e_shnum);
+   if (--nent <= 0)
+-- 
+GitLab
+
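Review bot: In the nested src/nlist.c hunk, `size = symstrsize - s->st_name;` is computed only after `name = strtab + s->st_name;` has already been dereferenced by `if (name[0] == '\0')`, and nothing in the visible context checks that `s->st_name` is smaller than `symstrsize`. An offset at or beyond the end of the table makes the `name[0]` read itself out of bounds, and an offset beyond the end makes the subtraction wrap because `size` is an unsigned `Elf_Word`, which leaves `strncmp` effectively unbounded again. Suggest rejecting such entries before the dereference, for example `if (s->st_name >= symstrsize) continue;`, unless that validation already happens earlier in `__fdnlist` outside the lines shown.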
diff -Nru libbsd-0.9.1/debian/patches/series libbsd-0.9.1/debian/patches/series
--- libbsd-0.9.1/debian/patches/series  1970-01-01 01:00:00.0 +0100
+++ libbsd-0.9.1/debian/patches/series  2021-03-03 12:01:48.0 +0100
@@ -0,0 +1 @@
+CVE-2019-20367.patch