NEW changes in oldstable-new
Processing changes file: aide_0.16.1-1+deb10u1_source.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_all-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_amd64-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_arm64-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_armel-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_armhf-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_i386-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_mips-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_mips64el-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_mipsel-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_ppc64el-buildd.changes ACCEPT Processing changes file: aide_0.16.1-1+deb10u1_s390x-buildd.changes ACCEPT Processing changes file: ipython_5.8.0-1+deb10u1_source.changes ACCEPT Processing changes file: ipython_5.8.0-1+deb10u1_all-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_source.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_all-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_amd64-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_arm64-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_armel-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_armhf-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_i386-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_mips-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_mips64el-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_mipsel-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_ppc64el-buildd.changes ACCEPT Processing changes file: lighttpd_1.4.53-4+deb10u2_s390x-buildd.changes ACCEPT Processing 
changes file: lxml_4.3.2-1+deb10u4_sourceonly.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_all-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_amd64-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_arm64-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_armel-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_armhf-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_i386-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_mips-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_mips64el-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_mipsel-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_ppc64el-buildd.changes ACCEPT Processing changes file: lxml_4.3.2-1+deb10u4_s390x-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_sourceonly.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_amd64-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_arm64-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_armel-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_armhf-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_i386-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_mips-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_mips64el-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_mipsel-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_ppc64el-buildd.changes ACCEPT Processing changes file: nss_3.42.1-1+deb10u5_s390x-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_amd64.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_all-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_amd64-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_arm64-buildd.changes ACCEPT Processing 
changes file: pillow_5.4.1-2+deb10u3_armel-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_armhf-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_i386-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_mips-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_mips64el-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_mipsel-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_ppc64el-buildd.changes ACCEPT Processing changes file: pillow_5.4.1-2+deb10u3_s390x-buildd.changes ACCEPT Processing changes file: policykit-1_0.105-25+deb10u1_source.changes ACCEPT Processing changes file: policykit-1_0.105-25+deb10u1_all-buildd.changes ACCEPT Processing changes file: policykit-1_0.105-25+deb10u1_amd64-buildd.changes ACCEPT Processing changes file: policykit-1
Re: rakudo permanent tracker and transition
Hi,

On 05-02-2022 15:54, Dominique Dumont wrote:
> On Thursday, 3 February 2022 09:16:54 CET Paul Gevers wrote:
> > I'm slightly surprised that perl6-readline isn't picked up by the
> > tracker. We'll need to check why that is.
>
> I've a possible explanation.

Thanks for thinking along.

> perl6-readline depends field is:
>
> Depends: libreadline8, raku-api-2021.09
>
> rakudo tracker is set with:
>
> Affected: .depends ~ /^raku-api-/
>
> This fails if the regexp is applied to the *whole* Depends field value
> because the regexp is anchored to the beginning of the string.

True, that's why I was pretty sure that ben only considers individual entries. But I just checked the ben documentation [1] and believe you are right. Particularly this:

"""
Packages fields may contain a list of values comma-separated. Ben splits the list before looking with "…" for a match.
"""

which suggests that doesn't apply to regular expressions and I see loads of (^|\s) in other ben files.

Paul

[1] https://debian.pages.debian.net/ben/#_query_language
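The mismatch discussed in this thread, as an added example that is not part of either e-mail and is not ben's code: it models the two candidate readings of `.depends ~ /regex/` (regex applied to the whole field, or to each comma-separated entry) with Python's `re`. The function names and every sample stanza except the perl6-readline Depends value are assumptions made for the illustration.

```python
import re

# Depends values keyed by package name. Only the perl6-readline value comes
# from the thread; the other three stanzas are constructed for illustration.
DEPENDS = {
    "perl6-readline": "libreadline8, raku-api-2021.09",
    "raku-example-first": "raku-api-2021.09, libexample1",
    "raku-example-versioned": "libc6 (>= 2.31), raku-api-2021.09 (>= 1)",
    "unrelated": "libnot-raku-api-1",
}

ANCHORED = r"^raku-api-"       # pattern quoted in the thread
PREFIXED = r"(^|\s)raku-api-"  # idiom the thread reports from other ben files


def match_whole_field(pattern, depends):
    """Reading A: the regex sees the unsplit field value."""
    return re.search(pattern, depends) is not None


def match_per_entry(pattern, depends):
    """Reading B: the field is split on commas and each entry is tried."""
    return any(re.search(pattern, entry.strip()) for entry in depends.split(","))


def affected(pattern, matcher, packages=DEPENDS):
    """Sorted names of the packages the tracker query would select."""
    return sorted(name for name, dep in packages.items() if matcher(pattern, dep))


def missed_by_whole_field(pattern, packages=DEPENDS):
    """Packages selected under reading B but dropped under reading A."""
    per_entry = set(affected(pattern, match_per_entry, packages))
    whole = set(affected(pattern, match_whole_field, packages))
    return sorted(per_entry - whole)


if __name__ == "__main__":
    for label, pattern in (("anchored", ANCHORED), ("prefixed", PREFIXED)):
        print(label, "whole field:", affected(pattern, match_whole_field))
        print(label, "per entry:  ", affected(pattern, match_per_entry))
        print(label, "missed:     ", missed_by_whole_field(pattern))
```

Under the whole-field reading the anchored pattern only selects packages whose first dependency is raku-api-*, which is the symptom reported for perl6-readline.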
NEW changes in stable-new
Processing changes file: flatpak-builder_1.0.12-1+deb11u1_source.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_amd64-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_arm64-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_armel-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_armhf-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_i386-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_mips64el-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_mipsel-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_ppc64el-buildd.changes ACCEPT Processing changes file: flatpak-builder_1.0.12-1+deb11u1_s390x-buildd.changes ACCEPT
Re: rakudo permanent tracker and transition
On Thursday, 3 February 2022 09:16:54 CET Paul Gevers wrote:
> I'm slightly surprised that perl6-readline isn't picked up by the
> tracker. We'll need to check why that is.

I've a possible explanation.

perl6-readline depends field is:

Depends: libreadline8, raku-api-2021.09

rakudo tracker is set with:

Affected: .depends ~ /^raku-api-/

This fails if the regexp is applied to the *whole* Depends field value because the regexp is anchored to the beginning of the string.

HTH
Bug#1003176: transition: perl 5.34
On Sat, Feb 05, 2022 at 12:40:53PM +0200, Niko Tyni wrote:
> Uploading this afternoon.

perl_5.34.0-3 uploaded and accepted.
--
Niko
Bug#1005013: bullseye-pu: package cinnamon/4.8.6-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
When a user attempts to add an online account that requires logging in through a web component, such as Google, Facebook, Microsoft and/or Foursquare, cinnamon-settings crashes and quits without any further prompt or message.

[ Impact ]
As reported in #1001536, for now it is not possible to add an online account for many services in Bullseye.

[ Tests ]
With the fix, adding online accounts that require a login, which was impossible before, is set up correctly and works. I tried the Google one in my test; the user who reported it has also tested and reported that it works with the fix:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001536#36
I didn't see any regression, the other user who tested it didn't report any regression either, and I didn't see any regression reported upstream about it.

[ Risks ]
The patch is small and has already been tested for a long time upstream and in other distros that have been using the just-released cinnamon 5.2.1, for even more than 2 months; in Debian it was instead delayed a lot due to the inability/difficulty to upload packages for a period. The version including the fix has been in experimental since 2021-12-31 and in unstable since 2022-01-27.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Changes to /usr/share/cinnamon/cinnamon-settings/cinnamon-settings.py

[ Other info ]
n/a

diff -Nru cinnamon-4.8.6/debian/changelog cinnamon-4.8.6/debian/changelog --- cinnamon-4.8.6/debian/changelog 2021-02-15 01:12:15.0 +0100 +++ cinnamon-4.8.6/debian/changelog 2022-02-05 13:16:03.0 +0100 
@@ -1,3 +1,11 @@ +cinnamon (4.8.6-2+deb11u1) bullseye; urgency=medium + + * d/patches: add upstream patch that solves a crash adding +an online account with login on web component (Closes: #1001536) + * change vcs-git, CI and gbp to bullseye + + -- Fabio Fantoni Sat, 05 Feb 2022 13:16:03 +0100 + cinnamon (4.8.6-2) unstable; urgency=medium [ Fabio Fantoni ] diff -Nru cinnamon-4.8.6/debian/control cinnamon-4.8.6/debian/control --- cinnamon-4.8.6/debian/control 2021-02-15 01:12:15.0 +0100 +++ cinnamon-4.8.6/debian/control 2022-02-05 13:16:03.0 +0100 @@ -40,7 +40,7 @@ Standards-Version: 4.5.0 Homepage: http://cinnamon.linuxmint.com Vcs-Browser: https://salsa.debian.org/cinnamon-team/cinnamon -Vcs-Git: https://salsa.debian.org/cinnamon-team/cinnamon.git +Vcs-Git: https://salsa.debian.org/cinnamon-team/cinnamon.git -b bullseye Package: cinnamon Architecture: any diff -Nru cinnamon-4.8.6/debian/gbp.conf cinnamon-4.8.6/debian/gbp.conf --- cinnamon-4.8.6/debian/gbp.conf 2021-02-15 01:12:15.0 +0100 +++ cinnamon-4.8.6/debian/gbp.conf 2022-02-05 13:16:03.0 +0100 @@ -1,2 +1,3 @@ [DEFAULT] pristine-tar = True +debian-branch = bullseye diff -Nru cinnamon-4.8.6/debian/patches/fix-crash-online-account.patch cinnamon-4.8.6/debian/patches/fix-crash-online-account.patch --- cinnamon-4.8.6/debian/patches/fix-crash-online-account.patch 1970-01-01 01:00:00.0 +0100 +++ cinnamon-4.8.6/debian/patches/fix-crash-online-account.patch 2022-02-05 13:16:03.0 +0100 
@@ -0,0 +1,77 @@ +Author: Michael Webster +Date: Fri, 19 Nov 2021 21:33:02 -0500 +Description: [PATCH] Make cinnamon-settings a minimal GApplication to accomodate + webkit. + +GApplication is required for xdg-desktop-portal access in the WebKit sandbox. + +https://forums.fedoraforum.org/showthread.php?327343-Gnome-Online-Accounts-Unusable-In-F35-Cinnamon-GUI-Consistently-Crashes-Vanishes + +Origin: https://github.com/linuxmint/cinnamon/commit/77ed66050f7df889fcb7a10b702c7b8bcdeaa130 +--- + .../cinnamon-settings/cinnamon-settings.py| 21 +-- + 1 file changed, 15 insertions(+), 6 deletions(-) + +--- a/files/usr/share/cinnamon/cinnamon-settings/cinnamon-settings.py b/files/usr/share/cinnamon/cinnamon-settings/cinnamon-settings.py +@@ -163,7 +163,7 @@ + os.utime(fname, times) + + +-class MainWindow: ++class MainWindow(Gio.Application): + # Change pages + def side_view_nav(self, side_view, path, cat): + selected_items = side_view.get_selected_items() +@@ -257,6 +257,9 @@ + + # Create the UI + def __init__(self): ++Gio.Application.__init__(self, ++ application_id="org.cinnamon.Settings_%d" % os.getpid(), ++ flags=Gio.ApplicationFlags.NON_UNIQUE | Gio.ApplicationFlags.HANDLES_OPEN) + self.builder = Gtk.Builder() + self.builder.set_translation_domain('cinnamon') # let it translate! + self.builder.add_from_file(config.currentPath + "/cinnamon-settings.ui") +@@ -294,7 +297,7 @@ + self.search_entry.connect("changed"
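Review bot: in the `__init__` hunk of cinnamon-settings.py, `Gio.Application.__init__` is called with a per-process `application_id` (`"org.cinnamon.Settings_%d" % os.getpid()`) together with `Gio.ApplicationFlags.NON_UNIQUE` and `HANDLES_OPEN`, but nothing in the lines shown says why each of the three is needed, and the part of the patch visible here (the text is cut off after the `search_entry.connect` context line) contains no handler for the open signal. A short comment above the call explaining the ID and flag choice would help whoever has to maintain this in bullseye. Minor: the patch Description spells "accomodate".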
Bug#1005010: bullseye-pu: package node-nth-check/2.0.0-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Regex Denial of Service (CVE-2021-3803)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch isn't so complicated and test passed

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace regex with hand-rolled parser

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index b80a144..e2e201b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-nth-check (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Replace regex with hand-rolled parser (Closes: CVE-2021-3803) + + -- Yadd Sat, 05 Feb 2022 12:42:20 +0100 + node-nth-check (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3803.patch b/debian/patches/CVE-2021-3803.patch new file mode 100644 index 000..da4870c --- /dev/null +++ b/debian/patches/CVE-2021-3803.patch 
@@ -0,0 +1,107 @@ +Description: Replace regex with hand-rolled parser +Author: Felix Böhm <188768+f...@users.noreply.github.com> +Origin: upstream, https://patch-diff.githubusercontent.com/raw/fb55/nth-check/pull/9.patch +Bug: https://github.com/advisories/GHSA-rp65-9cf3-cjxr +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-05 + +--- a/src/parse.ts b/src/parse.ts +@@ -1,7 +1,9 @@ + // Following http://www.w3.org/TR/css3-selectors/#nth-child-pseudo + +-// [ ['-'|'+']? INTEGER? {N} [ S* ['-'|'+'] S* INTEGER ]? +-const RE_NTH_ELEMENT = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/; ++// Whitespace as per https://www.w3.org/TR/selectors-3/#lex is " \t\r\n\f" ++const whitespace = new Set([9, 10, 12, 13, 32]); ++const ZERO = "0".charCodeAt(0); ++const NINE = "9".charCodeAt(0); + + /** + * Parses an expression. +@@ -19,24 +21,72 @@ + return [2, 1]; + } + +-const parsed = formula.match(RE_NTH_ELEMENT); ++// Parse [ ['-'|'+']? INTEGER? {N} [ S* ['-'|'+'] S* INTEGER ]? + +-if (!parsed) { ++let idx = 0; ++ ++let a = 0; ++let sign = readSign(); ++let number = readNumber(); ++ ++if (idx < formula.length && formula.charAt(idx) === "n") { ++idx++; ++a = sign * (number ?? 1); ++ ++skipWhitespace(); ++ ++if (idx < formula.length) { ++sign = readSign(); ++skipWhitespace(); ++number = readNumber(); ++} else { ++sign = number = 0; ++} ++} ++ ++// Throw if there is anything else ++if (number === null || idx < formula.length) { + throw new Error(`n-th rule couldn't be parsed ('${formula}')`); + } + +-let a; ++return [a, sign * number]; + +-if (parsed[1]) { +-a = parseInt(parsed[1], 10); +-if (isNaN(a)) { +-a = parsed[1].startsWith("-") ? -1 : 1; ++function readSign() { ++if (formula.charAt(idx) === "-") { ++idx++; ++return -1; + } +-} else a = 0; + +-const b = +-(parsed[2] === "-" ? -1 : 1) * +-(parsed[3] ? 
parseInt(parsed[3], 10) : 0); ++if (formula.charAt(idx) === "+") { ++idx++; ++} ++ ++return 1; ++} + +-return [a, b]; ++function readNumber() { ++const start = idx; ++let value = 0; ++ ++while ( ++idx < formula.length && ++formula.charCodeAt(idx) >= ZERO && ++formula.charCodeAt(idx) <= NINE ++) { ++value = value * 10 + (formula.charCodeAt(idx) - ZERO); ++idx++; ++} ++ ++// Return `null` if we didn't read anything. ++return idx === start ? null : value; ++} ++ ++function skipWhitespace() { ++while ( ++idx < formula.length && ++whitespace.has(formula.charCodeAt(idx)) ++) { ++idx++; ++} ++} + } diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4ac3e54 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-3803.patch
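Review bot: the hand-rolled parser in src/parse.ts accepts a narrower set of inputs than the removed `RE_NTH_ELEMENT`, and neither the patch description nor the changelog says so. The old pattern matched an empty formula (every group is optional) and allowed whitespace between a leading sign and the integer when there is no `n` term, as in `+ 5`; in the new code both reach `if (number === null || idx < formula.length)` with `number === null` and throw, because `skipWhitespace()` is only called after an `n` has been consumed. If that strictness is intended for a stable update, a line in the changelog would make it visible; otherwise it is worth a test for each of the two inputs. Minor: `sign * number` yields `-0` for a formula such as `n-0`.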
Bug#1005007: bullseye-pu: package node-trim-newlines/3.0.0-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Regex Denial of Service (CVE-2021-33623)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace regex by string parse

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index bfe52ab..84d1115 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-trim-newlines (3.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix Regex Denial of Service (Closes: CVE-2021-33623) + + -- Yadd Sat, 05 Feb 2022 12:23:20 +0100 + node-trim-newlines (3.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-33623.patch b/debian/patches/CVE-2021-33623.patch new file mode 100644 index 000..8ce1174 --- /dev/null +++ b/debian/patches/CVE-2021-33623.patch 
@@ -0,0 +1,34 @@ +Description: fix ReDoS +Author: upstream +Bug: https://github.com/advisories/GHSA-7p7h-4mm5-852v +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-05 + +--- a/index.js b/index.js +@@ -1,4 +1,13 @@ + 'use strict'; + module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, ''); + module.exports.start = string => string.replace(/^[\r\n]+/, ''); +-module.exports.end = string => string.replace(/[\r\n]+$/, ''); ++ ++module.exports.end = string => { ++ let end = string.length; ++ ++ while (end > 0 && (string[end - 1] === '\r' || string[end - 1] === '\n')) { ++ end--; ++ } ++ ++ return end < string.length ? string.slice(0, end) : string; ++}; +--- a/package.json b/package.json +@@ -1,6 +1,6 @@ + { + "name": "trim-newlines", +- "version": "3.0.0", ++ "version": "3.0.1", + "description": "Trim newlines from the start and/or end of a string", + "license": "MIT", + "repository": "sindresorhus/trim-newlines", diff --git a/debian/patches/series b/debian/patches/series index 2cdbeba..2063155 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ replace-ava-by-tape.patch +CVE-2021-33623.patch
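Review bot: only `module.exports.end` is rewritten in the index.js hunk; the default export on the unchanged context line still runs `.replace(/[\r\n]+$/, '')`, the same trailing pattern this patch removes from `end`. Callers that use the module's default function therefore still go through that regex. Having the default export call the new `end` on the result of the leading-newline replace would cover both entry points. Style point: the package.json hunk bumps `"version"` to 3.0.1 inside a Debian patch while the package version stays 3.0.0-1+deb11u1, which is worth a note in the patch header.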
Re: rakudo permanent tracker and transition
On Thursday, 3 February 2022 09:16:54 CET Paul Gevers wrote:
> I'm slightly surprised that perl6-readline isn't picked up by the
> tracker. We'll need to check why that is.

For what it's worth, unlike the other raku-* modules, perl6-readline 0.1.5-4 is an arch:any package.

On the other hand perl6-readline 0.1.5-2 (stable version) is an arch:all package.

HTH
Bug#1003176: transition: perl 5.34
On Sat, Feb 05, 2022 at 11:07:19AM +0100, Sebastian Ramacher wrote:
> On 2022-02-04 10:52:11, Niko Tyni wrote:
> > On Thu, Feb 03, 2022 at 09:49:28PM +0100, Sebastian Ramacher wrote:
>
> > > On 2022-01-05 17:00:54 +, Niko Tyni wrote:
>
> > > > we'd like a transition slot for Perl 5.34.
> > > ocaml is done, so please go ahead.
> >
> > Thanks!
> >
> > My last rebuilds found that graphviz has regressed and doesn't build
> > anymore (#1004956). Do we need to get that fixed first?
>
> libgv-perl does not have any reverse dependencies. None of the other
> binaries built by graphviz are affected by this transition.

Ack, thanks.

> Unless there are any other packages that build perl and php bindings
> using swig that would fail to build, I don't think that this bug is a
> blocker.

No other regressions turned up in my rebuild tests, so I think we should be fine. Uploading this afternoon.
--
Niko
Bug#1003176: transition: perl 5.34
On 2022-02-04 10:52:11, Niko Tyni wrote:
> On Thu, Feb 03, 2022 at 09:49:28PM +0100, Sebastian Ramacher wrote:
>
> > On 2022-01-05 17:00:54 +, Niko Tyni wrote:
>
> > > we'd like a transition slot for Perl 5.34.
> > ocaml is done, so please go ahead.
>
> Thanks!
>
> My last rebuilds found that graphviz has regressed and doesn't build
> anymore (#1004956). Do we need to get that fixed first?

libgv-perl does not have any reverse dependencies. None of the other binaries built by graphviz are affected by this transition.

Unless there are any other packages that build perl and php bindings using swig that would fail to build, I don't think that this bug is a blocker.

Cheers
--
Sebastian Ramacher
Bug#1005000: buster-pu: package atftp/0.7.git20120829-3.2~deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]
Fix of CVE-2021-46671 reported in #1004974.

[ Impact ]
Potential information leak under special circumstances.

[ Tests ]
I checked manually that the changes fix the problem. The version in testing contains the fix already for a long time and no problems have been observed.

[ Risks ]
Risks are rather low, as changes are not complicated and in place for the version in testing since quite some time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
With the fix applied, options sent to the daemon are better checked to avoid reading past the end of an array.

[ Other info ]
The same problem exists in bullseye and is handled in a separate bullseye-pu. I am going to upload the fixed version already.

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,9 @@ +atftp (0.7.git20120829-3.2~deb10u3) buster; urgency=medium + + * Fix for CVE-2021-46671 (Closes: #1004974) + + -- Andreas B. Mundt Fri, 04 Feb 2022 18:47:25 +0100 + atftp (0.7.git20120829-3.2~deb10u2) buster; urgency=medium * Fix for CVE-2021-41054 (Closes: #994895) diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c --- atftp-0.7.git20120829/options.c +++ atftp-0.7.git20120829/options.c 
@@ -43,6 +43,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - requests always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + /* read filename */ entry = argz_next(tftp_data->th_stuff, size, entry); if (!entry) @@ -79,6 +85,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - options always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) { tmp = entry;
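Review bot: the new check in both options.c hunks rejects only `data_size == 0`, but the context line just above it has already computed `size = data_size - sizeof(tftp_data->th_opcode)`. A buffer that is shorter than the opcode and ends in a null byte passes the check, and the `size` handed to `argz_next` has by then wrapped or gone negative. Consider also rejecting `data_size < sizeof(tftp_data->th_opcode)`, and doing the validation before `size` is derived so the subtraction never runs on an unchecked length.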
Bug#1004999: bullseye-pu: package atftp/0.7.git20120829-3.3+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org

[ Reason ]
Fix of CVE-2021-46671 reported in #1004974.

[ Impact ]
Potential information leak under special circumstances.

[ Tests ]
I checked manually that the changes fix the problem. The version in testing contains the fix already for a long time and no problems have been observed.

[ Risks ]
Risks are rather low, as changes are not complicated and in place for the version in testing since quite some time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
With the fix applied, options sent to the daemon are better checked to avoid reading past the end of an array.

[ Other info ]
The same problem exists in buster (I'll open a separate buster-pu). I am going to upload the fixed version already.

diff -u atftp-0.7.git20120829/debian/changelog atftp-0.7.git20120829/debian/changelog --- atftp-0.7.git20120829/debian/changelog +++ atftp-0.7.git20120829/debian/changelog @@ -1,3 +1,9 @@ +atftp (0.7.git20120829-3.3+deb11u2) bullseye; urgency=medium + + * Fix for CVE-2021-46671 (Closes: #1004974) + + -- Andreas B. Mundt Fri, 04 Feb 2022 18:09:05 +0100 + atftp (0.7.git20120829-3.3+deb11u1) bullseye; urgency=medium * Fix for CVE-2021-41054 (Closes: #994895) diff -u atftp-0.7.git20120829/options.c atftp-0.7.git20120829/options.c --- atftp-0.7.git20120829/options.c +++ atftp-0.7.git20120829/options.c 
@@ -43,6 +43,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - requests always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + /* read filename */ entry = argz_next(tftp_data->th_stuff, size, entry); if (!entry) @@ -79,6 +85,12 @@ struct tftphdr *tftp_data = (struct tftphdr *)data; size_t size = data_size - sizeof(tftp_data->th_opcode); + /* sanity check - options always end in a null byte, + * check to prevent argz_next from reading past the end of + * data, as it doesn't do bounds checks */ + if (data_size == 0 || data[data_size-1] != '\0') + return ERR; + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) { tmp = entry;
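Review bot: the same six-line block (comment plus `if (data_size == 0 || data[data_size-1] != '\0') return ERR;`) is pasted into both functions at `@@ -43,6 +43,12 @@` and `@@ -79,6 +85,12 @@`, differing only in one word of the comment. A small static helper in options.c called from both places would keep the two checks from drifting apart, and it is the natural place for any further length validation against `sizeof(tftp_data->th_opcode)`. Separately, the changelog entry added here is 0.7.git20120829-3.3+deb11u2 while the request subject names 3.3+deb11u1.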