Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1
On Wed, May 01, 2024 at 06:29:29PM +0100, Adam D. Barratt wrote: > On Wed, 2024-05-01 at 13:02 +0200, Moritz Muehlenhoff wrote: > > Please remove salt in the next Bullseye point release. > > It was already removed frm unstable for being unsupportable > > and unmaintained (https:://bugs.debian.org/1069654). > > > > There are two related packages which need to be removed > > alongside, since salt-common depends on them (but which > > have no other dependencies outside of salt): > > > > pytest-salt-factories 0.93.0-1 > > pytest-testinfra 6.1.0-1 > > I'm not doubting whether at least the former should be removed, but > "salt-common depends on them" isn't a reason to remove things in > itself. A relationship in the opposite direction certainly would be > (i.e. "they depend on salt-common"). It's actually build dependencies, both pytest-salt-factories and pytest-testinfra build depend on salt-common. Cheers, Moritz
Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1
Package: release.debian.org Severity: normal X-Debbugs-Cc: s...@packages.debian.org Control: affects -1 + src:salt User: release.debian@packages.debian.org Usertags: rm Please remove salt in the next Bullseye point release. It was already removed frm unstable for being unsupportable and unmaintained (https:://bugs.debian.org/1069654). There are two related packages which need to be removed alongside, since salt-common depends on them (but which have no other dependencies outside of salt): pytest-salt-factories 0.93.0-1 pytest-testinfra 6.1.0-1 Cheers, Moritz
Bug#1068451: bookworm-pu: package libtommath/1.2.0-6+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: libtomm...@packages.debian.org Control: affects -1 + src:libtommath Addresses CVE-2023-36328, debdiff below. Acked by Dominique before. Cheers, Moritz diff -Nru libtommath-1.2.0/debian/changelog libtommath-1.2.0/debian/changelog --- libtommath-1.2.0/debian/changelog 2021-02-07 11:58:15.0 +0100 +++ libtommath-1.2.0/debian/changelog 2024-04-04 22:20:38.0 +0200 @@ -1,3 +1,9 @@ +libtommath (1.2.0-6+deb12u1) bookworm; urgency=medium + + * CVE-2023-36328 (Closes: #1051100) + + -- Moritz Mühlenhoff Thu, 04 Apr 2024 22:20:38 +0200 + libtommath (1.2.0-6) unstable; urgency=medium [ Helmut Grohne ] diff -Nru libtommath-1.2.0/debian/patches/CVE-2023-36328.patch libtommath-1.2.0/debian/patches/CVE-2023-36328.patch --- libtommath-1.2.0/debian/patches/CVE-2023-36328.patch1970-01-01 01:00:00.0 +0100 +++ libtommath-1.2.0/debian/patches/CVE-2023-36328.patch2024-04-04 22:20:38.0 +0200 @@ -0,0 +1,121 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden +Date: Tue, 9 May 2023 17:17:12 +0200 +Subject: [PATCH] Fix possible integer overflow + +--- + bn_mp_2expt.c| 4 + bn_mp_grow.c | 4 + bn_mp_init_size.c| 5 + + bn_mp_mul_2d.c | 4 + bn_s_mp_mul_digs.c | 4 + bn_s_mp_mul_digs_fast.c | 4 + bn_s_mp_mul_high_digs.c | 4 + bn_s_mp_mul_high_digs_fast.c | 4 + 8 files changed, 33 insertions(+) + +--- libtommath-1.2.0.orig/bn_mp_2expt.c libtommath-1.2.0/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { +mp_errerr; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ +/* zero a as per default */ +mp_zero(a); + +--- libtommath-1.2.0.orig/bn_mp_grow.c libtommath-1.2.0/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) +int i; +mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ +/* if the alloc size is smaller alloc more ram */ +if (a->alloc < size) { + /* reallocate the array a->dp +--- libtommath-1.2.0.orig/bn_mp_init_size.c libtommath-1.2.0/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ +size = MP_MAX(MP_MIN_PREC, size); + +/* alloc mem */ +--- libtommath-1.2.0.orig/bn_mp_mul_2d.c libtommath-1.2.0/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, +mp_digit d; +mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ +/* copy */ +if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +--- libtommath-1.2.0.orig/bn_s_mp_mul_digs.c libtommath-1.2.0/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, co +mp_word r; +mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* can we use the fast multiplier? */ +if ((digs < MP_WARRAY) && +(MP_MIN(a->used, b->used) < MP_MAXFAST)) { +--- libtommath-1.2.0.orig/bn_s_mp_mul_digs_fast.c libtommath-1.2.0/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int * +mp_digit W[MP_WARRAY]; +mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* grow the destination as required */ +if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +--- libtommath-1.2.0.orig/bn_s_mp_mul_high_digs.c libtommath-1.2.0/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int * +mp_word r; +mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* can we use the fast multiplier? */ +if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) +&& ((a->used + b->used + 1) < MP_WARRAY) +--- libtommath-1.2.0.orig/bn_s_mp_mul_high_digs_fast.c libtommath-1.2.0/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_ +mp_digit W[MP_WARRAY]; +mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* grow the destination as required */ +pa = a->used + b->used; +if (c->alloc < pa) { diff -Nru libtommath-1.2.0/debian/patches/series libtommath-1.2.0/debian/patches/series --- libtommath-1.2.0/debian/patches/series 2021-02-07 11:58:15.0 +0100 +++ libtommath-1.2.0/debian/patches/series 2024-04-04 22:20:38.0 +0200 @@ -2,3 +2,4 @@ remove-undefined-macro fix-shift-count-overflow-on-x32 use-utc-timezone +CVE-2023-36328.patch
Re: Security releases for ecosystems that use static linking
Thorsten Alteholz wrote: [ Adding DSA to the CC list ] > On Mon, 18 Mar 2024, Emilio Pozuelo Monfort wrote: > > > One solution which has been discussed in the past is to import a full copy > > > of stable towards stable-security at the beginning of each release cycle, > > > but that is currently not possible since security-master is a Ganeti VM > > > and the disk requirements for a full archive copy would rather require > > > a baremetal host. > > > (... suggestion of Emilio ...) > > > > Thoughts? > > The idea is nice, but needs someone to implement it. > > Anyway, the problem is not really new. Since many years, not to say decades, > I hear that there is not enough space on security-master. > I also hear that Debian has so much money and problems to spend it. > So why not solve this problem by buying new hardware? This can not be that > difficult. Is there any reason why security-master needs to be a Ganeti VM? The obvious reason is to avoid hardware refreshes and better redundancy, but I agree it would be really great to move forward with a solution for security-master. The current setup where security.d.o only holds a subset of the archive has long-standing issues which cause a lot of toil for FTP masters and people making security uploads: - Every initial upload of a package using Built-Using needs manual FTP master interaction - The need to inclucde full source into the initial upload leads to unneeded roundtrips when people forget it (and there's also even crazier cornercases like a new foo.tar.gz for oldstable-security and stable-security at the same time) - No possibility for binNMUs, leading to a need for sourceful uploads if needed Cheers, Moritz
Re: Security releases for ecosystems that use static linking
On Mon, Mar 18, 2024 at 01:13:15PM +0100, Emilio Pozuelo Monfort wrote: > [ Adding debian-dak@ to Cc ] > > One solution which has been discussed in the past is to import a full copy > > of stable towards stable-security at the beginning of each release cycle, > > but that is currently not possible since security-master is a Ganeti VM > > and the disk requirements for a full archive copy would rather require > > a baremetal host. > > What if the overrides list was updated regularly but the sources were only > imported on-demand? e.g. upon a new upload > - trigger override update from ftp-master > - if upload is sourceless and source is not present: > - try to import source from ftp-master > > This would also solve the current problem that an update on security-master > may have the same version but different orig tarball than the one on > ftp-master. We'd need an estimate which percentage of a given release sees an update via foo-security over the five year period (plus some wiggle room for a potentially increased rate of updates for rust/go) to make sure that disk space on security-master supports such a setup. But the approach per se seems solid to me. Cheers, Moritz
Bug#1063736: snort removal from bullseye (Re: Bug#1063736: RM: snort -- RoQA; security issues, unmaintained)
On Mon, Feb 12, 2024 at 06:16:48PM +, Jonathan Wiltshire wrote: > On Mon, Feb 12, 2024 at 09:24:47AM +, Holger Levsen wrote: > > hi, > > > > On Sun, Feb 11, 2024 at 09:44:18PM +, Jonathan Wiltshire wrote: > > > Requested by security team. Not in stable or testing. > > > > once this has happened we should communicate this to our users via > > debian-security-upload to bullseye. > > Looping in security in case security support should be withdrawn earlier. > (The removal won't happen until the next and final point release.) That's fine, all current bugs are addressed in bullseye, except a minor logrotate issue. Cheers, Moritz
Bug#1061572: bullseye-pu: package unadf/0.7.11a-4+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: un...@packages.debian.org Control: affects -1 + src:unadf Addresses two no-dsa security issues, same fix already rolled out for Bookworm. Debdiff below. Cheers, Moritz diff -Nru unadf-0.7.11a/debian/changelog unadf-0.7.11a/debian/changelog --- unadf-0.7.11a/debian/changelog 2016-09-24 17:43:06.0 +0200 +++ unadf-0.7.11a/debian/changelog 2023-11-24 16:39:48.0 +0100 @@ -1,3 +1,9 @@ +unadf (0.7.11a-4+deb11u1) bullseye; urgency=medium + + * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248) + + -- Moritz Mühlenhoff Fri, 24 Nov 2023 18:34:16 +0100 + unadf (0.7.11a-4) unstable; urgency=high * Orphan package with security issues. diff -Nru unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 --- unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12441970-01-01 01:00:00.0 +0100 +++ unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12442023-11-24 16:38:37.0 +0100 @@ -0,0 +1,146 @@ +Description: Fix unsafe extraction by using mkdir() instead of shell command + This commit fixes following vulnerabilities: + + - CVE-2016-1243: stack buffer overflow caused by blindly trusting on +pathname lengths of archived files + +Stack allocated buffer sysbuf was filled with sprintf() without any +bounds checking in extracTree() function. + + - CVE-2016-1244: execution of unsanitized input + +Shell command used for creating directory paths was constructed by +concatenating names of archived files to the end of the command +string. + + So, if the user was tricked to extract a specially crafted .adf file, + the attacker was able to execute arbitrary code with privileges of the + user. + + This commit fixes both issues by + +1) replacing mkdir shell commands with mkdir() function calls +2) removing redundant sysbuf buffer + +Author: Tuomas Räsänen +Last-Update: 2016-09-20 +-- +--- a/Demo/unadf.c b/Demo/unadf.c +@@ -24,6 +24,8 @@ + + #define UNADF_VERSION "1.0" + ++#include ++#include + + #include + #include +@@ -31,17 +33,15 @@ + + #include "adflib.h" + +-/* The portable way used to create a directory is to call the MKDIR command via the +- * system() function. +- * It is used to create the 'dir1' directory, like the 'dir1/dir11' directory ++/* The portable way used to create a directory is to call mkdir() ++ * which is defined by following standards: SVr4, BSD, POSIX.1-2001 ++ * and POSIX.1-2008 + */ + + /* the portable way to check if a directory 'dir1' already exists i'm using is to + * do fopen('dir1','rb'). NULL is returned if 'dir1' doesn't exists yet, an handle instead + */ + +-#define MKDIR "mkdir" +- + #ifdef WIN32 + #define DIRSEP '\\' + #else +@@ -51,6 +51,13 @@ + #define EXTBUFL 1024*8 + + ++static void mkdirOrLogErr(const char *const path) ++{ ++ if (mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO)) ++ fprintf(stderr, "mkdir: cannot create directory '%s': %s\n", ++ path, strerror(errno)); ++} ++ + void help() + { + puts("unadf [-lrcsp -v n] dumpname.adf [files-with-path] [-d extractdir]"); +@@ -152,7 +159,6 @@ void extractTree(struct Volume *vol, str + { + struct Entry* entry; + char *buf; +-char sysbuf[200]; + + while(tree) { + entry = (struct Entry*)tree->content; +@@ -162,16 +168,14 @@ void extractTree(struct Volume *vol, str + buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1); + if (!buf) return; + sprintf(buf,"%s%c%s",path,DIRSEP,entry->name); +-sprintf(sysbuf,"%s %s",MKDIR,buf); + if (!qflag) printf("x - %s%c\n",buf,DIRSEP); ++if (!pflag) mkdirOrLogErr(buf); + } + else { +-sprintf(sysbuf,"%s %s",MKDIR,entry->name); + if (!qflag) printf("x - %s%c\n",entry->name,DIRSEP); ++if (!pflag) mkdirOrLogErr(entry->name); + } + +-if (!pflag) system(sysbuf); +- + if (tree->subdir!=NULL) { + if (adfChangeDir(vol,entry->name)==RC_OK) { + if (buf!=NULL) +@@ -301,21 +305,20 @@ void processFile(struct Volume *vol, cha + extractFile(vol, name, path, extbuf, pflag, qflag); + } + else { +-/* the all-in-one string : to call system(), to find the filename, the convert dir sep char ... */ +-bigstr=(char*)malloc(strlen(MKDIR)+1+strlen(path)+1+strlen(name)+1); ++bigstr=(char*)malloc(strlen(path)+1+strlen(name)+1); + if (!bigstr) { fprintf(stderr,"processFile : malloc"); return; } + + /* to build to extract path */ + if (strlen(path)>0) { +-sprintf(bigstr,"%s %s%c%s",MKDIR,path,DIRSEP,name); +-cdstr =
Re: openjdk-8 vs. nvidia-openjdk-8-jre
On Fri, Jan 19, 2024 at 02:38:32AM +, Thorsten Glaser wrote: > Hi > > TIL about the existence of nvidia-openjdk-8-jre. > > Would it not be better to drop that and remove the bug deliberately > blocking openjdk-8 from entering testing/stable? No, we have enough OpenJDK releases to look after already. nvidia-openjdk-8-jre is on non-free (bundled with cuda) and not covered by security support. Cheers, Moritz
Bug#1059426: bookworm-pu: package haproxy/2.6.12-1+deb12u1
On Mon, Dec 25, 2023 at 10:32:41AM +0100, Tobias Frost wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: hapr...@packages.debian.org > X-Debbugs-Cc: t...@security.debian.org > Control: affects -1 + src:haproxy > > Hi, > > For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539, > and I also like to fix those for stable and oldstable. Please don't just go ahead and prepare updates for bullseye/bookworm without prior coordination. haproxy is listed in data/dsa-needed.txt as Salvatore as working on it (and in fact updates are already uploaded/built on security-master) Cheers, Moritz
Re: Security releases for ecosystems that use static linking
On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote: > El 22/12/23 a las 09:54, Moritz Muehlenhoff escribió: > > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > > So let me ask you: are you interested in addressing the infrastructure > > > limitations to handle those kind of packages? and having some help for > > > that? > > > > Foremost this is an infrastructure limitation that needs to be resolved: > > security-master and ftp-master use separate dak installations, which makes > > binNMUs in the current form untenable since every package would need a > > source-fule upload first (the same reason why currently the first upload > > of a package to foo-security needs a sourceful upload). > > > > One solution which has been discussed in the past is to import a full copy > > of stable towards stable-security at the beginning of each release cycle, > > but that is currently not possible since security-master is a Ganeti VM > > and the disk requirements for a full archive copy would rather require > > a baremetal host. > > If a baremetal host would be the first requirement, may I volunteer to > try to find one? If yes, do you have any idea of the required space and > HDD setup? These hosts are managed by the DSA team, this all needs to be discussed/sorted out with them. Cheers, Moritz
Re: Security releases for ecosystems that use static linking
On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > So let me ask you: are you interested in addressing the infrastructure > limitations to handle those kind of packages? and having some help for > that? Foremost this is an infrastructure limitation that needs to be resolved: security-master and ftp-master use separate dak installations, which makes binNMUs in the current form untenable since every package would need a source-fule upload first (the same reason why currently the first upload of a package to foo-security needs a sourceful upload). One solution which has been discussed in the past is to import a full copy of stable towards stable-security at the beginning of each release cycle, but that is currently not possible since security-master is a Ganeti VM and the disk requirements for a full archive copy would rather require a baremetal host. Cheers, Moritz
Re: Bug#1057755: Qt WebEngine Security Support In Stable
On Fri, Dec 15, 2023 at 10:39:04AM +0200, Adrian Bunk wrote: > > That is a good point. However, I consider full coverage of security support > > for stable to be an improvement over the current situation. Explicitly > > stating that security support is not shipped for oldstable does not do any > > more harm to users than what we currently do by explicitly stating that > > security support is not shipped for either stable or oldstable. > > >From a policy point of view, the duration of security support is a > Debian-wide policy and not a per-package policy. > > >From a user point of view, an organization/company running Debian on > their user/employee desktops would not schedule upgrades to a new > stable on release day - 1 year of migration time is really necessary. We already set some tighter deadlines, Chromium security support will also end six months after the release of the next stable release. But I agree with the general sentiment that this too much work to directly commit to full security support. A first step would be to initially commit to rebase to the latest LTS release in every point release. That would already be an improvement. Cheers, Moritz
Bug#1056696: bookworm-pu: package unadf/0.7.11a-5+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: un...@packages.debian.org Control: affects -1 + src:unadf Fixes two minor security issues. These have actually been in past releases (wheezy/jessie), but the patch wasn't actually applied to unstable in -4, so it regressed for later releases. Debdiff below. Cheers, Moritz diff -Nru unadf-0.7.11a/debian/changelog unadf-0.7.11a/debian/changelog --- unadf-0.7.11a/debian/changelog 2021-12-22 18:05:25.0 +0100 +++ unadf-0.7.11a/debian/changelog 2023-11-24 16:23:25.0 +0100 @@ -1,3 +1,9 @@ +unadf (0.7.11a-5+deb12u1) bookworm; urgency=medium + + * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248) + + -- Moritz Mühlenhoff Fri, 24 Nov 2023 18:20:14 +0100 + unadf (0.7.11a-5) unstable; urgency=medium * QA upload. diff -Nru unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 --- unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12441970-01-01 01:00:00.0 +0100 +++ unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12442023-11-24 16:25:05.0 +0100 @@ -0,0 +1,146 @@ +Description: Fix unsafe extraction by using mkdir() instead of shell command + This commit fixes following vulnerabilities: + + - CVE-2016-1243: stack buffer overflow caused by blindly trusting on +pathname lengths of archived files + +Stack allocated buffer sysbuf was filled with sprintf() without any +bounds checking in extracTree() function. + + - CVE-2016-1244: execution of unsanitized input + +Shell command used for creating directory paths was constructed by +concatenating names of archived files to the end of the command +string. + + So, if the user was tricked to extract a specially crafted .adf file, + the attacker was able to execute arbitrary code with privileges of the + user. + + This commit fixes both issues by + +1) replacing mkdir shell commands with mkdir() function calls +2) removing redundant sysbuf buffer + +Author: Tuomas Räsänen +Last-Update: 2016-09-20 +-- +--- a/Demo/unadf.c b/Demo/unadf.c +@@ -24,6 +24,8 @@ + + #define UNADF_VERSION "1.0" + ++#include ++#include + + #include + #include +@@ -31,17 +33,15 @@ + + #include "adflib.h" + +-/* The portable way used to create a directory is to call the MKDIR command via the +- * system() function. +- * It is used to create the 'dir1' directory, like the 'dir1/dir11' directory ++/* The portable way used to create a directory is to call mkdir() ++ * which is defined by following standards: SVr4, BSD, POSIX.1-2001 ++ * and POSIX.1-2008 + */ + + /* the portable way to check if a directory 'dir1' already exists i'm using is to + * do fopen('dir1','rb'). NULL is returned if 'dir1' doesn't exists yet, an handle instead + */ + +-#define MKDIR "mkdir" +- + #ifdef WIN32 + #define DIRSEP '\\' + #else +@@ -51,6 +51,13 @@ + #define EXTBUFL 1024*8 + + ++static void mkdirOrLogErr(const char *const path) ++{ ++ if (mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO)) ++ fprintf(stderr, "mkdir: cannot create directory '%s': %s\n", ++ path, strerror(errno)); ++} ++ + void help() + { + puts("unadf [-lrcsp -v n] dumpname.adf [files-with-path] [-d extractdir]"); +@@ -152,7 +159,6 @@ void extractTree(struct Volume *vol, str + { + struct Entry* entry; + char *buf; +-char sysbuf[200]; + + while(tree) { + entry = (struct Entry*)tree->content; +@@ -162,16 +168,14 @@ void extractTree(struct Volume *vol, str + buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1); + if (!buf) return; + sprintf(buf,"%s%c%s",path,DIRSEP,entry->name); +-sprintf(sysbuf,"%s %s",MKDIR,buf); + if (!qflag) printf("x - %s%c\n",buf,DIRSEP); ++if (!pflag) mkdirOrLogErr(buf); + } + else { +-sprintf(sysbuf,"%s %s",MKDIR,entry->name); + if (!qflag) printf("x - %s%c\n",entry->name,DIRSEP); ++if (!pflag) mkdirOrLogErr(entry->name); + } + +-if (!pflag) system(sysbuf); +- + if (tree->subdir!=NULL) { + if (adfChangeDir(vol,entry->name)==RC_OK) { + if (buf!=NULL) +@@ -301,21 +305,20 @@ void processFile(struct Volume *vol, cha + extractFile(vol, name, path, extbuf, pflag, qflag); + } + else { +-/* the all-in-one string : to call system(), to find the filename, the convert dir sep char ... */ +-bigstr=(char*)malloc(strlen(MKDIR)+1+strlen(path)+1+strlen(name)+1); ++bigstr=(char*)malloc(strlen(path)+1+strlen(name)+1); + if (!bigstr) { fprintf(stderr,"processFile : malloc"); return; } + + /* to build to extract path */ + if (strlen(path)>0) { +-
Bug#1052288: bullseye-pu: package qemu/1:5.2+dfsg-11+deb11u3
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: q...@packages.debian.org, m...@tls.msk.ru Control: affects -1 + src:qemu Various low severity security issues in qemu, debdiff below. I've tested this on a Bullseye ganeti cluster using the updated qemu. Cheers, Moritz diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog --- qemu-5.2+dfsg/debian/changelog 2022-05-04 21:50:01.0 +0200 +++ qemu-5.2+dfsg/debian/changelog 2023-09-04 16:11:35.0 +0200 @@ -1,3 +1,19 @@ +qemu (1:5.2+dfsg-11+deb11u3) bullseye; urgency=medium + + * CVE-2021-20196 (Closes: #984453) + * CVE-2023-0330 (Closes: #1029155) + * CVE-2023-1544 (Closes: #1034179) + * CVE-2023-3354 + * CVE-2021-3930 + * CVE-2023-3180 + * CVE-2021-20203 (Closes: #984452) + * CVE-2021-3507 (Closes: #987410) + * CVE-2020-14394 (Closes: #979677) + * CVE-2023-3301 + * CVE-2022-0216 (Closes: #1014590) + + -- Moritz Mühlenhoff Mon, 04 Sep 2023 16:11:35 +0200 + qemu (1:5.2+dfsg-11+deb11u2) bullseye-security; urgency=medium * virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch --- qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch 1970-01-01 01:00:00.0 +0100 +++ qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch 2023-08-22 12:42:56.0 +0200 @@ -0,0 +1,67 @@ +From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 4 Aug 2022 15:13:00 +0200 +Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in + xhci_ring_chain_length() (CVE-2020-14394) + +The loop condition in xhci_ring_chain_length() is under control of +the guest, and additionally the code does not check for failed DMA +transfers (e.g. if reaching the end of the RAM), so the loop there +could run for a very long time or even forever. Fix it by checking +the return value of dma_memory_read() and by introducing a maximum +loop length. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646 +Message-Id: <20220804131300.96368-1-th...@redhat.com> +Reviewed-by: Mauro Matteo Cascella +Acked-by: Gerd Hoffmann +Signed-off-by: Thomas Huth +--- + hw/usb/hcd-xhci.c | 23 +++ + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- qemu-5.2+dfsg.orig/hw/usb/hcd-xhci.c qemu-5.2+dfsg/hw/usb/hcd-xhci.c +@@ -21,6 +21,7 @@ + + #include "qemu/osdep.h" + #include "qemu/timer.h" ++#include "qemu/log.h" + #include "qemu/module.h" + #include "qemu/queue.h" + #include "migration/vmstate.h" +@@ -720,9 +721,13 @@ static int xhci_ring_chain_length(XHCISt + bool control_td_set = 0; + uint32_t link_cnt = 0; + +-while (1) { ++do { + TRBType type; +-dma_memory_read(xhci->as, dequeue, , TRB_SIZE); ++if (dma_memory_read(xhci->as, dequeue, , TRB_SIZE) != MEMTX_OK) { ++qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n", ++ __func__); ++return -1; ++} + le64_to_cpus(); + le32_to_cpus(); + le32_to_cpus(); +@@ -756,7 +761,17 @@ static int xhci_ring_chain_length(XHCISt + if (!control_td_set && !(trb.control & TRB_TR_CH)) { + return length; + } +-} ++ ++/* ++ * According to the xHCI spec, Transfer Ring segments should have ++ * a maximum size of 64 kB (see chapter "6 Data Structures") ++ */ ++} while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE); ++ ++qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n", ++ __func__); ++ ++return -1; + } + + static void xhci_er_reset(XHCIState *xhci, int v) diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch --- qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch 1970-01-01 01:00:00.0 +0100 +++ qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch 2023-09-04 16:11:35.0 +0200 @@ -0,0 +1,61 @@ +Combined backport of + +From 1ab95af033a419e7a64e2d58e67dd96b20af5233 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:35 +0100 +Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix + CVE-2021-20196 + +and + +From b154791e7b6d4ca5cdcd54443484d97360bd7ad2 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive() + +--- qemu-5.2+dfsg.orig/hw/block/fdc.c qemu-5.2+dfsg/hw/block/fdc.c +@@ -61,6 +61,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL); ++} ++ +
Bug#1051232: bookworm-pu: package 7zip/23.01+dfsg-3~deb12u1
On Tue, Sep 05, 2023 at 04:04:27AM +0900, YOKOTA Hiroshi wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: 7...@packages.debian.org, yokota.h...@gmail.com, > b...@debian.org, t...@security.debian.org > Control: affects -1 + src:7zip > > [ Reason ] > 1. Fix security issue > CVE-2023-31102: https://www.zerodayinitiative.com/advisories/ZDI-23-1165/ > CVE-2023-40481: https://www.zerodayinitiative.com/advisories/ZDI-23-1164/ > > 2. Use 7zip-rar package for RAR archives. >7zip-rar requires 7zip >= 22.01-9 What are the isolated fixes for CVE-2023-40481 and CVE-2023-31102, is there some kind of public upstream VCS or can you ask upstream about it? Cheers, Moritz
Bug#1051169: RM: nomad/0.12.10+dfsg1-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hashicorp switched to the non-free BSL and security fixes will only be made available until December 31 2023, so we should remove it with the Bullseye 11.8 point release: https://www.hashicorp.com/license-faq#products-covered-by-bsl (nomad-driver-lxc is related, will file a separate RM bug for it) Cheers, Moritz
Bug#1051170: RM: nomad-driver-lxc/0.3.0-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Needs to be removed alongside with nomad. Cheers, Moritz
Bug#1041498: bookworm-pu: package testng7/7.5-2~deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: test...@packages.debian.org, d...@debian.org, vladimir.pe...@canonical.com Control: affects -1 + src:testng7 We need to introduce a backport of testng7 in the version found in trixie to bookworm (and TBD, also for bullseye). It's needed for the latest versions of openjdk-17 LTS (as part of the test suite). The debdiff below is against the version of testng7 in trixie (since the package is new in bookworm). Cheers, Moritz diff -Nru testng7-7.5/debian/changelog testng7-7.5/debian/changelog --- testng7-7.5/debian/changelog2023-06-15 20:21:39.0 +0200 +++ testng7-7.5/debian/changelog2023-07-19 21:03:12.0 +0200 @@ -1,3 +1,9 @@ +testng7 (7.5-2~deb12u1) bookworm; urgency=medium + + * Build for Bookworm, needed by latest OpenJDK 17 LTS releases + + -- Moritz Mühlenhoff Wed, 19 Jul 2023 21:03:12 +0200 + testng7 (7.5-2) unstable; urgency=medium * Source-only upload.
Bug#1041397: bookworm-pu: package asmtools/7.0-b09-2~deb11u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: asmto...@packages.debian.org, ebo...@apache.org Control: affects -1 + src:asmtools We need to introduce a backport of asmtools in the version found in bookworm to bullseye. It's needed for the latest versions of openjdk-11 LTS (as part of the test suite). The debdiff below is against the version of asmtools in bookworm (since the package is new in bullseye). Cheers, Moritz diff -Nru asmtools-7.0-b09/debian/changelog asmtools-7.0-b09/debian/changelog --- asmtools-7.0-b09/debian/changelog 2023-02-06 21:22:12.0 +0100 +++ asmtools-7.0-b09/debian/changelog 2023-07-16 15:58:23.0 +0200 @@ -1,3 +1,9 @@ +asmtools (7.0-b09-2~deb11u1) bullseye; urgency=medium + + * Rebuild for Bullseye, needed for latest openjdk-11 + + -- Moritz Mühlenhoff Sun, 16 Jul 2023 15:58:23 +0200 + asmtools (7.0-b09-2) unstable; urgency=medium * Source only upload
Re: tomcat9 should not be released with Bookworm
On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote: > First of all trapperkeeper-webserver-jetty9-clojure should add a build- > dependency on logback to detect such regressions in advance. > > #1036250 is mainly a logback problem, not a tomcat problem. I still would like > to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we > don't find a solution though. > > The tomcatjss / dogtag-pki situation is simple too. If there is no way to make > the application work with Tomcat 10, then there are three options: > > 1. Embed Tomcat 9 in your application by creating a standalone jar > > 2. Continue to use the current Tomcat 9 package as is but make sure that > nobody > else than dogtag-pki uses it. (Package descriptions should be adjusted, and > the > binary tomcat9 package should be probably removed too) Nobody should think > that > we support two major Tomcat versions. > > In any case the dogtag-pki maintainers must commit to at least three years of > security support, web application + Tomcat 9. Otherwise this is pointless. > > 3. Remove dogtag-pki and tomcatjss from testing and prepare backports as soon > as dogtag-pki and Co support Tomcat 10. Can't we just do the pragmatic fix of updating src:tomcat9 to only ship libtomcat9-java and libtomcat9-embed-java? The maintenance burden for security updates lies within the server stack, the percentage of issues affecting the libtomcat9-java binary packages as used by rdeps will be small to none? Cheers, Moritz
Bug#1034798: RM: gpac/2.0.0+dfsg1-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: g...@packages.debian.org, siret...@tauware.de, sramac...@debian.org Control: affects -1 + src:gpac In priot discussion between Reinhard, Sebastian and the Security team we've come to the conclusion that gpac isn't suitable to be included in a stable release. The massive influx of security issues makes that untenable (and there's no suitable LTS branch we could use, which e.g. makes ffmpeg manageable). This removal hint needs to wait until x264 is unblocked (#1034653). The only other rdep in ccextractor, which is already out of testing due to a lack of support for ffmpeg 5. Cheers, Moritz
Bug#1032977: unblock: apache2/2.4.56-1
On Sat, Mar 18, 2023 at 09:17:25AM +0100, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > Hi security team > > On 2023-03-15 06:46:32 +0400, Yadd wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: unblock > > X-Debbugs-Cc: apac...@packages.debian.org > > Control: affects -1 + src:apache2 > > > > Please unblock package apache2 > > > > [ Reason ] > > Apache2 < 2.4.56 is vulnerable to 2 CVE, the major is CVE-2023-25690 > > (bypass access control using HTTP Request Smuggling attack) > > What's the plan regarding apache2 in bookworm? Will future DSAs update > apache2 with update bugfix releases? Indeed, that's also what was done for bullseye as well, e.g. DSA 4982 moved to 2.4.51 or DSA 5035 moved to 2.4.52. As such, it would be good to age apache to 10 days; we'd like to release 2.4.56 for bullseye-security and otherwise the higher version in stable over testing might cause upgrade issues. Cheers, Moritz
Bug#1032885: unblock: debian-security-support/1:12+2023.03.05
On Mon, Mar 13, 2023 at 03:07:34PM +, Holger Levsen wrote: > On Mon, Mar 13, 2023 at 03:58:45PM +0100, Moritz Mühlenhoff wrote: > > Am Mon, Mar 13, 2023 at 01:43:11PM +0100 schrieb Holger Levsen: > > > * security-support-limited: > > > - for golang and openjdk-17, point to the bookworm manual instead the > > > one > > > for bullseye. > > That's wrong, though. (And the release notes need updating to, I'll file > > a bug soonish): In Bookworm openjdk-17 is the default Java and fully > > supported, but we need the equivalent note for openjdk-21 now. > > thanks, Moritz. I'll happily update d-s-s once the release manual is updated. > or i could update d-s-s now too, if it's really just about replacing 17 with > 21 in this line from security-support-limited : > > openjdk-17See > https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#openjdk-17 > > Are there any further updates expected from the security team's POV? Let me comb through past two years of issues, I'll get back to in the next days. Cheers, Moritz
Re: testing security uploads to bookworm-security
On Mon, Mar 06, 2023 at 10:17:04PM +0100, Paul Gevers wrote: > Dear security team, > > It's the time of the season to ask you to consider testing that the next > security suite is working as intended. In our checklist [1] it's mentioned > to coordinate with you an upload to bookworm-security to confirm the build > happens as expected. The checklist goes on to suggest a check that also a > package needing signing works. > > I recall Ivo and Salvatore coordinated that on IRC for bullseye although I > can't find it in the logs. Can I be of any assistance? For bookworm-security I could prepare an update for CVE-2021-26825/CVE-2021-26826, it's fixed in sid, but the current version is blocked by FTBFS errors (#1031132). The security fixes don't matter that much, but it would be a fine test. For the signed infra, not sure what we used for bullseye, we could do a linux upload maybe, have it built and get signed in the private queue and then reject it? That would test the whole signing workflow, and the release part after that is the same as for a non-signed update. Salvatore, thoughts? Cheers, Moritz
Bug#1031635: bullseye-pu: package snakeyaml/1.28-1
On Fri, Feb 24, 2023 at 10:29:07PM +0100, Markus Koschany wrote: > Hi, > > Am Freitag, dem 24.02.2023 um 16:01 +0100 schrieb Moritz Mühlenhoff: > [...] > > Could we also ship the README.Debian.security that was recently added > > in unstable to bullseye/buster? > > I've just uploaded a new revision of snakeyaml, 1.28.1+deb11u2. This one > includes the README file. There have been no further changes to my previous > upload. Excellent, thanks. Cheers, Moritz
Bug#1004441: unblocking chromium?
On Fri, Jan 06, 2023 at 08:41:50AM +0100, Paul Gevers wrote: > Dear Chromium team, Security team, > > On 27-01-2022 17:15, Moritz Muehlenhoff wrote: > > On Wed, Jan 26, 2022 at 09:38:42PM +0100, Paul Gevers wrote: > > > > So, I'm proposing the following: we unblock chromium from > > > > testing, with the understanding that prior to bookworm's release, we > > > > have a discussion with the release team about whether chromium will > > > > be allowed in the stable release. This will allow testing users to > > > > upgrade for now, and then at bookworm freeze time we can figure out what > > > > will happen with chromium (and prepare the appropriate release notes if > > > > it will no longer be in stable/testing). What does the release team & > > > > others think of this? > > > > Sounds good! > > > > > If the security team agrees with the message this is sending, > > > I propose the following. We create an RC bug against release.debian.org > > > (to > > > make sure this issue is not forgotten, but not directly blocks chromium) > > > with an "Affects: chromium", that clearly states that we postpone the > > > decision. The decision will depend on how chromium updates (both in sid > > > and > > > supported releases) are handled between now and approximately the freeze. > > > If > > > we do this, don't get me wrong, I'll kick chromium out of bookworm again > > > if > > > there's no good track record before we release. > > > > Sounds good! > > It's about time we start discussing this. In your opinion, did the Chromium > Team show enough track record to warrant chromium in bookworm during its > stable cycle? From the raw number of uploads my first impression is yes, but > I have no idea of the quality, how the communication went and those kind of > details. Andres's work has been top notch and it seems recently someone else has joined the effort as well, so if they are up for continuing with Chromium's pace, that's perfectly fine to continue to do so for bookworm. We might consider to set some expectation for oldstable-security, though e.g state that oldstable-security updates stop three months after the release of stable or so. Chromium is very fast-paced in toolchain changes (e.g. in the past new C++ features become incompatible with GCC and we might see something similar with LLVM (which is used these days) as well. Cheers, Moritz
Bug#1025205: bullseye-pu: package mplayer/2:1.4+ds1-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu This updates fixes various minor crashes in mplayer, which don't warrant a DSA by itself. I've run the PoCs against the updated build where applicable and also tested various random media files. Note this isn't fixed in unstable, since mplayer FTBFSes with ffmpeg 5.0 and won't be in bookworm (#1005899). Cheers, Moritz diff -Nru mplayer-1.4+ds1/debian/changelog mplayer-1.4+ds1/debian/changelog --- mplayer-1.4+ds1/debian/changelog2020-10-15 00:13:44.0 +0200 +++ mplayer-1.4+ds1/debian/changelog2022-11-28 21:31:43.0 +0100 @@ -1,3 +1,19 @@ +mplayer (2:1.4+ds1-1+deb11u1) bullseye; urgency=medium + + * Backport the following commits: +d19ea1ce173e95c31b0e8acbe471ea26c292be2b (CVE-2022-38850) +58db9292a414ebf13a2cacdb3ffa967fb9036935 (CVE-2022-38851) +2f6e69e59e2614acdde5505b049c48f80a3d0eb7 (CVE-2022-38855) +92e0d0b1a04dfdd4ac741e0d07005e3ece2c92ca (CVE-2022-38858) +62fe0c63cf4fba91efd29bbc85309280e1a99a47 (CVE-2022-38860) +2622e7fbe3605a2f3b4f74900197fefeedc0d2e1 (CVE-2022-38861) +b5e745b4bfab2835103a060094fae3c6cc1ba17d (CVE-2022-38863) +36546389ef9fb6b0e0540c5c3f212534c34b0e94 (CVE-2022-38864) +33d9295663c37a37216633d7e3f07e7155da6144 (CVE-2022-38865) +373517da3bb5781726565eb3114a2697b13f00f2 (CVE-2022-38866) + + -- Moritz Mühlenhoff Mon, 28 Nov 2022 21:31:43 +0100 + mplayer (2:1.4+ds1-1) unstable; urgency=medium * Team upload diff -Nru mplayer-1.4+ds1/debian/patches/CVE-2022-38850_CVE-2022-38851_CVE-2022-38855_CVE-2022-38858_CVE-2022-38860_CVE-2022-38861_CVE-2022-38863_CVE-2022-38864_CVE-2022-38865_CVE-2022-38866.patch mplayer-1.4+ds1/debian/patches/CVE-2022-38850_CVE-2022-38851_CVE-2022-38855_CVE-2022-38858_CVE-2022-38860_CVE-2022-38861_CVE-2022-38863_CVE-2022-38864_CVE-2022-38865_CVE-2022-38866.patch --- mplayer-1.4+ds1/debian/patches/CVE-2022-38850_CVE-2022-38851_CVE-2022-38855_CVE-2022-38858_CVE-2022-38860_CVE-2022-38861_CVE-2022-38863_CVE-2022-38864_CVE-2022-38865_CVE-2022-38866.patch 1970-01-01 01:00:00.0 +0100 +++ mplayer-1.4+ds1/debian/patches/CVE-2022-38850_CVE-2022-38851_CVE-2022-38855_CVE-2022-38858_CVE-2022-38860_CVE-2022-38861_CVE-2022-38863_CVE-2022-38864_CVE-2022-38865_CVE-2022-38866.patch 2022-11-28 21:31:07.0 +0100 @@ -0,0 +1,235 @@ +Backports of the following commits: + +d19ea1ce173e95c31b0e8acbe471ea26c292be2b (CVE-2022-38850) +[PATCH] vd.c: sanity-check aspect adjustment + +58db9292a414ebf13a2cacdb3ffa967fb9036935 (CVE-2022-38851) +PATCH] asfheader.c: Fix CHECKDEC macro. + +2f6e69e59e2614acdde5505b049c48f80a3d0eb7 (CVE-2022-38855) +[PATCH] demux_mov.c: Add bounds checks to debug prints. + +92e0d0b1a04dfdd4ac741e0d07005e3ece2c92ca (CVE-2022-38858) +[PATCH] demux_mov.c: robustness fixes. + +62fe0c63cf4fba91efd29bbc85309280e1a99a47 (CVE-2022-38860) +[PATCH] demux_avi.c: check that sh->wf exists before using it. + +2622e7fbe3605a2f3b4f74900197fefeedc0d2e1 (CVE-2022-38861) +[PATCH] mp_image.c: fix allocation size for formats with odd width. + +b5e745b4bfab2835103a060094fae3c6cc1ba17d (CVE-2022-38863) +[PATCH] mpeg_hdr.c: Allocate 0xff initialized padding. + +36546389ef9fb6b0e0540c5c3f212534c34b0e94 (CVE-2022-38864) +[PATCH] mpeg_hdr.c: Fix unescape code. + +33d9295663c37a37216633d7e3f07e7155da6144 (CVE-2022-38865) +[PATCH] demux_avi.c: Fixup invalid audio block size. + +373517da3bb5781726565eb3114a2697b13f00f2 (CVE-2022-38866) +[PATCH] aviheader.c: Fix allocation size for vprp + + +--- mplayer-1.4+ds1.orig/libmpcodecs/mp_image.c mplayer-1.4+ds1/libmpcodecs/mp_image.c +@@ -51,8 +51,12 @@ void mp_image_alloc_planes(mp_image_t *m + } + mpi->planes[0]=av_malloc(mpi->bpp*mpi->width*(mpi->height+2)/8+ + mpi->chroma_width*mpi->chroma_height); +- } else +-mpi->planes[0]=av_malloc(mpi->bpp*mpi->width*(mpi->height+2)/8); ++ } else { ++// for odd width round up to be on the safe side, ++// required in particular for planar formats ++int alloc_w = mpi->width + (mpi->width & 1); ++mpi->planes[0]=av_malloc(mpi->bpp*alloc_w*(mpi->height+2)/8); ++ } + if (mpi->flags_IMGFLAG_PLANAR) { + int bpp = IMGFMT_IS_YUVP16(mpi->imgfmt)? 2 : 1; + // YV12/I420/YVU9/IF09. feel free to add other planar formats here... +--- mplayer-1.4+ds1.orig/libmpcodecs/vd.c mplayer-1.4+ds1/libmpcodecs/vd.c +@@ -332,7 +332,7 @@ int mpcodecs_config_vo(sh_video_t *sh, i + screen_size_y = screen_size_xy * sh->disp_h / sh->disp_w; + } + } +-if (sh->aspect >= 0.01) { ++if (sh->aspect >= 0.01 && sh->aspect <= 100) { + int w; + mp_msg(MSGT_CPLAYER, MSGL_INFO, MSGTR_MovieAspectIsSet, +sh->aspect); +@@ -350,6 +350,8 @@ int mpcodecs_config_vo(sh_video_t *sh, i + } else { + mp_msg(MSGT_CPLAYER, MSGL_INFO, MSGTR_MovieAspectUndefined); +
Bug#1025010: bullseye-pu: package jtreg6/6.1+2-1~deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: d...@debian.org openjdk bumped the requirements for the test suite within their 11.x branch (which is what we ship in Bullseye), it now needs jtreg6. The debdiff is relative to the version in bookworm: Cheers, Moritz diff -Nru jtreg6-6.1+2/debian/changelog jtreg6-6.1+2/debian/changelog --- jtreg6-6.1+2/debian/changelog 2022-07-20 12:40:06.0 +0200 +++ jtreg6-6.1+2/debian/changelog 2022-11-25 17:18:42.0 +0100 @@ -1,3 +1,9 @@ +jtreg6 (6.1+2-1~deb11u1) bullseye; urgency=medium + + * Rebuild for bullseye, needed for latest OpenJDK 11.x release + + -- Moritz Mühlenhoff Fri, 25 Nov 2022 17:18:42 +0100 + jtreg6 (6.1+2-1) unstable; urgency=medium * New upstream version.
Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
On Mon, Aug 22, 2022 at 02:50:41PM +0530, Abhijith PA wrote: > Hello Moritz, > > I've prepared a qemu build months back fixing pending CVEs then. I > have now took 2 patches (CVE-2020-35504, CVE-2020-35505) from your > diff and backported a new CVE, fixing total of ~35 CVEs. > > I've tested on my setup and seems fine. Can you please test with > latest build[1]. I can't, the cluster in question is now running Bullseye (but it was running just fine with my original debdiff in a Ganeti/KVM/qemu setup). Cheers, Moritz
Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: m...@tls.msk.ru Various low severity qemu issues, but since quite a few of those have piled up, it makes sense to move to an update. Debdiff below. Cheers, Moritz diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog --- qemu-3.1+dfsg/debian/changelog 2020-07-24 14:00:34.0 +0200 +++ qemu-3.1+dfsg/debian/changelog 2022-02-15 18:53:24.0 +0100 @@ -1,3 +1,34 @@ +qemu (1:3.1+dfsg-8+deb10u9) buster; urgency=medium + + * CVE-2021-3930 + * CVE-2021-3748 (Closes: #993401) + * CVE-2021-3713 (Closes: #992727) + * CVE-2021-3682 (Closes: #991911) + * CVE-2021-3608 (Closes: #990563) + * CVE-2021-3607 (Closes: #990564) + * CVE-2021-3582 (Closes: #990565) + * CVE-2021-3527 (Closes: #988157) + * CVE-2021-3392 (Closes: #984449) + * CVE-2021-20257 (Closes: #984450) + * CVE-2021-20221 + * CVE-2021-20203 (Closes: #984452) + * CVE-2021-20196 (Closes: #984453) + * CVE-2021-20181 + * CVE-2020-35505 (Closes: #979679) + * CVE-2020-35504 (Closes: #979679) + * CVE-2020-27617 (Closes: #973324) + * CVE-2020-25723 (Closes: #975276) + * CVE-2020-25624 (Closes: #970541) + * CVE-2020-25625 (Closes: #970542) + * CVE-2020-25085 (Closes: #970540) + * CVE-2020-25084 (Closes: #970539) + * CVE-2020-15859 (Closes: #965978) + * CVE-2020-13253 (Closes: #961297) + * None of the slirp changes got backported to 3.1, if you use it you should +really upgrade to the version of qemu in bullseye + + -- Moritz Mühlenhoff Tue, 15 Feb 2022 18:53:24 +0100 + qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6 diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch --- qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 1970-01-01 01:00:00.0 +0100 +++ qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 2022-02-01 16:26:24.0 +0100 @@ -0,0 +1,80 @@ +790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253 + +--- qemu-3.1+dfsg.orig/hw/sd/sd.c qemu-3.1+dfsg/hw/sd/sd.c +@@ -1149,12 +1149,14 @@ static sd_rsp_type_t sd_normal_command(S + case 17: /* CMD17: READ_SINGLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; +- +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + return sd_r1; + + default: +@@ -1165,12 +1167,14 @@ static sd_rsp_type_t sd_normal_command(S + case 18: /* CMD18: READ_MULTIPLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; +- +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + return sd_r1; + + default: +@@ -1210,13 +1214,17 @@ static sd_rsp_type_t sd_normal_command(S + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + if (sd_wp_addr(sd, sd->data_start)) + sd->card_status |= WP_VIOLATION; + if (sd->csd[14] & 0x30) +@@ -1234,13 +1242,17 @@ static sd_rsp_type_t sd_normal_command(S + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++if (addr + sd->blk_len > sd->size) { ++sd->card_status |= ADDRESS_ERROR; ++return sd_r1; ++} ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +-if (sd->data_start + sd->blk_len > sd->size) +-sd->card_status |= ADDRESS_ERROR; + if (sd_wp_addr(sd, sd->data_start)) + sd->card_status |= WP_VIOLATION; + if (sd->csd[14] & 0x30) diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch
Bug#1007920: buster-pu: package flac/1.3.3-2+deb11u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: fab...@debian.org Fixes a minor security issue, debdiff below (and was just uploaded). Tested with a few sample files. Cheers, Moritz diff -Nru flac-1.3.3/debian/changelog flac-1.3.3/debian/changelog --- flac-1.3.3/debian/changelog 2020-12-21 16:39:34.0 +0100 +++ flac-1.3.3/debian/changelog 2022-03-14 10:51:59.0 +0100 @@ -1,3 +1,9 @@ +flac (1.3.3-2+deb11u1) bullseye; urgency=medium + + * CVE-2021-0561 (Closes: #1006339) + + -- Moritz Mühlenhoff Mon, 14 Mar 2022 10:51:59 +0100 + flac (1.3.3-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch --- flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 1970-01-01 01:00:00.0 +0100 +++ flac-1.3.3/debian/patches/0021-CVE-2021-0561.patch 2022-03-14 10:50:51.0 +0100 @@ -0,0 +1,30 @@ +From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001 +From: Neelkamal Semwal +Date: Fri, 18 Dec 2020 22:28:36 +0530 +Subject: [PATCH] libFlac: Exit at EOS in verify mode + +When verify mode is enabled, once decoder flags end of stream, +encode processing is considered complete. + +CVE-2021-0561 + +Signed-off-by: Ralph Giles +--- + src/libFLAC/stream_encoder.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c +index 4c91247fe8..7109802c27 100644 +--- a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c +@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC + encoder->private_->verify.needs_magic_hack = true; + } + else { +- if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) { ++ if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder) ++ || (!is_last_block ++ && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) { + FLAC__bitwriter_release_buffer(encoder->private_->frame); + FLAC__bitwriter_clear(encoder->private_->frame); + if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA) diff -Nru flac-1.3.3/debian/patches/series flac-1.3.3/debian/patches/series --- flac-1.3.3/debian/patches/series2020-12-21 16:38:15.0 +0100 +++ flac-1.3.3/debian/patches/series2022-03-14 10:51:25.0 +0100 @@ -2,3 +2,4 @@ privacy-breach-logo.patch 0001-remove-build-path-from-generated-FLAC.tag-file.patch 0020-libFLAC-bitreader.c-Fix-out-of-bounds-read.patch +0021-CVE-2021-0561.patch \ Kein Zeilenumbruch am Dateiende.
Re: unblocking chromium?
On Wed, Jan 26, 2022 at 09:38:42PM +0100, Paul Gevers wrote: > > So, I'm proposing the following: we unblock chromium from > > testing, with the understanding that prior to bookworm's release, we > > have a discussion with the release team about whether chromium will > > be allowed in the stable release. This will allow testing users to > > upgrade for now, and then at bookworm freeze time we can figure out what > > will happen with chromium (and prepare the appropriate release notes if > > it will no longer be in stable/testing). What does the release team & > > others think of this? Sounds good! > If the security team agrees with the message this is sending, > I propose the following. We create an RC bug against release.debian.org (to > make sure this issue is not forgotten, but not directly blocks chromium) > with an "Affects: chromium", that clearly states that we postpone the > decision. The decision will depend on how chromium updates (both in sid and > supported releases) are handled between now and approximately the freeze. If > we do this, don't get me wrong, I'll kick chromium out of bookworm again if > there's no good track record before we release. Sounds good! Cheers, Moritz
Re: chromium: Update to version 94.0.4606.61 (security-fixes)
On Sat, Jan 01, 2022 at 01:23:09PM -0500, Andres Salomon wrote: > How should I handle this? NMU to sid, let people try it out, and then > deal with buster/bullseye? Yeah, let's proceed with unstable first in any case. > Upload everything all at once? I'm also > going to try building for buster, unless the security team doesn't > think I should bother. I saw https://salsa.debian.org/dilinger/chromium/-/commit/5c05f430e192961527ec9a64bbaa64401dc14d95 , but buster now also includes LLVM/clang 11 (it was introduced to support a more recent Rust toolchain needed for Firefox), so you might be reduce complexity here further: https://tracker.debian.org/pkg/llvm-toolchain-11 It's in buster-proposed-updates since there hasn't been a point release since, but for the purposes of buster-security builds, it doesn't matter (they chroots have been modified to includen buster-proposed-updates temporarily): I'd say if it works out without additional overhead, let's also update buster-security, but it's also important not to overstretch the time/resources, so focusing on bullseye and EOLing buster is also an option for sure. Cheers, Moritz
Re: chromium: Update to version 94.0.4606.61 (security-fixes)
On Sun, Jan 02, 2022 at 06:53:51PM +0100, Mattia Rizzolo wrote: > Correlated, do you know how long do they plan on keeping using python2? > That's plainly unsuitable, it really is not going to last much longer in > debian. Current state of the Python 3 upstream migration can be found here: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/python3_migration.md So it sounds like it's almost ready except tests. But the migration doesn't seem like a top priority either, https://bugs.chromium.org/p/chromium/issues/detail?id=941669 dates back to March 2019... Cheers, Moritz
Re: chromium: Update to version 94.0.4606.61 (security-fixes)
On Sun, Dec 12, 2021 at 08:11:00PM -0500, Andres Salomon wrote: > On 12/5/21 6:41 AM, Moritz Mühlenhoff wrote: > > Am Sun, Dec 05, 2021 at 10:53:56AM +0100 schrieb Paul Gevers: > > Exactly that. > > > > I'd suggest anyone who's interested in seeing Chromium supported to first > > update it in unstable (and then work towards updated in bullseye-security). > > I started doing just that: https://salsa.debian.org/dilinger/chromium (v96 > and misc-fixes branches). As a side note: If any of the system/* patches cause issues, feel free to switch to the vendored copies. Vendoring in general is frowned upon since it requires that a fix in a libraries spreads out to all vendored copies, but for Chromium there's a steady stream of Chromium-internal security issues anyway, so for all practical purposes it doesn't make a difference if the Chromium security releases also include a fix for a vendored lib like ICU. Cheers, Moritz
Re: multiple RPKI-related vulnerabilities in stable
Hi Marco, On Sun, Nov 28, 2021 at 11:57:09PM +0100, SEEWEB - Marco d'Itri wrote: > https://rpki.exposed/ lists a long number of vulnerabilities affecting Ironically this website is unreachable since at least yesterday :-) > It is not really practical to extract and backport all these patches, so Let's fix these via bullseye-security, version numbers would be: rpki-client 7.5-1~deb11u1 fort-validator 1.5.3-1~deb11u1 cfrpki 1.4.2-1~deb11u1 Note that the dak installations on security.debian.org and ftp.debian.org don't share tarballs, so these need to be rebuild with -sa to include the orig tarballs in the changes file. Cheers, Moritz
Bug#1000480: buster-pu: package jtharness/6.0-b15-1~deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ebo...@apache.org, d...@debian.org The build requirements for openjdk-11 were bumped, starting with 11.0.13 jtreg 5 (and along with it a jtharness 6) are required to run the test suite. Since we need to follow 11.0.x releases for security updates, this blocks an update of 11.0.13 for buster-security. Attached are debdiffs against the versions relative to what's in bullseye. Fortunately openjdk is the only reverse dep of jtreg/jtharness. That's not great, but still less worse than firefox/rust :-) Debdiff below. diff -Nru jtharness-6.0-b15/debian/changelog jtharness-6.0-b15/debian/changelog --- jtharness-6.0-b15/debian/changelog 2021-01-21 15:33:45.0 + +++ jtharness-6.0-b15/debian/changelog 2021-11-19 16:17:12.0 + @@ -1,3 +1,10 @@ +jtharness (6.0-b15-1~deb10u1) buster; urgency=medium + + * Rebuild for buster, needed for latest OpenJDK 11.x release +- Switch to debhelper 12 + + -- Moritz Muehlenhoff Fri, 19 Nov 2021 16:17:12 + + jtharness (6.0-b15-1) unstable; urgency=medium * Team upload. diff -Nru jtharness-6.0-b15/debian/compat jtharness-6.0-b15/debian/compat --- jtharness-6.0-b15/debian/compat 1970-01-01 00:00:00.0 + +++ jtharness-6.0-b15/debian/compat 2021-11-19 16:17:12.0 + @@ -0,0 +1 @@ +12 diff -Nru jtharness-6.0-b15/debian/control jtharness-6.0-b15/debian/control --- jtharness-6.0-b15/debian/control2021-01-21 15:18:46.0 + +++ jtharness-6.0-b15/debian/control2021-11-19 16:17:12.0 + @@ -5,7 +5,7 @@ Uploaders: Guillaume Mazoyer Build-Depends: ant, - debhelper-compat (= 13), + debhelper, default-jdk, javahelper, junit4,
Bug#1000479: buster-pu: package jtreg/5.1-b01-2~deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ebo...@apache.org, d...@debian.org The build requirements for openjdk-11 were bumped, starting with 11.0.13 jtreg 5 (and along with it a jtharness 6) are required to run the test suite. Since we need to follow 11.0.x releases for security updates, this blocks an update of 11.0.13 for buster-security. Attached are debdiffs against the versions relative to what's in bullseye. Fortunately openjdk is the only reverse dep of jtreg/jtharness. That's not great, but still less worse than firefox/rust :-) Debdiff below. diff -Nru jtreg-5.1-b01/debian/changelog jtreg-5.1-b01/debian/changelog --- jtreg-5.1-b01/debian/changelog 2020-07-15 04:28:47.0 + +++ jtreg-5.1-b01/debian/changelog 2021-11-19 16:26:05.0 + @@ -1,3 +1,10 @@ +jtreg (5.1-b01-2~deb10u1) buster; urgency=medium + + * Rebuild for buster, needed for latest OpenJDK 11.x release +- Switch to debhelper 12 + + -- Moritz Muehlenhoff Fri, 19 Nov 2021 16:26:05 + + jtreg (5.1-b01-2) unstable; urgency=medium * Team upload. diff -Nru jtreg-5.1-b01/debian/compat jtreg-5.1-b01/debian/compat --- jtreg-5.1-b01/debian/compat 1970-01-01 00:00:00.0 + +++ jtreg-5.1-b01/debian/compat 2021-11-19 16:26:05.0 + @@ -0,0 +1 @@ +12 diff -Nru jtreg-5.1-b01/debian/control jtreg-5.1-b01/debian/control --- jtreg-5.1-b01/debian/control2020-07-15 04:28:47.0 + +++ jtreg-5.1-b01/debian/control2021-11-19 16:26:05.0 + @@ -5,7 +5,7 @@ Uploaders: Guillaume Mazoyer Build-Depends: ant, - debhelper-compat (= 13), + debhelper, default-jdk, help2man, javahelp2,
Bug#991827: RM: libgrokj2k/7.6.6-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: boxe...@gmail.com Please remove libgrokj2k/7.6.6-3 from testing (as discussed with the maintainer, also CCed). libgrokj2k is still in rapid development (upstream is already at 9.3), there are no reverse deps and it can enter bookworm as a stable release. Cheers, Moritz
Bug#991716: unblock: neomutt/20201127+dfsg.1-1.2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package neomutt. It fixes a security issue, which was already fixed in buster. Debdiff below. unblock neomutt/20201127+dfsg.1-1.2 Cheers, Moritz diff -Nru neomutt-20201127+dfsg.1/debian/changelog neomutt-20201127+dfsg.1/debian/changelog --- neomutt-20201127+dfsg.1/debian/changelog2021-03-16 20:37:31.0 +0100 +++ neomutt-20201127+dfsg.1/debian/changelog2021-07-29 23:13:20.0 +0200 @@ -1,3 +1,10 @@ +neomutt (20201127+dfsg.1-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2021-32055 (Closes: #988107) + + -- Moritz Muehlenhoff Thu, 29 Jul 2021 23:13:20 +0200 + neomutt (20201127+dfsg.1-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru neomutt-20201127+dfsg.1/debian/patches/series neomutt-20201127+dfsg.1/debian/patches/series --- neomutt-20201127+dfsg.1/debian/patches/series 2021-03-16 20:37:31.0 +0100 +++ neomutt-20201127+dfsg.1/debian/patches/series 2021-07-29 23:13:12.0 +0200 @@ -4,3 +4,4 @@ misc/smime.rc.patch upstream/981306-mime-forwarding.patch upstream/redraw-on-sigwinch.patch +upstream/CVE-2021-32055.patch diff -Nru neomutt-20201127+dfsg.1/debian/patches/upstream/CVE-2021-32055.patch neomutt-20201127+dfsg.1/debian/patches/upstream/CVE-2021-32055.patch --- neomutt-20201127+dfsg.1/debian/patches/upstream/CVE-2021-32055.patch 1970-01-01 01:00:00.0 +0100 +++ neomutt-20201127+dfsg.1/debian/patches/upstream/CVE-2021-32055.patch 2021-07-29 23:12:31.0 +0200 @@ -0,0 +1,34 @@ +From fa1db5785e5cfd9d3cd27b7571b9fe268d2ec2dc Mon Sep 17 00:00:00 2001 +From: Kevin McCarthy +Date: Mon, 3 May 2021 13:11:30 -0700 +Subject: [PATCH] Fix seqset iterator when it ends in a comma + +If the seqset ended with a comma, the substr_end marker would be just +before the trailing nul. In the next call, the loop to skip the +marker would iterate right past the end of string too. + +The fix is simple: place the substr_end marker and skip past it +immediately. +--- + imap/util.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/imap/util.c b/imap/util.c +index 52aff7da0a..27fb862954 100644 +--- a/imap/util.c b/imap/util.c +@@ -1119,13 +1119,11 @@ int mutt_seqset_iterator_next(struct SeqsetIterator *iter, unsigned int *next) + if (iter->substr_cur == iter->eostr) + return 1; + +-while (!*(iter->substr_cur)) +- iter->substr_cur++; + iter->substr_end = strchr(iter->substr_cur, ','); + if (!iter->substr_end) + iter->substr_end = iter->eostr; + else +- *(iter->substr_end) = '\0'; ++ *(iter->substr_end++) = '\0'; + + char *range_sep = strchr(iter->substr_cur, ':'); + if (range_sep)
Bug#990754: unblock: wpewebkit/2.32.1-1
On Tue, Jul 06, 2021 at 10:11:36PM +0200, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > On 2021-07-06 11:20:10 +0200, Alberto Garcia wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: unblock > > > > Please unblock package wpewebkit > > > > webkit2gtk was unblocked last month, testing has the most recent > > stable version and we will provide security updates during the > > lifetime of bullseye, as we already did during buster. > > > > wpewebkit is another official port of webkit. It's maintained by the > > same team, follows a very similar release schedule and numbering > > system, shares most of the code and almost all CVEs fixes apply to > > both ports. > > > > Because of this it won't take me too much effort to prepare security > > updates for wpewebkit so the Debian security team is proposing that we > > also provide them. > > > > If we do this we should unblock the package and put the latest stable > > version in testing. At the moment the only user of wpewebkit in Debian > > is cog, which is a simple, single-window web browser, developed and > > released by the same team. So we should also unblock cog and the two > > other libraries that are part of the wpewebkit releases: libwpe and > > wpebackend-fdo (I don't know if you need separate bugs to unblock > > those). > > > > If we don't do this then it's probably a good idea to mention in the > > release notes that wpewebkit is not covered by security updates. > > What's the security team's take on this? Will browsers other than firefox, > chromium and webkit2gtk itself be security supported throughout bullseye's > lifetime? We synced up with this before; wpewebkit is closely related to webkit and Alberto will keep both updated in stable. > The concern also extends to web rendering engines not explicitly > mentioned here, with the exception of role="source">webkit2gtk. Good point wrt the releases notes part. I guess we should simply make this "with the exception of webkit2gtk/wpewebkit". Alberto, could you file a bug against the release notes? Cheers, Moritz
Re: Bug#989839: Thunderbird 1:78.11.0-1 in testing lacks full functionality
On Sat, Jun 19, 2021 at 09:33:37PM +0200, Sebastian Ramacher wrote: > Hallo Carsten > > On 2021-06-19 09:00:13 +0200, Carsten Schoenert wrote: > > Hello Kevin, hello Sebastian, > > > > thanks for working on this issue in between times, I wasn't able to do > > anything practically the last days. > > > > Am 18.06.21 um 23:31 schrieb Kevin Locke: > > > Hi Sebastian, > > > > > > On Fri, 2021-06-18 at 22:26 +0200, Sebastian Ramacher wrote: > > >> Thanks for this detailed analysis. That actually means that the symbol > > >> file for libnss3 2:3.67-1 is broken. It would need to bump the minimum > > >> version requirement for all symbols that works with SSLChannelInfo. From > > >> your description, at least the version for SSL_GetChannelInfo would need > > >> to be bumped. If thunderbird would then be built against a libnss3 > > >> version with a fixed symbol files, it would pick up tight enought > > >> dependencies. > > >> > > >> So ideally the bug against thunderbird would be reassigned to libnss3 > > >> 2:3.67-1 and its severits raised to serious. Once fixed, we can rebuild > > >> thunderbird to pick up the correct depedencies. > > > > > > Good point. Fixing the libnss3 symbol file sounds like the right fix to > > > me. As far as I can tell SSL_GetChannelInfo is the only symbol which > > > takes SSLChannelInfo. I've opened https://bugs.debian.org/990058 with > > > the proposed fix. > > > > Fixing libnss3 is obviously the correct thing anyway. But this will take > > its time to get it landed into bullseye. > > > > >> But since that version of libnss3 is not in bullseye, the rebuild would > > >> not be abile to migrate. Ideally libnss3 would be reverted to the > > >> version in bullseye to avoid this issue. Otherwise I can schedule > > >> binNMUs of thunderbird in tpu, but that means that we would need to do > > >> that for any thunderbird upload that we want in bullseye until the > > >> release. That is suboptimal - it's more work with less testing. > > > > > > That may be tricky. firefox 88.0.1-1 in unstable depends on > > > libnss3 (>= 2:3.63~). If the maintainers are willing to upload an NSS > > > version between 2:3.63 and 2:3.65, I believe that would solve the issue > > > without breaking firefox. (2:3.63-1 is the only suitable version > > > in debian/changelog.) I've opened https://bugs.debian.org/990059 to > > > discuss. > > > > To prevent quite a lot of work on all involved parties with not that > > much gain in the end I'd suggest to go back to my option B that was to > > (re)build Thunderbird with it's internal shipped NSS version. > > If that's fine with the security team -- thunderbird updates in stable > releases have been performed via DSAs so far -- it's fine with me. > Adding the security team to CC. No problem at all, this happened for firefox/thunderbird in the past before already. Cheers, Moritz
Bug#989618: unblock: libwebp/0.6.1-2.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: j...@debian.org Please unblock libwebp and age it to five days. It fixes all open security issues. There is RC #914315 about updating to a new version, but bumping to 1.2.0 is obviously not a solution at this time of the freeze. Still I think the RC bugs should stay open (bookworm definitely must not release with 0.6 :-), so please tag it bullseye-ignore. unblock libwebp/0.6.1-2.1 Cheers, Moritz Debdiff: diff -Nru libwebp-0.6.1/debian/changelog libwebp-0.6.1/debian/changelog --- libwebp-0.6.1/debian/changelog 2018-03-01 21:51:06.0 +0100 +++ libwebp-0.6.1/debian/changelog 2021-06-05 19:35:57.0 +0200 @@ -1,3 +1,12 @@ +libwebp (0.6.1-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix multiple security issues: CVE-2018-25009, CVE-2018-25010, CVE-2018-25011 +CVE-2020-36328, CVE-2018-25013, CVE-2018-25014, CVE-2020-36329, CVE-2020-36330 +CVE-2020-36331, CVE-2020-36332 + + -- Moritz Muehlenhoff Sat, 05 Jun 2021 19:35:57 +0200 + libwebp (0.6.1-2) unstable; urgency=medium * Fix lintian warning on manpage diff -Nru libwebp-0.6.1/debian/patches/security-fixes.patch libwebp-0.6.1/debian/patches/security-fixes.patch --- libwebp-0.6.1/debian/patches/security-fixes.patch 1970-01-01 01:00:00.0 +0100 +++ libwebp-0.6.1/debian/patches/security-fixes.patch 2021-06-05 19:34:56.0 +0200 @@ -0,0 +1,355 @@ +Patches for the following CVE IDs: + +CVE-2018-25009 +CVE-2018-25010 +CVE-2018-25011 +CVE-2020-36328 +CVE-2018-25013 +CVE-2018-25014 +CVE-2020-36329 +CVE-2020-36330 +CVE-2020-36331 +CVE-2020-36332 + +Comprised of the following upstream commits: +1344a2e947c749d231141a295327e5b99b444d63 +2c70ad76c94db5427d37ab4b85dc89b94dd75e01 +39cb9aad85ca7bb1d193013460db1f8cc6bff109 +569001f19fc81fcb5ab358f587a54c62e7c4665c +907208f97ead639bd521cf355a2f203f462eade6 +95fd65070662e01cc9170cf5c0859a710097 +be738c6d396fa5a272c1b209be4379a7532debfe +dad31750e374eff8e02fb467eb562d4bf236ed6e +dce5d7643177633ebe3513af492ea8c08c299cf3 +eb82ce76ddca13ad6fb13376bb58b9fd3f850e9e + +--- libwebp-0.6.1.orig/src/dec/buffer_dec.c libwebp-0.6.1/src/dec/buffer_dec.c +@@ -74,7 +74,8 @@ static VP8StatusCode CheckDecBuffer(cons + } else {// RGB checks + const WebPRGBABuffer* const buf = >u.RGBA; + const int stride = abs(buf->stride); +-const uint64_t size = MIN_BUFFER_SIZE(width, height, stride); ++const uint64_t size = ++MIN_BUFFER_SIZE(width * kModeBpp[mode], height, stride); + ok &= (size <= buf->size); + ok &= (stride >= width * kModeBpp[mode]); + ok &= (buf->rgba != NULL); +--- libwebp-0.6.1.orig/src/dec/idec_dec.c libwebp-0.6.1/src/dec/idec_dec.c +@@ -283,10 +283,8 @@ static void RestoreContext(const MBConte + + static VP8StatusCode IDecError(WebPIDecoder* const idec, VP8StatusCode error) { + if (idec->state_ == STATE_VP8_DATA) { +-VP8Io* const io = >io_; +-if (io->teardown != NULL) { +- io->teardown(io); +-} ++// Synchronize the thread, clean-up and check for errors. ++VP8ExitCritical((VP8Decoder*)idec->dec_, >io_); + } + idec->state_ = STATE_ERROR; + return error; +@@ -473,6 +471,12 @@ static VP8StatusCode DecodeRemaining(Web + MemDataSize(>mem_) > MAX_MB_SIZE) { + return IDecError(idec, VP8_STATUS_BITSTREAM_ERROR); + } ++// Synchronize the threads. ++if (dec->mt_method_ > 0) { ++ if (!WebPGetWorkerInterface()->Sync(>worker_)) { ++return IDecError(idec, VP8_STATUS_BITSTREAM_ERROR); ++ } ++} + RestoreContext(, dec, token_br); + return VP8_STATUS_SUSPENDED; + } +--- libwebp-0.6.1.orig/src/dec/vp8l_dec.c libwebp-0.6.1/src/dec/vp8l_dec.c +@@ -362,12 +362,19 @@ static int ReadHuffmanCodes(VP8LDecoder* + VP8LMetadata* const hdr = >hdr_; + uint32_t* huffman_image = NULL; + HTreeGroup* htree_groups = NULL; ++ // When reading htrees, some might be unused, as the format allows it. ++ // We will still read them but put them in this htree_group_bogus. ++ HTreeGroup htree_group_bogus; + HuffmanCode* huffman_tables = NULL; ++ HuffmanCode* huffman_tables_bogus = NULL; + HuffmanCode* next = NULL; + int num_htree_groups = 1; ++ int num_htree_groups_max = 1; + int max_alphabet_size = 0; + int* code_lengths = NULL; + const int table_size = kTableSize[color_cache_bits]; ++ int* mapping = NULL; ++ int ok = 0; + + if (allow_recursion && VP8LReadBits(br, 1)) { + // use meta Huffman codes. +@@ -384,10 +391,42 @@ static int ReadHuffmanCodes(VP8LDecoder* + // The huffman data is stored in red and green bytes. + const int group = (huffman_image[i] >> 8) & 0x; + huffman_image[i] = group; +- if (group >= num_htre
Bug#988746: RM: jodd/3.8.6-1.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: ebo...@apache.org Please remove jodd from bullseye, it has open security issues and there are currently no rdeps (it was uploaded for jmeter 3, which didn't enter the archive yet). Acked by Emmanuel in #961298. Cheers, Moritz
Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2
On Fri, Feb 26, 2021 at 07:49:38AM +0100, Matthias Klose wrote: > On 2/25/21 7:41 PM, Moritz Muehlenhoff wrote: > > + * CVE-2021-3177 > > are all the ctypes tests passing with this patch? See #983516. I'll have a look at Marc' updated patch and revise if needed. Cheers, Moritz
Bug#983531: buster-pu: package python2.7/2.7.16-2+deb10u2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: d...@debian.org debdiff below fixes three security issues, which don't warrant a DSA by itself. Update has been tested on a Buster few systems (and verified with the PoCs). Cheers, Moritz diff -u python2.7-2.7.16/debian/changelog python2.7-2.7.16/debian/changelog --- python2.7-2.7.16/debian/changelog +++ python2.7-2.7.16/debian/changelog @@ -1,3 +1,11 @@ +python2.7 (2.7.16-2+deb10u2) buster; urgency=medium + + * CVE-2020-8492 (Closes: #970099) + * CVE-2019-20907 (Closes: #970099) + * CVE-2021-3177 + + -- Moritz Mühlenhoff Wed, 24 Feb 2021 20:33:20 +0200 + python2.7 (2.7.16-2+deb10u1) buster; urgency=medium * CVE-2018-20852 diff -u python2.7-2.7.16/debian/patches/series.in python2.7-2.7.16/debian/patches/series.in --- python2.7-2.7.16/debian/patches/series.in +++ python2.7-2.7.16/debian/patches/series.in @@ -80,0 +81,3 @@ +CVE-2019-20907.diff +CVE-2020-8492.diff +CVE-2021-3177.diff only in patch2: unchanged: --- python2.7-2.7.16.orig/debian/patches/CVE-2019-20907.diff +++ python2.7-2.7.16/debian/patches/CVE-2019-20907.diff @@ -0,0 +1,26 @@ +From 47a2955589bdb1a114d271496ff803ad73f954b8 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-isling...@users.noreply.github.com> +Date: Wed, 15 Jul 2020 05:36:36 -0700 +Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module + (GH-21454) (#21485) + +Avoid infinite loop when reading specially crafted TAR files using the tarfile module +(CVE-2019-20907). +(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) + +Co-authored-by: Rishi + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index adf91d5..574a6bb 100644 +--- a/Lib/tarfile.py b/Lib/tarfile.py +@@ -1400,6 +1400,8 @@ class TarInfo(object): + + length, keyword = match.groups() + length = int(length) ++if length == 0: ++raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + keyword = keyword.decode("utf8") only in patch2: unchanged: --- python2.7-2.7.16.orig/debian/patches/CVE-2020-8492.diff +++ python2.7-2.7.16/debian/patches/CVE-2020-8492.diff @@ -0,0 +1,26 @@ +Backport of 0b297d4ff1c0e4480ad33acae793fbaf4bf015b4, trimmed down to the +fix for CVE-2020-8492 + +Co-Authored-By: Serhiy Storchaka +diff --git a/Lib/urllib2.py b/Lib/urllib2.py +index 8b634ad..11a62a4 100644 +--- a/Lib/urllib2.py b/Lib/urllib2.py +@@ -856,8 +856,15 @@ class AbstractBasicAuthHandler: + + # allow for double- and single-quoted realm values + # (single quotes are a violation of the RFC, but appear in the wild) +-rx = re.compile('(?:.*,)*[ \t]*([^ \t]+)[ \t]+' +-'realm=(["\']?)([^"\']*)\\2', re.I) ++rx = re.compile('(?:^|,)' # start of the string or ',' ++'[ \t]*'# optional whitespaces ++'([^ \t]+)' # scheme like "Basic" ++'[ \t]+'# mandatory whitespaces ++# realm=xxx ++# realm='xxx' ++# realm="xxx" ++'realm=(["\']?)([^"\']*)\\2', ++re.I) + + # XXX could pre-emptively send auth info already accepted (RFC 2617, + # end of section 2, and section 1.2 immediately after "credentials" only in patch2: unchanged: --- python2.7-2.7.16.orig/debian/patches/CVE-2021-3177.diff +++ python2.7-2.7.16/debian/patches/CVE-2021-3177.diff @@ -0,0 +1,149 @@ +bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. +--- a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +@@ -206,6 +206,49 @@ + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++def test_parameter_repr(self): ++from ctypes import ( ++c_bool, ++c_char, ++c_wchar, ++c_byte, ++c_ubyte, ++c_short, ++c_ushort, ++c_int, ++c_uint, ++c_long, ++c_ulong, ++c_longlong, ++c_ulonglong, ++c_float, ++c_double, ++c_longdouble, ++c_char_p, ++c_wchar_p, ++c_void_p, ++) ++self.assertRegexpMatches(repr(c_bool.from_param(True)), r"^$") ++self.assertEqual(repr(c_char.from_param('a')), "") ++self.assertRegexpMatches(repr(c_wchar.from_param('a')), r"^$") ++self.assertEqual(repr(c_byte.from_param(98)), "") ++self.assertEqual(repr(c_ubyte.from_param(98)), "") ++self.assertEqual(repr(c_short.from_param(511)), "") ++self.assertEqual(repr(c_ushort.from_param(511)), "") ++self.assertRegexpMatches(repr(c_int.from_param(2)), r"^$") ++
Bug#983134: buster-pu: package python3.7/3.7.3-2+deb10u3
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: d...@debian.org debdiff below fixes two security issues, which don't warrant a DSA by itself. Update has been tested on a Buster few systems (and verified with the PoC). Cheers, Moritz diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog --- python3.7-3.7.3/debian/changelog2020-07-25 15:00:39.0 +0200 +++ python3.7-3.7.3/debian/changelog2021-01-22 20:05:45.0 +0100 @@ -1,3 +1,10 @@ +python3.7 (3.7.3-2+deb10u3) buster; urgency=medium + + * CVE-2020-26116 + * CVE-2021-3177 + + -- Moritz Mühlenhoff Fri, 22 Jan 2021 21:04:44 +0100 + python3.7 (3.7.3-2+deb10u2) buster; urgency=medium * CVE-2019-20907 diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-26116.patch python3.7-3.7.3/debian/patches/CVE-2020-26116.patch --- python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 1970-01-01 01:00:00.0 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2020-26116.patch 2021-01-22 15:32:43.0 +0100 @@ -0,0 +1,84 @@ +Fixes CVE-2020-26116: + +From ca75fec1ed358f7324272608ca952b2d8226d11a Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-isling...@users.noreply.github.com> +Date: Sun, 19 Jul 2020 02:27:35 -0700 +Subject: [PATCH] bpo-39603: Prevent header injection in http methods + (GH-18485) (GH-21538) + +reject control chars in http method in http.client.putrequest to prevent http header injection +(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e) + +Co-authored-by: AMIR <31338382+amiremoham...@users.noreply.github.com> + +--- python3.7-3.7.3.orig/Lib/http/client.py python3.7-3.7.3/Lib/http/client.py +@@ -150,6 +150,10 @@ _contains_disallowed_url_pchar_re = re.c + # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$") + # We are more lenient for assumed real world compatibility purposes. + ++# These characters are not allowed within HTTP method names ++# to prevent http header injection. ++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]') ++ + # We always set the Content-Length header for these methods because some + # servers will otherwise respond with a 411 + _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'} +@@ -1107,6 +,8 @@ class HTTPConnection: + else: + raise CannotSendRequest(self.__state) + ++self._validate_method(method) ++ + # Save the method we use, we need it later in the response phase + self._method = method + if not url: +@@ -1197,6 +1203,16 @@ class HTTPConnection: + # For HTTP/1.0, the server will assume "not chunked" + pass + ++def _validate_method(self, method): ++"""Validate a method name for putrequest.""" ++# prevent http header injection ++match = _contains_disallowed_method_pchar_re.search(method) ++if match: ++raise ValueError( ++f"method can't contain control characters. {method!r} " ++f"(found at least {match.group()!r})") ++ ++ + def putheader(self, header, *values): + """Send a request header line to the server. + +--- python3.7-3.7.3.orig/Lib/test/test_httplib.py python3.7-3.7.3/Lib/test/test_httplib.py +@@ -360,6 +360,28 @@ class HeaderTests(TestCase): + self.assertEqual(lines[2], "header: Second: val") + + ++class HttpMethodTests(TestCase): ++def test_invalid_method_names(self): ++methods = ( ++'GET\r', ++'POST\n', ++'PUT\n\r', ++'POST\nValue', ++'POST\nHOST:abc', ++'GET\nrHost:abc\n', ++'POST\rRemainder:\r', ++'GET\rHOST:\n', ++'\nPUT' ++) ++ ++for method in methods: ++with self.assertRaisesRegex( ++ValueError, "method can't contain control characters"): ++conn = client.HTTPConnection('example.com') ++conn.sock = FakeSocket(None) ++conn.request(method=method, url="/") ++ ++ + class TransferEncodingTest(TestCase): + expected_body = b"It's just a flesh wound" + diff -Nru python3.7-3.7.3/debian/patches/CVE-2021-3177.patch python3.7-3.7.3/debian/patches/CVE-2021-3177.patch --- python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 1970-01-01 01:00:00.0 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2021-3177.patch 2021-01-22 15:33:44.0 +0100 @@ -0,0 +1,169 @@ +Fixes CVE-2021-3177: + +From d9b8f138b7df3b455b54653ca59f491b4840d6fa Mon Sep 17 00:00:00 2001 +From: Benjamin Peterson +Date: Mon, 18 Jan 2021 15:24:02 -0600 +Subject: [PATCH] [3.7] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24249) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson + +---
Bug#976811: transition: php8.0
On Sat, Feb 06, 2021 at 09:26:39PM +0100, Salvatore Bonaccorso wrote: > Otherwise there will be > expectation that both php7.4 and php8.0 will be covered by (security) > support in bullseye if we release with php8.0 included. Yeah, let's drop 8.0 then. Cheers, Moritz
Bug#981292: buster-pu: package cairo/1.16.0-4+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: po...@debian.org Low severity security fix, synched up with Emilio on IRC for the upload. Cheers, Moritz diff -Nru cairo-1.16.0/debian/changelog cairo-1.16.0/debian/changelog --- cairo-1.16.0/debian/changelog 2019-03-15 08:57:56.0 +0100 +++ cairo-1.16.0/debian/changelog 2021-01-22 00:02:52.0 +0100 @@ -1,3 +1,9 @@ +cairo (1.16.0-4+deb10u1) buster; urgency=medium + + * CVE-2020-35492 (Closes: #CVE-2020-35492) + + -- Moritz Mühlenhoff Fri, 22 Jan 2021 00:02:52 +0100 + cairo (1.16.0-4) unstable; urgency=medium * Team upload diff -Nru cairo-1.16.0/debian/patches/CVE-2020-35492.patch cairo-1.16.0/debian/patches/CVE-2020-35492.patch --- cairo-1.16.0/debian/patches/CVE-2020-35492.patch1970-01-01 01:00:00.0 +0100 +++ cairo-1.16.0/debian/patches/CVE-2020-35492.patch2021-01-22 00:02:52.0 +0100 @@ -0,0 +1,47 @@ +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +[trimmed test case, since not used in Debian build] + +--- + src/cairo-image-compositor.c| 8 ++-- + +--- cairo-1.16.0.orig/src/cairo-image-compositor.c cairo-1.16.0/src/cairo-image-compositor.c +@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +-uint8_t *m; ++uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +-m = r->_buf; ++m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende + #endif + } + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else { + *m++ = spans[0].coverage; diff -Nru cairo-1.16.0/debian/patches/series cairo-1.16.0/debian/patches/series --- cairo-1.16.0/debian/patches/series 2019-03-15 08:57:56.0 +0100 +++ cairo-1.16.0/debian/patches/series 2021-01-22 00:02:52.0 +0100 @@ -4,3 +4,4 @@ 06_hurd-map-noreserve.patch git-pdf-add-missing-flush.patch ft-Use-FT_Done_MM_Var-instead-of-free-when-available-in-c.patch +CVE-2020-35492.patch
Re: Bug#975016: Python 2 / OpenJDK 15 support state for Bullseye
On Wed, Nov 18, 2020 at 12:20:37PM +0100, Matthias Klose wrote: > [removed the Python 2 bits] > > On 11/17/20 11:08 PM, Moritz Muehlenhoff wrote: > > Package: debian-security-support > > Severity: normal > > X-Debbugs-Cc: d...@debian.org, t...@security.debian.org > > > openjdk-15 will be included, but not covered by support > > (as it's only needed to bootstrap openjdk-16 and eventually > > openjdk-17, the next LTS release of Java). > > > > How about the following for "security-support-limited"? > > > > > > openjdk-15Only included for bootstrapping later OpenJDK > > releases > > > > > > One important thing: These only applies to Bullseye and > > security-support-limited is currently independent of releases, so this > > needs to be fixed or alternatively we need to stop rebuilding the current > > unstable package for older releases and instead branch of per distro. > > As background: OpenJDK 12 can only be built with 11, 13 with 12, 14 with 13, > 15 > with 14, 16 with 15. Only having 11 in bullseye would make backports more > "interesting". > > For OpenJDK there are two other possibilities, which would require approval by > release managers / stable release managers. If the whole "buildlibs" (or however it gets called in the end) infrastructure is ready for bullseye it would also be an option to include openjdk-15/openjdk-16 in there? As such, it would be non-available to users by default, but present for bootstraps. Cheers, Moritz
Bug#974695: buster-pu: package libxml2/2.9.4+dfsg1-7+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: mattiadebian.org This fixes a few low severity security fixes affecting libxml2, I've tested the package on a buster system with a few rdeps. Cheers, Moritz diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog --- libxml2-2.9.4+dfsg1/debian/changelog2018-05-26 12:03:44.0 +0200 +++ libxml2-2.9.4+dfsg1/debian/changelog2020-11-06 18:13:19.0 +0100 @@ -1,3 +1,14 @@ +libxml2 (2.9.4+dfsg1-7+deb10u1) buster; urgency=medium + + * CVE-2017-18258 (Closes: #895245) + * CVE-2018-14404 (Closes: #901817) + * CVE-2018-14567 + * CVE-2019-19956 + * CVE-2019-20388 (Closes: #949583) + * CVE-2020-7595 (Closes: #949582) + + -- Moritz Mühlenhoff Fri, 06 Nov 2020 18:35:40 +0100 + libxml2 (2.9.4+dfsg1-7) unstable; urgency=medium * Team upload. diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch --- libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch 1970-01-01 01:00:00.0 +0100 +++ libxml2-2.9.4+dfsg1/debian/patches/0020-CVE-2017-18258.patch 2018-08-10 20:29:49.0 +0200 @@ -0,0 +1,25 @@ +From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 7 Sep 2017 18:36:01 +0200 +Subject: [PATCH] Set memory limit for LZMA decompression + +Otherwise malicious LZMA compressed files could consume large amounts +of memory when decompressed. + +According to the xz man page, files compressed with `xz -9` currently +require 65 MB to decompress, so set the limit to 100 MB. + +Should fix bug 786696. +diff --git a/xzlib.c b/xzlib.c +index 782957f..f43632b 100644 +--- a/xzlib.c b/xzlib.c +@@ -408,7 +408,7 @@ xz_head(xz_statep state) + state->strm = init; + state->strm.avail_in = 0; + state->strm.next_in = NULL; +-if (lzma_auto_decoder(>strm, UINT64_MAX, 0) != LZMA_OK) { ++if (lzma_auto_decoder(>strm, 1, 0) != LZMA_OK) { + xmlFree(state->out); + xmlFree(state->in); + state->size = 0; diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch --- libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch 1970-01-01 01:00:00.0 +0100 +++ libxml2-2.9.4+dfsg1/debian/patches/0021-CVE-2018-14404.patch 2018-08-10 20:30:01.0 +0200 @@ -0,0 +1,47 @@ +From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 12:54:38 +0200 +Subject: [PATCH] Fix nullptr deref with XPath logic ops + +If the XPath stack is corrupted, for example by a misbehaving extension +function, the "and" and "or" XPath operators could dereference NULL +pointers. Check that the XPath stack isn't empty and optimize the +logic operators slightly. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 + +Also see +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 +https://bugzilla.redhat.com/show_bug.cgi?id=1595985 + +This is CVE-2018-14404. + +Thanks to Guy Inbar for the report. +diff --git a/xpath.c b/xpath.c +index 1787be1..13e0812 100644 +--- a/xpath.c b/xpath.c +@@ -13320,9 +13320,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +-arg1 = valuePop(ctxt); +-arg1->boolval &= arg2->boolval; +-valuePush(ctxt, arg1); ++if (ctxt->value != NULL) ++ctxt->value->boolval &= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_OR: +@@ -13346,9 +13345,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +-arg1 = valuePop(ctxt); +-arg1->boolval |= arg2->boolval; +-valuePush(ctxt, arg1); ++if (ctxt->value != NULL) ++ctxt->value->boolval |= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_EQUAL: diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch --- libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch 1970-01-01 01:00:00.0 +0100 +++ libxml2-2.9.4+dfsg1/debian/patches/0022-CVE-2018-14567.patch 2018-08-10 20:30:14.0 +0200 @@ -0,0 +1,43 @@ +From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 13:14:11 +0200 +Subject: [PATCH] Fix infinite loop in LZMA decompression
Bug#972183: buster-pu: package libjpeg-turbo/1:1.5.2-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ond...@debian.org, sunwea...@debian.org This fixes a number of security issues in libjpeg, which don't warrant a DSA. Package has been tested on a buster system. Cheers, Moritz diff -Nru libjpeg-turbo-1.5.2/debian/changelog libjpeg-turbo-1.5.2/debian/changelog --- libjpeg-turbo-1.5.2/debian/changelog2017-08-25 10:27:48.0 +0200 +++ libjpeg-turbo-1.5.2/debian/changelog2020-10-07 22:25:43.0 +0200 @@ -1,3 +1,12 @@ +libjpeg-turbo (1:1.5.2-2+deb10u1) buster; urgency=medium + + * CVE-2018-1152 (Closes: #902950) + * CVE-2018-14498 (Closes: #924678) + * CVE-2019-2201 + * CVE-2020-13790 (Closes: #962829) + + -- Moritz Mühlenhoff Wed, 07 Oct 2020 22:25:43 +0200 + libjpeg-turbo (1:1.5.2-2) unstable; urgency=medium * Drop env declaration patch on mips to fix FTBFS on mips diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch --- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 1970-01-01 01:00:00.0 +0100 +++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 2020-10-07 22:25:25.0 +0200 @@ -0,0 +1,19 @@ +https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61bc6 + +Index: libjpeg-turbo-1.5.2/rdbmp.c +=== +--- libjpeg-turbo-1.5.2.orig/rdbmp.c 2018-07-05 14:47:54.525745754 -0400 libjpeg-turbo-1.5.2/rdbmp.c2018-07-05 14:47:54.521745700 -0400 +@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c + progress->total_extra_passes++; /* count file input as separate pass */ + } + ++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum ++ value of the JDIMENSION type. This is only a danger with BMP files, since ++ their width and height fields are 32-bit integers. */ ++ if ((unsigned long long)biWidth * ++ (unsigned long long)cinfo->input_components > 0xULL) ++ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); + /* Allocate one-row buffer for returned data */ + source->pub.buffer = (*cinfo->mem->alloc_sarray) + ((j_common_ptr) cinfo, JPOOL_IMAGE, diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch --- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 1970-01-01 01:00:00.0 +0100 +++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 2020-10-07 22:25:25.0 +0200 @@ -0,0 +1,117 @@ +https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55 + +diff --git a/cderror.h b/cderror.h +index 63de498..bb093b8 100644 +--- a/cderror.h b/cderror.h +@@ -49,6 +49,8 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB") + JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported") + JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image") + JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM") ++JMESSAGE(JERR_BMP_TOOLARGE, "Integer value too large in BMP file") ++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file") + JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image") + JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image") + JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image") +@@ -75,8 +77,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits") + #ifdef PPM_SUPPORTED + JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB") + JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file") +-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file") + JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file") ++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file") + JMESSAGE(JTRC_PGM, "%ux%u PGM image") + JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image") + JMESSAGE(JTRC_PPM, "%ux%u PPM image") +diff --git a/rdbmp.c b/rdbmp.c +index 4104b68..9ca4a26 100644 +--- a/rdbmp.c b/rdbmp.c +@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct { + JDIMENSION row_width; /* Physical width of scanlines in file */ + + int bits_per_pixel; /* remembers 8- or 24-bit format */ ++ int cmap_length; /* colormap length */ + } bmp_source_struct; + + +@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + { + bmp_source_ptr source = (bmp_source_ptr) sinfo; + register JSAMPARRAY colormap = source->colormap; ++ int cmaplen = source->cmap_length; + JSAMPARRAY image_ptr; + register int t; + register JSAMPROW inptr, outptr; +@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + outptr = source->pub.buffer[0]; + for (col = cinfo->image_width; col > 0; col--) { + t = GETJSAMPLE(*inptr++); ++if ( t >= cmaplen) ++ ERREXIT(cinfo, JERR_BMP_TOOLARGE); + *outptr++ =
Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: g...@debian.org A number of security fixes in sqlite, which don't warrant a DSA. This has been tested on a Buster system (along with validating included test cases that issues are correctly fixed). Cheers, Moritz diff -Nru sqlite3-3.27.2/debian/changelog sqlite3-3.27.2/debian/changelog --- sqlite3-3.27.2/debian/changelog 2019-06-01 17:38:52.0 +0200 +++ sqlite3-3.27.2/debian/changelog 2020-10-05 22:53:55.0 +0200 @@ -1,3 +1,18 @@ +sqlite3 (3.27.2-3+deb10u1) buster; urgency=medium + + * CVE-2019-19923 + * CVE-2019-19925 + * CVE-2019-19959 + * CVE-2019-20218 + * CVE-2020-13434 + * CVE-2020-13435 + * CVE-2020-13630 + * CVE-2020-13632 + * CVE-2020-15358 + * CVE-2019-16168 + + -- Moritz Mühlenhoff Mon, 05 Oct 2020 22:53:55 +0200 + sqlite3 (3.27.2-3) unstable; urgency=high * Backport security related patches: diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 1970-01-01 01:00:00.0 +0100 +++ sqlite3-3.27.2/debian/patches/CVE-2019-16168.patch 2020-10-05 22:53:55.0 +0200 @@ -0,0 +1,66 @@ +From 725dd72400872da94dcfb6af48128905b93d57fe Mon Sep 17 00:00:00 2001 +From: drh +Date: Thu, 15 Aug 2019 14:35:45 + +Subject: [PATCH] Ensure that the optional "sz=N" parameter that can be + manually added to the end of an sqlite_stat1 entry does not have an N value + that is too small. Ticket [e4598ecbdd18bd82] + +FossilOrigin-Name: 98357d8c1263920b33a3648ef9214a63c99728bafa7a8d3dd6a1241b2303fd42 +--- + src/analyze.c | 4 +++- + src/where.c| 1 + + test/analyzeC.test | 14 ++ + 5 files changed, 28 insertions(+), 11 deletions(-) + +diff --git a/src/analyze.c b/src/analyze.c +index 31fb6f5b5..1904b9be0 100644 +--- a/src/analyze.c b/src/analyze.c +@@ -1450,7 +1450,9 @@ static void decodeIntArray( + if( sqlite3_strglob("unordered*", z)==0 ){ + pIndex->bUnordered = 1; + }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){ +-pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3)); ++int sz = sqlite3Atoi(z+3); ++if( sz<2 ) sz = 2; ++pIndex->szIdxRow = sqlite3LogEst(sz); + }else if( sqlite3_strglob("noskipscan*", z)==0 ){ + pIndex->noSkipScan = 1; + } +diff --git a/src/where.c b/src/where.c +index 65c92863a..a37a810a2 100644 +--- a/src/where.c b/src/where.c +@@ -2670,6 +2670,7 @@ static int whereLoopAddBtreeIndex( + ** it to pNew->rRun, which is currently set to the cost of the index + ** seek only. Then, if this is a non-covering index, add the cost of + ** visiting the rows in the main table. */ ++assert( pSrc->pTab->szTabRow>0 ); + rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow; + pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx); + if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){ +diff --git a/test/analyzeC.test b/test/analyzeC.test +index 02faa9c7e..2a0a89781 100644 +--- a/test/analyzeC.test b/test/analyzeC.test +@@ -132,6 +132,20 @@ do_execsql_test 4.3 { + SELECT count(a) FROM t1; + } {/.*INDEX t1ca.*/} + ++# 2019-08-15. ++# Ticket https://www.sqlite.org/src/tktview/e4598ecbdd18bd82945f602901 ++# The sz=N parameter in the sqlite_stat1 table needs to have a value of ++# 2 or more to avoid a division by zero in the query planner. ++# ++do_execsql_test 4.4 { ++ DROP TABLE IF EXISTS t44; ++ CREATE TABLE t44(a PRIMARY KEY); ++ INSERT INTO sqlite_stat1 VALUES('t44',null,'sz=0'); ++ ANALYZE sqlite_master; ++ SELECT 0 FROM t44 WHERE a IN(1,2,3); ++} {} ++ ++ + + # The sz=NNN parameter works even if there is other extraneous text + # in the sqlite_stat1.stat column. diff -Nru sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch --- sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch 1970-01-01 01:00:00.0 +0100 +++ sqlite3-3.27.2/debian/patches/CVE-2019-19923.patch 2020-10-02 16:43:04.0 +0200 @@ -0,0 +1,62 @@ +From 396afe6f6aa90a31303c183e11b2b2d4b7956b35 Mon Sep 17 00:00:00 2001 +From: drh +Date: Wed, 18 Dec 2019 20:51:58 + +Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of + check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer + query is DISTINCT. Without this fix, if an index scan is run on the table + within the view on the right-hand side of the LEFT JOIN, stale result + registers might be accessed yielding incorrect results, and/or an + OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a + NULL-pointer dereference. This problem was found by the Yongheng and Rui + fuzzer. + +FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e +--- + src/select.c | 8 ++-- + test/join.test |
Bug#972007: RM: sieve-extension/0.3.0+dfsg-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Please remove sieve-extension in the next Buster point release, it's broken with Thunderbird 78 (the addon interface has been removed) and has already removed from unstable. Cheers, Moritz
Bug#972005: RM: nostalgy/0.2.36-1.2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: a...@sigxcpu.org Please remove nostalgy in the next Buster point release, it's incompatible with Thunderbird 78 (it has already removed from unstable) Cheers, Moritz
Bug#971915: buster-pu: package transmission/2.94-2+deb10u2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: mo...@debian.org [ Reason ] Fixes a memory leak when running Transmission in daemon mode. [ Tests ] Have been using the package since a few weeks and the user who reported the leak (running an affected setup) confirmed that it fixes the leak. Cheers, Moritz diff -Nru transmission-2.94/debian/changelog transmission-2.94/debian/changelog --- transmission-2.94/debian/changelog 2020-05-29 00:05:53.0 +0200 +++ transmission-2.94/debian/changelog 2020-08-31 20:43:20.0 +0200 @@ -1,3 +1,9 @@ +transmission (2.94-2+deb10u2) buster; urgency=medium + + * Fix mem leak (Closes: #968097) + + -- Moritz Mühlenhoff Mon, 31 Aug 2020 20:43:20 +0200 + transmission (2.94-2+deb10u1) buster; urgency=medium * CVE-2018-10756 (Closes: #961461) diff -Nru transmission-2.94/debian/patches/CVE-2018-10756-2.patch transmission-2.94/debian/patches/CVE-2018-10756-2.patch --- transmission-2.94/debian/patches/CVE-2018-10756-2.patch 1970-01-01 01:00:00.0 +0100 +++ transmission-2.94/debian/patches/CVE-2018-10756-2.patch 2020-08-31 20:43:15.0 +0200 @@ -0,0 +1,16 @@ +Fixes mem leak introduced in backport for CVE-2018-10756 + +--- transmission-2.94.orig/libtransmission/variant.c transmission-2.94/libtransmission/variant.c +@@ -873,7 +873,10 @@ static void + nodeDestruct (struct SaveNode * node) + { + if (node->v == node->sorted) +-tr_free (node->sorted->val.l.vals); ++{ ++ tr_free (node->sorted->val.l.vals); ++ tr_free (node->sorted); ++} + } + + /** diff -Nru transmission-2.94/debian/patches/series transmission-2.94/debian/patches/series --- transmission-2.94/debian/patches/series 2020-05-29 00:05:53.0 +0200 +++ transmission-2.94/debian/patches/series 2020-08-31 20:42:50.0 +0200 @@ -5,3 +5,4 @@ ayatana-indicators.patch patch-vendored-libdht.patch CVE-2018-10756.patch +CVE-2018-10756-2.patch
Bug#971869: buster-pu: package freecol/0.11.6+dfsg2-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org Low severity bugfix for freecol, which doesn't warrant a DSA. The (identical) patch has been in unstable for half a year, also doublechecked by playing for half an hour :-) Cheers, Moritz diff -Nru freecol-0.11.6+dfsg2/debian/changelog freecol-0.11.6+dfsg2/debian/changelog --- freecol-0.11.6+dfsg2/debian/changelog 2018-08-31 19:22:57.0 +0200 +++ freecol-0.11.6+dfsg2/debian/changelog 2020-10-07 22:20:46.0 +0200 @@ -1,3 +1,9 @@ +freecol (0.11.6+dfsg2-2+deb10u1) buster; urgency=medium + + * CVE-2018-1000825 (Closes: #917023) + + -- Moritz Mühlenhoff Wed, 07 Oct 2020 22:20:46 +0200 + freecol (0.11.6+dfsg2-2) unstable; urgency=medium * Declare compliance with Debian Policy 4.2.1. diff -Nru freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch --- freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 1970-01-01 01:00:00.0 +0100 +++ freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 2020-10-07 22:20:40.0 +0200 @@ -0,0 +1,142 @@ +From: Markus Koschany +Date: Mon, 24 Feb 2020 12:33:58 +0100 +Subject: CVE-2018-1000825 + +Bug-Debian: https://bugs.debian.org/917023 +Origin: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3 +--- + src/net/sf/freecol/common/io/FreeColXMLReader.java | 19 +-- + src/net/sf/freecol/common/model/FreeColObject.java | 3 +++ + src/net/sf/freecol/common/networking/Connection.java | 3 +++ + src/net/sf/freecol/common/networking/DOMMessage.java | 3 +++ + src/net/sf/freecol/tools/GenerateDocumentation.java | 3 +++ + 5 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java b/src/net/sf/freecol/common/io/FreeColXMLReader.java +index dd78a40..abbaba6 100644 +--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java b/src/net/sf/freecol/common/io/FreeColXMLReader.java +@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate + super(); + + try { +-XMLInputFactory xif = XMLInputFactory.newInstance(); ++XMLInputFactory xif = newXMLInputFactory(); + setParent(xif.createXMLStreamReader(inputStream, "UTF-8")); + } catch (XMLStreamException e) { + throw new IOException(e); +@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate + super(); + + try { +-XMLInputFactory xif = XMLInputFactory.newInstance(); ++XMLInputFactory xif = newXMLInputFactory(); + setParent(xif.createXMLStreamReader(reader)); + } catch (XMLStreamException e) { + throw new IOException(e); +@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate + this.readScope = ReadScope.NORMAL; + } + ++/** ++ * Create a new XMLInputFactory. ++ * ++ * Respond to CVE 2018-1000825. ++ * ++ * @return A new XMLInputFactory. ++ */ ++private static XMLInputFactory newXMLInputFactory() { ++XMLInputFactory xif = XMLInputFactory.newInstance(); ++// This disables DTDs entirely for that factory ++xif.setProperty(XMLInputFactory.SUPPORT_DTD, false); ++// disable external entities ++xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false); ++return xif; ++} + + /** + * Should reads from this stream intern their objects into the +diff --git a/src/net/sf/freecol/common/model/FreeColObject.java b/src/net/sf/freecol/common/model/FreeColObject.java +index 01c9887..d8f3754 100644 +--- a/src/net/sf/freecol/common/model/FreeColObject.java b/src/net/sf/freecol/common/model/FreeColObject.java +@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException; + import javax.xml.transform.TransformerFactory; + import javax.xml.transform.dom.DOMSource; + import javax.xml.transform.stream.StreamResult; ++import javax.xml.XMLConstants; + + import net.sf.freecol.common.ObjectWithId; + import net.sf.freecol.common.io.FreeColXMLReader; +@@ -895,6 +896,8 @@ public abstract class FreeColObject + public void readFromXMLElement(Element element) { + try { + TransformerFactory factory = TransformerFactory.newInstance(); ++factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer xmlTransformer = factory.newTransformer(); + StringWriter stringWriter = new StringWriter(); + xmlTransformer.transform(new DOMSource(element), +diff --git a/src/net/sf/freecol/common/networking/Connection.java b/src/net/sf/freecol/common/networking/Connection.java +index f88d2ed..48954bd 100644
Bug#971866: buster-pu: package okular/4:17.12.2-2.2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: p...@debian.org Low severity fix for Okular, which doesn't warrant a DSA. I've tested with the reproducerand a number of other PDF files that everything works as expected. Cheers, Moritz diff -Nru okular-17.12.2/debian/changelog okular-17.12.2/debian/changelog --- okular-17.12.2/debian/changelog 2019-03-24 13:05:50.0 +0100 +++ okular-17.12.2/debian/changelog 2020-10-07 22:57:59.0 +0200 @@ -1,3 +1,9 @@ +okular (4:17.12.2-2.2+deb10u1) buster; urgency=medium + + * CVE-2020-9359 (Closes: #954891) + + -- Moritz Mühlenhoff Wed, 07 Oct 2020 22:57:59 +0200 + okular (4:17.12.2-2.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru okular-17.12.2/debian/patches/CVE-2020-9359.patch okular-17.12.2/debian/patches/CVE-2020-9359.patch --- okular-17.12.2/debian/patches/CVE-2020-9359.patch 1970-01-01 01:00:00.0 +0100 +++ okular-17.12.2/debian/patches/CVE-2020-9359.patch 2020-10-07 22:57:20.0 +0200 @@ -0,0 +1,27 @@ +From 6a93a033b4f9248b3cd4d04689b8391df754e244 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 10 Mar 2020 23:07:24 +0100 +Subject: [PATCH] Document::processAction: If the url points to a binary, don't + run it + +--- + core/document.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/core/document.cpp b/core/document.cpp +index 3215a1abc..0aa5b6980 100644 +--- a/core/document.cpp b/core/document.cpp +@@ -4388,7 +4388,8 @@ void Document::processAction( const Action * action ) + { + const QUrl realUrl = KIO::upUrl(d->m_url).resolved(url); + // KRun autodeletes +-new KRun( realUrl, d->m_widget ); ++KRun *r = new KRun( realUrl, d->m_widget ); ++r->setRunExecutables(false); + } + } + } break; +-- +GitLab + diff -Nru okular-17.12.2/debian/patches/series okular-17.12.2/debian/patches/series --- okular-17.12.2/debian/patches/series2018-12-02 12:25:04.0 +0100 +++ okular-17.12.2/debian/patches/series2020-10-07 22:57:50.0 +0200 @@ -1 +1,2 @@ Fix-path-traversal-issue-when-extracting-an-.okular-.patch +CVE-2020-9359.patch
Bug#970584: buster-pu: package inetutils/2:1.9.4-7+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: guil...@debian.org Fix for CVE-2020-10188, which doesn' really warrant a DSA. (The numbering in debian/patches/series is the following what's in unstable, the same patch is present there since a few months already) Debdiff attached. Cheers, Moritz diff -Nru inetutils-1.9.4/debian/changelog inetutils-1.9.4/debian/changelog --- inetutils-1.9.4/debian/changelog2019-02-16 18:09:37.0 +0100 +++ inetutils-1.9.4/debian/changelog2020-09-18 20:06:42.0 +0200 @@ -1,3 +1,9 @@ +inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium + + * CVE-2020-10188 (Closes: #956084) + + -- Moritz Mühlenhoff Fri, 18 Sep 2020 20:06:42 +0200 + inetutils (2:1.9.4-7) unstable; urgency=medium * Remove debian/tmp prefix from man pages paths in debhelper fragment files. diff -Nru inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch --- inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch 1970-01-01 01:00:00.0 +0100 +++ inetutils-1.9.4/debian/patches/0053-telnetd-Fix-arbitrary-remote-code-execution-via-shor.patch 2020-09-18 15:58:19.0 +0200 @@ -0,0 +1,130 @@ +From 99afdd5ecd787e40f06473304125eee93139031a Mon Sep 17 00:00:00 2001 +From: Michal Ruprich +Date: Sun, 12 Apr 2020 22:41:50 +0200 +Subject: [PATCH 53/60] telnetd: Fix arbitrary remote code execution via short + writes or urgent data + +Fixes: CVE-2020-10188 +Closes: #956084 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10188 +Patch-Origin: Fedora / RedHat +Patch-URL: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch +--- + telnetd/telnetd.h | 2 +- + telnetd/utility.c | 35 ++- + 2 files changed, 23 insertions(+), 14 deletions(-) + +diff --git a/telnetd/telnetd.h b/telnetd/telnetd.h +index 044025d2..fa970e24 100644 +--- a/telnetd/telnetd.h b/telnetd/telnetd.h +@@ -271,7 +271,7 @@ void io_drain (void); + + int stilloob (int s); + void ptyflush (void); +-char *nextitem (char *current); ++char *nextitem (char *current, const char *endp); + void netclear (void); + void netflush (void); + +diff --git a/telnetd/utility.c b/telnetd/utility.c +index db93c205..c9df8a79 100644 +--- a/telnetd/utility.c b/telnetd/utility.c +@@ -484,10 +484,14 @@ stilloob (int s) + * character. + */ + char * +-nextitem (char *current) ++nextitem (char *current, const char *endp) + { ++ if (current >= endp) ++return NULL; + if ((*current & 0xff) != IAC) + return current + 1; ++ if (current + 1 >= endp) ++return NULL; + + switch (*(current + 1) & 0xff) + { +@@ -495,19 +499,20 @@ nextitem (char *current) + case DONT: + case WILL: + case WONT: +- return current + 3; ++ return current + 3 <= endp ? current + 3 : NULL; + + case SB: /* loop forever looking for the SE */ + { + char *look = current + 2; + +- for (;;) +-if ((*look++ & 0xff) == IAC && (*look++ & 0xff) == SE) ++ while (look < endp) ++if ((*look++ & 0xff) == IAC && look < endp && (*look++ & 0xff) == SE) + return look; + +- default: +- return current + 2; ++ return NULL; + } ++default: ++ return current + 2 <= endp ? current + 2 : NULL; + } + } /* end of nextitem */ + +@@ -529,8 +534,9 @@ nextitem (char *current) + * us in any case. + */ + #define wewant(p) \ +- ((nfrontp > p) && ((*p&0xff) == IAC) && \ +- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)) ++ ((nfrontp > p) && ((*p & 0xff) == IAC) && \ ++ (nfrontp > p + 1 && (((*(p + 1) & 0xff) != EC) && \ ++((*(p + 1)&0xff) != EL + + + void +@@ -545,7 +551,7 @@ netclear (void) + thisitem = netobuf; + #endif /* ENCRYPTION */ + +- while ((next = nextitem (thisitem)) <= nbackp) ++ while ((next = nextitem (thisitem, nbackp)) != NULL && next <= nbackp) + thisitem = next; + + /* Now, thisitem is first before/at boundary. */ +@@ -556,15 +562,18 @@ netclear (void) + good = netobuf; /* where the good bytes go */ + #endif /* ENCRYPTION */ + +- while (nfrontp > thisitem) ++ while (thisitem != NULL && nfrontp > thisitem) + { + if (wewant (thisitem)) + { + int length; + +-for (next = thisitem; wewant (next) && nfrontp > next; +- next = nextitem (next)) ++for (next = thisitem; ++ next != NULL && wewant (next) && nfrontp > next; ++ next = nextitem (next, nfrontp)) + ; ++if (next == NULL) ++ next = nfrontp; + + length = next -
Bug#970583: buster-pu: package chocolate-doom/3.0.0-4+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: fab...@debian.org Fix for CVE-2020-14983, which doesn't really warrant a DSA. Debdiff attached. Cheers, Moritz diff -Nru chocolate-doom-3.0.0/debian/changelog chocolate-doom-3.0.0/debian/changelog --- chocolate-doom-3.0.0/debian/changelog 2018-02-14 22:16:30.0 +0100 +++ chocolate-doom-3.0.0/debian/changelog 2020-09-18 20:26:53.0 +0200 @@ -1,3 +1,9 @@ +chocolate-doom (3.0.0-4+deb10u1) buster; urgency=medium + + * CVE-2020-14983 + + -- Moritz Mühlenhoff Fri, 18 Sep 2020 20:26:53 +0200 + chocolate-doom (3.0.0-4) unstable; urgency=medium * Backport patch from upstream GIT to build bash-completion diff -Nru chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch --- chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch 1970-01-01 01:00:00.0 +0100 +++ chocolate-doom-3.0.0/debian/patches/0019-CVE-2020-14983.patch 2020-09-18 17:25:58.0 +0200 @@ -0,0 +1,70 @@ +From f1a8d991aa8a14afcb605cf2f65cd15fda204c56 Mon Sep 17 00:00:00 2001 +From: Fabian Greffrath +Date: Wed, 24 Jun 2020 12:45:03 +0200 +Subject: [PATCH 1/2] net: fix missing server-side num_players validation + (CVE-2020-14983) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't +validate the user-controlled num_players value, leading to a buffer +overflow. A malicious user can overwrite the server's stack. + +Fixes CVE-2020-14983, found by Michał Dardas from LogicalTrust. + +Fixes: #1293. +--- + src/net_structrw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/net_structrw.c b/src/net_structrw.c +index 437bc71a5..2dbd2740a 100644 +--- a/src/net_structrw.c b/src/net_structrw.c +@@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings) + return false; + } + +-for (i = 0; i < settings->num_players; ++i) ++for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i) + { + if (!NET_ReadInt8(packet, + (unsigned int *) >player_classes[i])) + +From 54fb12eeaa7d527defbe65e7e00e37d5feb7c597 Mon Sep 17 00:00:00 2001 +From: Fabian Greffrath +Date: Wed, 24 Jun 2020 12:49:14 +0200 +Subject: [PATCH 2/2] net: fix missing client-side ticdup validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The client does not validate settings coming from the server. The +ticdup value is used as a divider in arithmetic operations. If the +server sends this value equal to zero, the client will crash with a +Floating Pointer Exception. + +Found by Michał Dardas from LogicalTrust. + +Fixes: #1292. +--- + src/d_loop.c | 5 + + 1 file changed, 5 insertions(+) + +diff --git a/src/d_loop.c b/src/d_loop.c +index 61a42d546..b963054a4 100644 +--- a/src/d_loop.c b/src/d_loop.c +@@ -413,6 +413,11 @@ void D_StartNetGame(net_gamesettings_t *settings, + ticdup = settings->ticdup; + new_sync = settings->new_sync; + ++if (ticdup < 1) ++{ ++I_Error("D_StartNetGame: invalid ticdup value (%d)", ticdup); ++} ++ + // TODO: Message disabled until we fix new_sync. + //if (!new_sync) + //{ diff -Nru chocolate-doom-3.0.0/debian/patches/series chocolate-doom-3.0.0/debian/patches/series --- chocolate-doom-3.0.0/debian/patches/series 2018-02-14 21:20:05.0 +0100 +++ chocolate-doom-3.0.0/debian/patches/series 2020-09-18 17:26:46.0 +0200 @@ -17,3 +17,4 @@ 0018-hexen-Remove-test-code-mistakenly-added.patch 0017-hexen-Fix-spelling-error.patch 0001-bash-completion-Build-from-actual-shell-script-templ.patch +0019-CVE-2020-14983.patch
Bug#970564: buster-pu: package milkytracker/1.02.00+dfsg-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: jcowg...@debian.org Attached debdiff fixes a few security issues in milkytracker which don't warrant a DSA. I've verified all reproducers and the (identical) patches have been in unstable for quite a bit. Cheers, Moritz diff -Nru milkytracker-1.02.00+dfsg/debian/changelog milkytracker-1.02.00+dfsg/debian/changelog --- milkytracker-1.02.00+dfsg/debian/changelog 2018-02-25 11:15:54.0 +0100 +++ milkytracker-1.02.00+dfsg/debian/changelog 2020-09-18 15:32:18.0 +0200 @@ -1,3 +1,10 @@ +milkytracker (1.02.00+dfsg-1+deb10u1) buster; urgency=medium + + * CVE-2020-15569 (Closes: #964797) + * CVE-2019-14464, CVE-2019-14496, CVE-2019-14497 (Closes: #933964) + + -- Moritz Mühlenhoff Fri, 18 Sep 2020 20:30:05 +0200 + milkytracker (1.02.00+dfsg-1) unstable; urgency=medium * New upstream version. diff -Nru milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch --- milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch 1970-01-01 01:00:00.0 +0100 +++ milkytracker-1.02.00+dfsg/debian/patches/0001-Fix-use-after-free-in-PlayerGeneric-destructor.patch 2020-09-18 15:30:01.0 +0200 @@ -0,0 +1,36 @@ +From d6f07ee05fe114ed843aad5f1a2492a73c2b9183 Mon Sep 17 00:00:00 2001 +From: Jeremy Clarke +Date: Mon, 13 Apr 2020 23:53:51 +0100 +Subject: Fix use-after-free in PlayerGeneric destructor + +--- + src/milkyplay/PlayerGeneric.cpp | 7 --- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp +index 8df2c13..59f7cba 100644 +--- a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp +@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri + + PlayerGeneric::~PlayerGeneric() + { +- if (mixer) +- delete mixer; + + if (player) + { +- if (mixer->isActive() && !mixer->isDeviceRemoved(player)) ++ if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player)) + mixer->removeDevice(player); + delete player; + } ++ ++ if (mixer) ++ delete mixer; + + delete[] audioDriverName; + +-- +2.20.1 + diff -Nru milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch --- milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch 1970-01-01 01:00:00.0 +0100 +++ milkytracker-1.02.00+dfsg/debian/patches/CVE-2019-144{64,96,97}.patch 2020-09-18 15:30:01.0 +0200 @@ -0,0 +1,118 @@ +Description: This patch fixes the stack-based buffer overflow + and a heap-based buffer overflow. +Author: Christopher O'Neill +Author: Utkarsh Gupta +Bug-Debian: https://bugs.debian.org/933964 +Origin: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7 +Origin: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34 +Bug: https://github.com/milkytracker/MilkyTracker/issues/182 +Bug: https://github.com/milkytracker/MilkyTracker/issues/183 +Bug: https://github.com/milkytracker/MilkyTracker/issues/184 +Last-Update: 2019-10-28 + +--- a/src/milkyplay/LoaderS3M.cpp b/src/milkyplay/LoaderS3M.cpp +@@ -340,7 +340,11 @@ + return MP_OUT_OF_MEMORY; + + header->insnum = f.readWord(); // number of instruments +- header->patnum = f.readWord(); // number of patterns ++if (header->insnum > MP_MAXINS) ++return MP_LOADER_FAILED; ++header->patnum = f.readWord(); // number of patterns ++if (header->patnum > 256) ++return MP_LOADER_FAILED; + + mp_sint32 flags = f.readWord(); // st3 flags + +--- a/src/milkyplay/LoaderXM.cpp b/src/milkyplay/LoaderXM.cpp +@@ -63,8 +63,8 @@ + mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module) + { + mp_ubyte insData[230]; +- mp_sint32 smpReloc[96]; +- mp_ubyte nbu[96]; ++ mp_sint32 smpReloc[MP_MAXINSSAMPS]; ++ mp_ubyte nbu[MP_MAXINSSAMPS]; + mp_uint32 fileSize = 0; + + module->cleanUp(); +@@ -117,6 +117,8 @@ + memcpy(header->ord, hdrBuff+16, 256); + if(header->ordnum > MP_MAXORDERS) + header->ordnum = MP_MAXORDERS; ++if(header->insnum > MP_MAXINS) ++return MP_LOADER_FAILED; + + delete[] hdrBuff; + +@@ -143,7 +145,7 @@ + f.read([y].type,1,1); + mp_uword numSamples = 0; + f.readWords(,1); +- if(numSamples >
Bug#970563: buster-pu: package libx11/2:1.6.7-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: jcris...@debian.org, tjaal...@debian.org This updates fixes a few security issues in libx11, which don't warrant a DSA. Debdiff attached. Cheers, Moritz diff -u libx11-1.6.7/debian/changelog libx11-1.6.7/debian/changelog --- libx11-1.6.7/debian/changelog +++ libx11-1.6.7/debian/changelog @@ -1,3 +1,10 @@ +libx11 (2:1.6.7-1+deb10u1) buster; urgency=medium + + * CVE-2020-14344 + * CVE-2020-14363 (Closes: #969008) + + -- Moritz Mühlenhoff Fri, 11 Sep 2020 19:38:11 +0200 + libx11 (2:1.6.7-1) unstable; urgency=medium * New upstream release. diff -u libx11-1.6.7/debian/patches/series libx11-1.6.7/debian/patches/series --- libx11-1.6.7/debian/patches/series +++ libx11-1.6.7/debian/patches/series @@ -5,0 +6,2 @@ +CVE-2020-14344.diff +CVE-2020-14363.diff only in patch2: unchanged: --- libx11-1.6.7.orig/debian/patches/CVE-2020-14344.diff +++ libx11-1.6.7/debian/patches/CVE-2020-14344.diff @@ -0,0 +1,296 @@ +Backport of the following upstream commits to address CVE-2020-14344: + +0e6561efcfaa0ae7b5c74eac7e064b76d687544e +1703b9f3435079d3c6021e1ee2ec34fd4978103d +1a566c9e00e5f35c1f9e7f3d741a02e5170852b2 +2fcfcc49f3b1be854bb9085993a01d17c62acf60 +388b303c62aa35a245f1704211a023440ad2c488 +93fce3f4e79cbc737d6468a4f68ba3de1b83953b + +diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c libx11-1.6.7/modules/im/ximcp/imDefIc.c +--- libx11-1.6.7.orig/modules/im/ximcp/imDefIc.c 2018-10-09 16:27:08.0 +0200 libx11-1.6.7/modules/im/ximcp/imDefIc.c2020-09-11 17:30:58.689814672 +0200 +@@ -350,7 +350,7 @@ ++ sizeof(INT16) ++ XIM_PAD(2 + buf_size); + +-if (!(buf = Xmalloc(buf_size))) ++if (!(buf = Xcalloc(buf_size, 1))) + return arg->name; + buf_s = (CARD16 *)[XIM_HEADER_SIZE]; + +@@ -708,6 +708,7 @@ + #endif /* XIM_CONNECTABLE */ + + _XimGetCurrentICValues(ic, _values); ++memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + + sizeof(CARD16) + sizeof(CARD16) + sizeof(INT16) + sizeof(CARD16); +@@ -730,7 +731,7 @@ + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return tmp_name; + } + memcpy(tmp, buf, buf_size); +@@ -740,6 +741,7 @@ + Xfree(buf); + return tmp_name; + } ++memset([buf_size], 0, data_len); + buf = tmp; + } + } +diff -Naur libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c libx11-1.6.7/modules/im/ximcp/imDefIm.c +--- libx11-1.6.7.orig/modules/im/ximcp/imDefIm.c 2018-10-09 16:27:08.0 +0200 libx11-1.6.7/modules/im/ximcp/imDefIm.c2020-09-11 17:30:58.689814672 +0200 +@@ -62,6 +62,7 @@ + #include "XimTrInt.h" + #include "Ximint.h" + ++#include + + int + _XimCheckDataSize( +@@ -809,12 +810,16 @@ + intbuf_size; + intret_code; + char *locale_name; ++size_t locale_len; + + locale_name = im->private.proto.locale_name; +-len = strlen(locale_name); +-buf_b[0] = (BYTE)len;/* length of locale name */ +-(void)strcpy((char *)_b[1], locale_name); /* locale name */ +-len += sizeof(BYTE); /* sizeof length */ ++locale_len = strlen(locale_name); ++if (locale_len > UCHAR_MAX) ++ return False; ++memset(buf32, 0, sizeof(buf32)); ++buf_b[0] = (BYTE)locale_len; /* length of locale name */ ++memcpy(_b[1], locale_name, locale_len); /* locale name */ ++len = (INT16)(locale_len + sizeof(BYTE));/* sizeof length */ + XIM_SET_PAD(buf_b, len); /* pad */ + + _XimSetHeader((XPointer)buf, XIM_OPEN, 0, ); +@@ -1289,6 +1294,7 @@ + #endif /* XIM_CONNECTABLE */ + + _XimGetCurrentIMValues(im, _values); ++memset(tmp_buf, 0, sizeof(tmp_buf32)); + buf = tmp_buf; + buf_size = XIM_HEADER_SIZE + sizeof(CARD16) + sizeof(INT16); + data_len = BUFSIZE - buf_size; +@@ -1311,7 +1317,7 @@ + + buf_size += ret_len; + if (buf == tmp_buf) { +- if (!(tmp = Xmalloc(buf_size + data_len))) { ++ if (!(tmp = Xcalloc(buf_size + data_len, 1))) { + return arg->name; + } + memcpy(tmp, buf, buf_size); +@@ -1321,6 +1327,7 @@ + Xfree(buf); + return arg->name; + } ++memset([buf_size], 0, data_len); + buf = tmp; + } + } +@@ -1462,7 +1469,7 @@ ++ sizeof(INT16) ++ XIM_PAD(buf_size); + +-if (!(buf = Xmalloc(buf_size))) ++if (!(buf = Xcalloc(buf_size, 1))) + return arg->name; + buf_s = (CARD16 *)[XIM_HEADER_SIZE]; + +@@ -1724,7
Re: Go issues wrt. Debian infrastructure: moving forward
On Thu, Aug 27, 2020 at 11:31:36AM +0200, Clément Hermann wrote: > >>> On Wed, Aug 26, 2020 at 12:39:36PM +0200, Clément Hermann wrote: > >>> > - a way for dak to get the orig tarball from main archive when > >>> it's not > >>> > already in the security archive (or at least, as a workaround, a > >>> way to > >>> > find and upload all needed source easily) > >>> > >>> As soon as you stop emitting Built-Using, this problem is gone. > >>> Except > >>> of course for the cases that actually needs them, which is mainly GPL > >>> and Apache licensed software. It is still needed even if you stop using Built-Using. If a Go library is updated (and similar for Rust) reverse dependencies needs to be rebuilt and security-master and ftp-master don't share tarballs. The first time a package is built for a suite (e.g. buster-security) it currently needs an uplaod with includes the orig tarball (i.e. building with -sa). Obviously this doesn't scale at all for binNMUing lots of rdeps. So we need a fix in dak/security-master so that it fetches the orig source from ftp-master (or a similar solution). Quoting from the original mail: > Can we take opportunity of Debconf20 to set up an ad-hoc session and > talk about the best way forward to fix this ? I think an IRC session would work best, but not sure what exact input you need? For dak implementation questions this needs some FTP master input. Cheers, Moritz
Bug#966454: RM: golang-github-unknwon-cae/0.0~git20160715.0.c6aac99-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Please remove 0.0~git20160715.0.c6aac99-4 from stable. There are open security issues, upstream development has stopped and there are no reverse deps. Cheers, Moritz
Bug#966272: buster-pu: package python3.7/3.7.3-2+deb10u2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Fixes three minor security issues, debdiff attached. Cheers, Moritz diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog --- python3.7-3.7.3/debian/changelog2019-12-20 18:01:46.0 +0100 +++ python3.7-3.7.3/debian/changelog2020-07-25 15:00:39.0 +0200 @@ -1,3 +1,11 @@ +python3.7 (3.7.3-2+deb10u2) buster; urgency=medium + + * CVE-2019-20907 + * CVE-2020-14422 + * CVE-2020-8492 + + -- Moritz Mühlenhoff Sat, 25 Jul 2020 15:03:44 +0200 + python3.7 (3.7.3-2+deb10u1) buster; urgency=medium * CVE-2019-9740 diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-20907.diff python3.7-3.7.3/debian/patches/CVE-2019-20907.diff --- python3.7-3.7.3/debian/patches/CVE-2019-20907.diff 1970-01-01 01:00:00.0 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2019-20907.diff 2020-07-22 18:02:59.0 +0200 @@ -0,0 +1,26 @@ +From 79c6b602efc9a906c8496f3d5f4d54c54b48fa06 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-isling...@users.noreply.github.com> +Date: Wed, 15 Jul 2020 05:35:08 -0700 +Subject: [PATCH] bpo-39017: Avoid infinite loop in the tarfile module + (GH-21454) (GH-21484) + +Avoid infinite loop when reading specially crafted TAR files using the tarfile module +(CVE-2019-20907). +(cherry picked from commit 5a8d121a1f3ef5ad7c105ee378cc79a3eac0c7d4) + +Co-authored-by: Rishi + +diff --git a/Lib/tarfile.py b/Lib/tarfile.py +index 3b596cbf49d27..3be5188c8b0a2 100755 +--- a/Lib/tarfile.py b/Lib/tarfile.py +@@ -1233,6 +1233,8 @@ def _proc_pax(self, tarfile): + + length, keyword = match.groups() + length = int(length) ++if length == 0: ++raise InvalidHeaderError("invalid header") + value = buf[match.end(2) + 1:match.start(1) + length - 1] + + # Normally, we could just use "utf-8" as the encoding and "strict" diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-14422.diff python3.7-3.7.3/debian/patches/CVE-2020-14422.diff --- python3.7-3.7.3/debian/patches/CVE-2020-14422.diff 1970-01-01 01:00:00.0 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2020-14422.diff 2020-07-22 18:02:59.0 +0200 @@ -0,0 +1,62 @@ +From b98e7790c77a4378ec4b1c71b84138cb930b69b7 Mon Sep 17 00:00:00 2001 +From: Tapas Kundu <39723251+tapak...@users.noreply.github.com> +Date: Wed, 1 Jul 2020 00:50:21 +0530 +Subject: [PATCH] [3.7] bpo-41004: Resolve hash collisions for IPv4Interface + and IPv6Interface (GH-21033) (GH-21231) + +CVE-2020-14422 +The __hash__() methods of classes IPv4Interface and IPv6Interface had issue +of generating constant hash values of 32 and 128 respectively causing hash collisions. +The fix uses the hash() function to generate hash values for the objects +instead of XOR operation +(cherry picked from commit b30ee26e366bf509b7538d79bfec6c6d38d53f28) + +Co-authored-by: Ravi Teja P + +Signed-off-by: Tapas Kundu +--- + +diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py +index 80249288d73ab..54882934c3dc1 100644 +--- a/Lib/ipaddress.py b/Lib/ipaddress.py +@@ -1442,7 +1442,7 @@ def __lt__(self, other): + return False + + def __hash__(self): +-return self._ip ^ self._prefixlen ^ int(self.network.network_address) ++return hash((self._ip, self._prefixlen, int(self.network.network_address))) + + __reduce__ = _IPAddressBase.__reduce__ + +@@ -2088,7 +2088,7 @@ def __lt__(self, other): + return False + + def __hash__(self): +-return self._ip ^ self._prefixlen ^ int(self.network.network_address) ++return hash((self._ip, self._prefixlen, int(self.network.network_address))) + + __reduce__ = _IPAddressBase.__reduce__ + +diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py +index 455b893fb126f..1fb6a929dc2d9 100644 +--- a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py +@@ -2091,6 +2091,17 @@ def testsixtofour(self): + sixtofouraddr.sixtofour) + self.assertFalse(bad_addr.sixtofour) + ++# issue41004 Hash collisions in IPv4Interface and IPv6Interface ++def testV4HashIsNotConstant(self): ++ipv4_address1 = ipaddress.IPv4Interface("1.2.3.4") ++ipv4_address2 = ipaddress.IPv4Interface("2.3.4.5") ++self.assertNotEqual(ipv4_address1.__hash__(), ipv4_address2.__hash__()) ++ ++# issue41004 Hash collisions in IPv4Interface and IPv6Interface ++def testV6HashIsNotConstant(self): ++ipv6_address1 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:1") ++ipv6_address2 = ipaddress.IPv6Interface("2001:658:22a:cafe:200:0:0:2") ++self.assertNotEqual(ipv6_address1.__hash__(), ipv6_address2.__hash__()) + + if __name__ == '__main__': + unittest.main() diff -Nru python3.7-3.7.3/debian/patches/CVE-2020-8492.diff
Bug#966247: buster-pu: package commons-configuration2/2.2-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Fixes a minor security issue, debdiff below. Cheers, Moritz diff -Nru commons-configuration2-2.2/debian/changelog commons-configuration2-2.2/debian/changelog --- commons-configuration2-2.2/debian/changelog 2017-12-29 23:12:51.0 +0100 +++ commons-configuration2-2.2/debian/changelog 2020-07-13 18:19:38.0 +0200 @@ -1,3 +1,9 @@ +commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium + + * CVE-2020-1953 (Closes: #954713) + + -- Moritz Mühlenhoff Mon, 13 Jul 2020 19:18:37 +0200 + commons-configuration2 (2.2-1) unstable; urgency=medium * New upstream release diff -Nru commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch --- commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 1970-01-01 01:00:00.0 +0100 +++ commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 2020-07-13 18:06:19.0 +0200 @@ -0,0 +1,179 @@ +Backport to 2.2 of the following upstream commit: + +From add7375cf37fd316d4838c6c56b054fc293b4641 Mon Sep 17 00:00:00 2001 +From: oheger +Date: Wed, 4 Mar 2020 21:33:22 +0100 +Subject: [PATCH] Prevent object creation when loading YAML files. + +When creating a new Yaml instance from SnakeYaml to read in a +configuration file the instance is now configured that no objects are +created automatically. + +--- commons-configuration2-2.2.orig/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java commons-configuration2-2.2/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java +@@ -18,11 +18,14 @@ + package org.apache.commons.configuration2; + + import org.apache.commons.configuration2.ex.ConfigurationException; ++import org.apache.commons.configuration2.ex.ConfigurationRuntimeException; + import org.apache.commons.configuration2.io.InputStreamSupport; + import org.apache.commons.configuration2.tree.ImmutableNode; + import org.yaml.snakeyaml.DumperOptions; + import org.yaml.snakeyaml.LoaderOptions; + import org.yaml.snakeyaml.Yaml; ++import org.yaml.snakeyaml.constructor.Constructor; ++import org.yaml.snakeyaml.representer.Representer; + + import java.io.IOException; + import java.io.InputStream; +@@ -65,7 +68,7 @@ public class YAMLConfiguration extends A + { + try + { +-Yaml yaml = new Yaml(); ++Yaml yaml = createYamlForReading(new LoaderOptions()); + Map map = (Map) yaml.load(in); + load(map); + } +@@ -80,7 +83,7 @@ public class YAMLConfiguration extends A + { + try + { +-Yaml yaml = new Yaml(options); ++Yaml yaml = createYamlForReading(options); + Map map = (Map) yaml.load(in); + load(map); + } +@@ -117,7 +120,7 @@ public class YAMLConfiguration extends A + { + try + { +-Yaml yaml = new Yaml(); ++Yaml yaml = createYamlForReading(new LoaderOptions()); + Map map = (Map) yaml.load(in); + load(map); + } +@@ -132,7 +135,7 @@ public class YAMLConfiguration extends A + { + try + { +-Yaml yaml = new Yaml(options); ++Yaml yaml = createYamlForReading(options); + Map map = (Map) yaml.load(in); + load(map); + } +@@ -142,4 +145,34 @@ public class YAMLConfiguration extends A + } + } + ++/** ++ * Creates a {@code Yaml} object for reading a Yaml file. The object is ++ * configured with some default settings. ++ * ++ * @param options options for loading the file ++ * @return the {@code Yaml} instance for loading a file ++ */ ++private static Yaml createYamlForReading(LoaderOptions options) ++{ ++return new Yaml(createClassLoadingDisablingConstructor(), new Representer(), new DumperOptions(), options); ++} ++ ++/** ++ * Returns a {@code Constructor} object for the YAML parser that prevents ++ * all classes from being loaded. This effectively disables the dynamic ++ * creation of Java objects that are declared in YAML files to be loaded. ++ * ++ * @return the {@code Constructor} preventing object creation ++ */ ++private static Constructor createClassLoadingDisablingConstructor() ++{ ++return new Constructor() ++{ ++@Override ++protected Class getClassForName(String name) ++{ ++throw new ConfigurationRuntimeException("Class loading is disabled."); ++} ++}; ++} + } +--- commons-configuration2-2.2.orig/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java commons-configuration2-2.2/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java +@@ -20,26 +20,36 @@ package
Bug#966213: buster-pu: package pillow/5.4.1-2+deb10u2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu A few non-severe security issues, debdiff below. Cheers, Moritz diff -Nru pillow-5.4.1/debian/changelog pillow-5.4.1/debian/changelog --- pillow-5.4.1/debian/changelog 2020-02-06 20:47:20.0 +0100 +++ pillow-5.4.1/debian/changelog 2020-07-22 17:25:31.0 +0200 @@ -1,3 +1,9 @@ +pillow (5.4.1-2+deb10u2) buster; urgency=medium + + * CVE-2020-11538 CVE-2020-10378 CVE-2020-10177 + + -- Moritz Mühlenhoff Wed, 22 Jul 2020 19:23:16 +0200 + pillow (5.4.1-2+deb10u1) buster-security; urgency=medium * CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313 diff -Nru pillow-5.4.1/debian/patches/CVE-2020-10177.patch pillow-5.4.1/debian/patches/CVE-2020-10177.patch --- pillow-5.4.1/debian/patches/CVE-2020-10177.patch1970-01-01 01:00:00.0 +0100 +++ pillow-5.4.1/debian/patches/CVE-2020-10177.patch2020-07-22 17:19:07.0 +0200 @@ -0,0 +1,154 @@ +Backport the following commits: +c66d8aa75436f334f686fe32bca8e414bcdd18e6 +f6926a041b4b544fd2ced3752542afb6c8c19405 +b4e439d6d7fd986cd6b4c7f9ca18830d79dacd44 +c88b0204d7c930e3bd72626ae6ea078571cc0ea7 +c5edc361fd6450f805a6a444723b0f68190b1d0c +8d4f3c0c5f2fecf175aeb895e9c2d6d06d85bdc9 +088ce4df981b70fbec140ee54417bcb49a7dffca +5b490fc413dfab2d52de46a58905c25d9badb650 + +--- pillow-5.4.1.orig/src/libImaging/FliDecode.c pillow-5.4.1/src/libImaging/FliDecode.c +@@ -24,7 +24,12 @@ + #define I32(ptr)\ + ((ptr)[0] + ((ptr)[1] << 8) + ((ptr)[2] << 16) + ((ptr)[3] << 24)) + +- ++#define ERR_IF_DATA_OOB(offset) \ ++ if ((data + (offset)) > ptr + bytes) {\ ++state->errcode = IMAGING_CODEC_OVERRUN; \ ++return -1; \ ++ } ++ + int + ImagingFliDecode(Imaging im, ImagingCodecState state, UINT8* buf, int bytes) + { +@@ -78,10 +83,12 @@ ImagingFliDecode(Imaging im, ImagingCode + break; /* ignored; handled by Python code */ + case 7: + /* FLI SS2 chunk (word delta) */ ++ /* OOB ok, we've got 4 bytes min on entry */ + lines = I16(data); data += 2; + for (l = y = 0; l < lines && y < state->ysize; l++, y++) { +- UINT8* buf = (UINT8*) im->image[y]; ++ UINT8* local_buf = (UINT8*) im->image[y]; + int p, packets; ++ ERR_IF_DATA_OOB(2) + packets = I16(data); data += 2; + while (packets & 0x8000) { + /* flag word */ +@@ -91,29 +98,33 @@ ImagingFliDecode(Imaging im, ImagingCode + state->errcode = IMAGING_CODEC_OVERRUN; + return -1; + } +- buf = (UINT8*) im->image[y]; ++ local_buf = (UINT8*) im->image[y]; + } else { + /* store last byte (used if line width is odd) */ +- buf[state->xsize-1] = (UINT8) packets; ++ local_buf[state->xsize-1] = (UINT8) packets; + } ++ ERR_IF_DATA_OOB(2) + packets = I16(data); data += 2; + } + for (p = x = 0; p < packets; p++) { ++ ERR_IF_DATA_OOB(2) + x += data[0]; /* pixel skip */ + if (data[1] >= 128) { ++ ERR_IF_DATA_OOB(4) + i = 256-data[1]; /* run */ + if (x + i + i > state->xsize) + break; + for (j = 0; j < i; j++) { +- buf[x++] = data[2]; +- buf[x++] = data[3]; ++ local_buf[x++] = data[2]; ++ local_buf[x++] = data[3]; + } + data += 2 + 2; + } else { + i = 2 * (int) data[1]; /* chunk */ + if (x + i > state->xsize) + break; +- memcpy(buf + x, data + 2, i); ++ ERR_IF_DATA_OOB(2+i) ++ memcpy(local_buf + x, data + 2, i); + data += 2 + i; + x += i; + } +@@ -129,22 +140,27 @@ ImagingFliDecode(Imaging im, ImagingCode + break; + case 12: + /* FLI LC chunk (byte delta) */ ++ /* OOB Check ok, we have 4 bytes min here */ + y = I16(data); ymax = y + I16(data+2); data += 4; + for (; y < ymax && y < state->ysize; y++) { + UINT8* out = (UINT8*) im->image[y]; ++ERR_IF_DATA_OOB(1) + int p, packets = *data++; + for (p = x = 0; p < packets; p++, x += i) { ++ ERR_IF_DATA_OOB(2) + x += data[0]; /* skip pixels */ + if (data[1] & 0x80) { + i =
Bug#964868: stretch-pu: package transmission/2.94-2+deb10u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Fixes a security issue in Transmission, which doesn't warrant a DSA, but still good to fix in stable. I've tested the update extensively (I had prepared the update for 10.4, but it fell through the cracks) Debdiff attached. Cheers, Moritz diff -Nru transmission-2.94/debian/changelog transmission-2.94/debian/changelog --- transmission-2.94/debian/changelog 2019-01-01 00:07:49.0 +0100 +++ transmission-2.94/debian/changelog 2020-05-29 00:05:53.0 +0200 @@ -1,3 +1,9 @@ +transmission (2.94-2+deb10u1) buster; urgency=medium + + * CVE-2018-10756 (Closes: #961461) + + -- Moritz Muehlenhoff Fri, 29 May 2020 00:05:53 +0200 + transmission (2.94-2) unstable; urgency=medium [ Ondřej Nový ] diff -Nru transmission-2.94/debian/patches/CVE-2018-10756.patch transmission-2.94/debian/patches/CVE-2018-10756.patch --- transmission-2.94/debian/patches/CVE-2018-10756.patch 1970-01-01 01:00:00.0 +0100 +++ transmission-2.94/debian/patches/CVE-2018-10756.patch 2020-05-29 00:05:53.0 +0200 @@ -0,0 +1,66 @@ +Backport to 2.94 of + +From 2123adf8e5e1c2b48791f9d22fc8c747e974180e Mon Sep 17 00:00:00 2001 +From: Mike Gelfand +Date: Sun, 28 Apr 2019 11:27:33 +0300 +Subject: [PATCH] CVE-2018-10756: Fix heap-use-after-free in tr_variantWalk + +In libtransmission/variant.c, function tr_variantWalk, when the variant +stack is reallocated, a pointer to the previously allocated memory +region is kept. This address is later accessed (heap use-after-free) +while walking back down the stack, causing the application to crash. +The application can be any application which uses libtransmission, such +as transmission-daemon, transmission-gtk, transmission-show, etc. + +Reported-by: Tom Richards + +--- transmission-2.94.orig/libtransmission/variant.c transmission-2.94/libtransmission/variant.c +@@ -820,7 +820,7 @@ compareKeyIndex (const void * va, const + struct SaveNode + { + const tr_variant * v; +- tr_variant sorted; ++ tr_variant* sorted; + size_t childIndex; + bool isVisited; + }; +@@ -849,26 +849,31 @@ nodeConstruct (struct SaveNode * node, + + qsort (tmp, n, sizeof (struct KeyIndex), compareKeyIndex); + +- tr_variantInitDict (>sorted, n); ++ node->sorted = tr_new(tr_variant, 1); ++ tr_variantInitDict(node->sorted, n); ++ + for (i=0; isorted.val.l.vals[i] = *tmp[i].val; +- node->sorted.val.l.count = n; ++node->sorted->val.l.vals[i] = *tmp[i].val; ++ node->sorted->val.l.count = n; + + tr_free (tmp); + +- node->v = >sorted; ++ v = node->sorted; ++ + } + else + { +- node->v = v; ++ node->sorted = NULL; + } ++ ++ node->v = v; + } + + static void + nodeDestruct (struct SaveNode * node) + { +- if (node->v == >sorted) +-tr_free (node->sorted.val.l.vals); ++ if (node->v == node->sorted) ++tr_free (node->sorted->val.l.vals); + } + + /** diff -Nru transmission-2.94/debian/patches/series transmission-2.94/debian/patches/series --- transmission-2.94/debian/patches/series 2019-01-01 00:07:49.0 +0100 +++ transmission-2.94/debian/patches/series 2020-05-29 00:05:53.0 +0200 @@ -4,3 +4,4 @@ transmission-daemon_execstop_service.patch ayatana-indicators.patch patch-vendored-libdht.patch +CVE-2018-10756.patch
Bug#964574: buster-pu: package file-roller/3.30.1-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Low severity issue in file-roller, I've verified with a reproducer that the issue is fixed and did various tests to ensure that nothing breaks functionality-wise. debdiff below. Cheers, Moritz diff -Nru file-roller-3.30.1/debian/changelog file-roller-3.30.1/debian/changelog --- file-roller-3.30.1/debian/changelog 2018-12-24 02:34:26.0 +0100 +++ file-roller-3.30.1/debian/changelog 2020-07-08 20:12:00.0 +0200 @@ -1,3 +1,9 @@ +file-roller (3.30.1-2+deb10u1) buster; urgency=medium + + * CVE-2020-11736 (Closes: #956638) + + -- Moritz Muehlenhoff Wed, 08 Jul 2020 20:12:00 +0200 + file-roller (3.30.1-2) unstable; urgency=medium * Restore -Wl,-O1 to our LDFLAGS diff -Nru file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch --- file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch 1970-01-01 01:00:00.0 +0100 +++ file-roller-3.30.1/debian/patches/02_CVE-2020-11736.patch 2020-07-08 20:12:00.0 +0200 @@ -0,0 +1,201 @@ +--- file-roller-3.30.1.orig/src/fr-archive-libarchive.c file-roller-3.30.1/src/fr-archive-libarchive.c +@@ -603,6 +603,149 @@ _g_output_stream_add_padding (ExtractDat + } + + ++static gboolean ++_symlink_is_external_to_destination (GFile *file, ++ const char *symlink, ++ GFile *destination, ++ GHashTable *external_links); ++ ++ ++static gboolean ++_g_file_is_external_link (GFile *file, ++GFile *destination, ++GHashTable *external_links) ++{ ++ GFileInfo *info; ++ gboolean external; ++ ++ if (g_hash_table_lookup (external_links, file) != NULL) ++ return TRUE; ++ ++ info = g_file_query_info (file, ++G_FILE_ATTRIBUTE_STANDARD_IS_SYMLINK "," G_FILE_ATTRIBUTE_STANDARD_SYMLINK_TARGET, ++G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, ++NULL, ++NULL); ++ ++ if (info == NULL) ++ return FALSE; ++ ++ external = FALSE; ++ ++ if (g_file_info_get_is_symlink (info)) { ++ if (_symlink_is_external_to_destination (file, ++ g_file_info_get_symlink_target (info), ++ destination, ++ external_links)) ++ { ++ g_hash_table_insert (external_links, g_object_ref (file), GINT_TO_POINTER (1)); ++ external = TRUE; ++ } ++ } ++ ++ g_object_unref (info); ++ ++ return external; ++} ++ ++ ++static gboolean ++_symlink_is_external_to_destination (GFile *file, ++ const char *symlink, ++ GFile *destination, ++ GHashTable *external_links) ++{ ++ gboolean external = FALSE; ++ GFile*parent; ++ char**components; ++ int i; ++ ++ if ((file == NULL) || (symlink == NULL)) ++ return FALSE; ++ ++ if (symlink[0] == '/') ++ return TRUE; ++ ++ parent = g_file_get_parent (file); ++ components = g_strsplit (symlink, "/", -1); ++ for (i = 0; components[i] != NULL; i++) { ++ char *name = components[i]; ++ GFile *tmp; ++ ++ if ((name[0] == 0) || ((name[0] == '.') && (name[1] == 0))) ++ continue; ++ ++ if ((name[0] == '.') && (name[1] == '.') && (name[2] == 0)) { ++ if (g_file_equal (parent, destination)) { ++ external = TRUE; ++ break; ++ } ++ else { ++ tmp = g_file_get_parent (parent); ++ g_object_unref (parent); ++ parent = tmp; ++ } ++ } ++ else { ++ tmp = g_file_get_child (parent, components[i]); ++ g_object_unref (parent); ++ parent = tmp; ++ } ++ ++ if (_g_file_is_external_link (parent, destination, external_links)) { ++ external = TRUE; ++ break; ++ } ++ } ++ ++ g_strfreev (components); ++ g_object_unref (parent); ++ ++ return external; ++} ++ ++ ++static gboolean ++_g_path_is_external_to_destination (const char *relative_path, ++
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
On Tue, Jul 07, 2020 at 10:56:18PM +0200, Hans van Kranenburg wrote: > Additional To: t...@security.debian.org > > Hi Security team, > > After our last security update, which was > 4.11.3+24-g14b62ab3e5-1~deb10u1, we found out that there is a bugfix to > be done to help users upgrade from Buster to Bullseye. This fix was > included in the unstable xen 4.11.4-1 upload (it also helps for the > future from there) and has been in unstable for 41 days now. > > I have chosen to not bother you with a new security upload for 4.11.4 to > Buster at that time (while it included security fixes) because I didn't > want to skip going through the stable release process because of this > packaging change. > > Now, we're at the verge of a new buster point release. > > Can you please read https://bugs.debian.org/964482 and ack that we can > do a combination of the security updates and this packaging change for > stable? Ack, we can piggyback the fix for 964482 to the buster-security update, no problem. Cheers, Moritz
Bug#950693: RM: radare2/1.1.0+dfsg-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Please remove radare2 from Stretch. There's a number of unfixed security issues and upstream actively objects it's presence in a stable release: #950372 Cheers, Moritz
Bug#950692: RM: radare2-cutter/1.7.4-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm See my earlier RM bug for radare2 itself. Cheers, Moritz
Bug#950691: RM: radare2/3.2.1+dfsg-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Please remove radare2 from Buster. There's a number of unfixed security issues and upstream actively objects it's presence in a stable release: #950372 (There's an rdep (radere2-cutter) to be removed along, separate bug following) Cheers, Moritz
Bug#949541: buster-pu: package mesa/18.3.6-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Attached debdiff fixes a minor security issue in mesa. I've been running the updated packaged on a Buster workstation over the last days. Cheers, Moritz diff -u mesa-18.3.6/debian/changelog mesa-18.3.6/debian/changelog --- mesa-18.3.6/debian/changelog +++ mesa-18.3.6/debian/changelog @@ -1,3 +1,10 @@ +mesa (18.3.6-2+deb10u1) buster; urgency=medium + + * Call shmget() with permission 0600 instead of 0777 (CVE-2019-5068) +(Closes: #944298) + + -- Moritz Mühlenhoff Wed, 15 Jan 2020 20:28:42 +0100 + mesa (18.3.6-2) unstable; urgency=medium * Cherry-pick c77acc3ceba (meson: remove meson-created megadrivers diff -u mesa-18.3.6/debian/patches/series mesa-18.3.6/debian/patches/series --- mesa-18.3.6/debian/patches/series +++ mesa-18.3.6/debian/patches/series @@ -5,0 +6 @@ +CVE-2019-5068.patch only in patch2: unchanged: --- mesa-18.3.6.orig/debian/patches/CVE-2019-5068.patch +++ mesa-18.3.6/debian/patches/CVE-2019-5068.patch @@ -0,0 +1,68 @@ +From 02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc Mon Sep 17 00:00:00 2001 +From: Brian Paul +Date: Wed, 9 Oct 2019 12:05:16 -0600 +Subject: Call shmget() with permission 0600 instead of 0777 + +A security advisory (TALOS-2019-0857/CVE-2019-5068) found that +creating shared memory regions with permission mode 0777 could allow +any user to access that memory. Several Mesa drivers use shared- +memory XImages to implement back buffers for improved performance. + +This path changes the shmget() calls to use 0600 (user r/w). + +Tested with legacy Xlib driver and llvmpipe. + +Cc: mesa-sta...@lists.freedesktop.org +Reviewed-by: Kristian H. Kristensen +--- + src/gallium/winsys/sw/dri/dri_sw_winsys.c | 3 ++- + src/gallium/winsys/sw/xlib/xlib_sw_winsys.c | 3 ++- + src/mesa/drivers/x11/xm_buffer.c| 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c +index cbccf4d01df..6173147a1ff 100644 +--- a/src/gallium/winsys/sw/dri/dri_sw_winsys.c b/src/gallium/winsys/sw/dri/dri_sw_winsys.c +@@ -92,7 +92,8 @@ alloc_shm(struct dri_sw_displaytarget *dri_sw_dt, unsigned size) + { +char *addr; + +- dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777); ++ /* 0600 = user read+write */ ++ dri_sw_dt->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600); +if (dri_sw_dt->shmid < 0) + return NULL; + +diff --git a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c +index be28fae3df2..8e97f0a24af 100644 +--- a/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c b/src/gallium/winsys/sw/xlib/xlib_sw_winsys.c +@@ -126,7 +126,8 @@ alloc_shm(struct xlib_displaytarget *buf, unsigned size) +shminfo->shmid = -1; +shminfo->shmaddr = (char *) -1; + +- shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|0777); ++ /* 0600 = user read+write */ ++ shminfo->shmid = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600); +if (shminfo->shmid < 0) { + return NULL; +} +diff --git a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c +index d945d8af556..0da08a6e64d 100644 +--- a/src/mesa/drivers/x11/xm_buffer.c b/src/mesa/drivers/x11/xm_buffer.c +@@ -89,8 +89,9 @@ alloc_back_shm_ximage(XMesaBuffer b, GLuint width, GLuint height) + return GL_FALSE; +} + ++ /* 0600 = user read+write */ +b->shminfo.shmid = shmget(IPC_PRIVATE, b->backxrb->ximage->bytes_per_line +- * b->backxrb->ximage->height, IPC_CREAT|0777); ++ * b->backxrb->ximage->height, IPC_CREAT | 0600); +if (b->shminfo.shmid < 0) { + _mesa_warning(NULL, "shmget failed while allocating back buffer.\n"); + XDestroyImage(b->backxrb->ximage); +-- +cgit v1.2.1 + Cheers, Moritz
Bug#948104: buster-pu: package python3.7/3.7.3-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Similar to the python2.7 update which landed in Buster 10.2. Debdiff below. All these are fixed in bullseye/sid (but none had a dedicated bug) Cheers, Moritz diff -Nru python3.7-3.7.3/debian/changelog python3.7-3.7.3/debian/changelog --- python3.7-3.7.3/debian/changelog2019-04-03 07:39:12.0 +0200 +++ python3.7-3.7.3/debian/changelog2019-12-20 18:01:46.0 +0100 @@ -1,3 +1,14 @@ +python3.7 (3.7.3-2+deb10u1) buster; urgency=medium + + * CVE-2019-9740 + * CVE-2019-9947 + * CVE-2019-9948 + * CVE-2019-10160 + * CVE-2019-16056 + * CVE-2019-16935 + + -- Moritz Mühlenhoff Fri, 20 Dec 2019 19:57:59 +0100 + python3.7 (3.7.3-2) unstable; urgency=medium * d/p/arm-alignment.diff: Don't allow unaligned memory accesses in the diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff --- python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff1970-01-01 01:00:00.0 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2019-10160-1.diff2019-12-20 17:57:53.0 +0100 @@ -0,0 +1,59 @@ +From 4d723e76e1ad17e9e7d5e828e59bb47e76f2174b Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-isling...@users.noreply.github.com> +Date: Tue, 30 Apr 2019 05:21:02 -0700 +Subject: [PATCH] bpo-36742: Fixes handling of pre-normalization characters in + urlsplit() (GH-13017) + +(cherry picked from commit d537ab0ff9767ef024f26246899728f0116b1ec3) + +Co-authored-by: Steve Dower +--- + Lib/test/test_urlparse.py | 6 ++ + Lib/urllib/parse.py | 11 +++ + .../Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst | 1 + + 3 files changed, 14 insertions(+), 4 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2019-04-29-15-34-59.bpo-36742.QCUY0i.rst + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index e6638aee2244..c26235449461 100644 +--- a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +@@ -1001,6 +1001,12 @@ def test_urlsplit_normalization(self): + self.assertIn('\u2100', denorm_chars) + self.assertIn('\uFF03', denorm_chars) + ++# bpo-36742: Verify port separators are ignored when they ++# existed prior to decomposition ++urllib.parse.urlsplit('http://\u30d5\u309a:80') ++with self.assertRaises(ValueError): ++urllib.parse.urlsplit('http://\u30d5\u309a\ufe1380') ++ + for scheme in ["http", "https", "ftp"]: + for c in denorm_chars: + url = "{}://netloc{}false.netloc/path".format(scheme, c) +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 1eec26e0f1f3..f5b3487ea9d6 100644 +--- a/Lib/urllib/parse.py b/Lib/urllib/parse.py +@@ -397,13 +397,16 @@ def _checknetloc(netloc): + # looking for characters like \u2100 that expand to 'a/c' + # IDNA uses NFKC equivalence, so normalize for this check + import unicodedata +-netloc2 = unicodedata.normalize('NFKC', netloc) +-if netloc == netloc2: ++n = netloc.rpartition('@')[2] # ignore anything to the left of '@' ++n = n.replace(':', '')# ignore characters already included ++n = n.replace('#', '')# but not the surrounding text ++n = n.replace('?', '') ++netloc2 = unicodedata.normalize('NFKC', n) ++if n == netloc2: + return +-_, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay + for c in '/?#@:': + if c in netloc2: +-raise ValueError("netloc '" + netloc2 + "' contains invalid " + ++raise ValueError("netloc '" + netloc + "' contains invalid " + + "characters under NFKC normalization") + + def urlsplit(url, scheme='', allow_fragments=True): diff -Nru python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff --- python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff1970-01-01 01:00:00.0 +0100 +++ python3.7-3.7.3/debian/patches/CVE-2019-10160-2.diff2019-12-20 17:57:53.0 +0100 @@ -0,0 +1,54 @@ +From 250b62acc59921d399f0db47db3b462cd6037e09 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-isling...@users.noreply.github.com> +Date: Tue, 4 Jun 2019 09:15:13 -0700 +Subject: [PATCH] bpo-36742: Corrects fix to handle decomposition in usernames + (GH-13812) + +(cherry picked from commit 8d0ef0b5edeae52960c7ed05ae8a12388324f87e) + +Co-authored-by: Steve Dower +--- + Lib/test/test_urlparse.py | 11 ++- + Lib/urllib/parse.py | 6 +++--- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index c26235449461..68f633ca3a7d 100644 +--- a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +@@ -1008,11
Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
On Thu, Nov 28, 2019 at 12:03:25PM +, Holger Levsen wrote: > - for stretch, I will upload to stretch-security and that's it. Sounds good, I'll take care of releasing that. Cheers, Moritz
Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
On Wed, Nov 27, 2019 at 09:43:26AM +0100, Salvatore Bonaccorso wrote: > Hi Holger, > > On Tue, Nov 26, 2019 at 01:03:00PM +, Holger Levsen wrote: > > On Sun, Nov 24, 2019 at 08:27:40PM +, Adam D. Barratt wrote: > > > On Sun, 2019-11-24 at 18:42 +, Holger Levsen wrote: > > > > - or should debian-security-support follow the normal point release > > > > schedule, which AIUI currently has the unfortunate drawback that no > > > > stretch point release is planned anymore (??) > > > > > > Addressing just this point right now, I am not aware of any suggestion > > > that there will be no further point releases for stretch. > > > > > > There is not a planned date for 9.13 currently, but I'd expect that it > > > will be some time in January, alongside 10.3. 9.14 will likely be the > > > final point release before support moves over to LTS support, in mid- > > > 2020. > > > > ah, cool, thanks for this info. > > > > so then the question is: shall the debian-security-support package > > update, which informs the user that chromium doesnt have security > > support in stretch, wait til then, or does this warrant an update via > > stretch-updates or stretch-security? > > I think this does not warrant a separate DSA, We already had a DSA announcing Chromium EOL for stretch ( https://lists.debian.org/debian-security-announce/2019/msg00214.html), as such let's simply install an updated debian-security-support to stretch-security), no separate announcement needed. Cheers, Moritz
Bug#943846: buster-pu: package python-cryptography/2.6.1-3+deb10u2
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu (This is a followup update on top of the +deb10u1 already in s-p-u, I've reached out to Tristan beforehand) Attached debdiff fixes a memory leak in python-cryptography, which was noticed in an ACME-related service (https://wikitech.wikimedia.org/wiki/Acme-chief) running on Buster. It has been verified that the updated packages fix the memory leak (and are otherwise working fine as well). Debdiff below. Cheers, Moritz diff -Nru python-cryptography-2.6.1/debian/changelog python-cryptography-2.6.1/debian/changelog --- python-cryptography-2.6.1/debian/changelog 2019-09-30 20:55:00.0 +0200 +++ python-cryptography-2.6.1/debian/changelog 2019-10-18 16:08:59.0 +0200 @@ -1,3 +1,13 @@ +python-cryptography (2.6.1-3+deb10u2) buster; urgency=medium + + * Cherrypick 92241410b5b0591d849443b3023992334a4be0a2 and +9a22851fab924fd58482fdad3f8dd23dc3987f91 from upstream which +addresses a memory leak triggerable when parsing x509 +certificate extensions like AIA, thanks to Valentin +Gutierrez for the report (Closes: #941413) + + -- Moritz Mühlenhoff Fri, 18 Oct 2019 16:08:59 +0200 + python-cryptography (2.6.1-3+deb10u1) buster; urgency=medium * Non-maintainer upload. diff -Nru python-cryptography-2.6.1/debian/patches/aia-memleak-1.patch python-cryptography-2.6.1/debian/patches/aia-memleak-1.patch --- python-cryptography-2.6.1/debian/patches/aia-memleak-1.patch 1970-01-01 01:00:00.0 +0100 +++ python-cryptography-2.6.1/debian/patches/aia-memleak-1.patch 2019-10-18 16:08:35.0 +0200 @@ -0,0 +1,94 @@ +From 92241410b5b0591d849443b3023992334a4be0a2 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 11 Apr 2019 20:57:13 +0800 +Subject: [PATCH] fix a memory leak in AIA parsing (#4836) + +* fix a memory leak in AIA parsing + +* oops can't remove that +--- + src/_cffi_src/openssl/x509v3.py | 3 +++ + .../hazmat/backends/openssl/decode_asn1.py| 9 +++- + tests/hazmat/backends/test_openssl_memleak.py | 21 ++- + 3 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py +index 193d2e233b..5968120652 100644 +--- a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py +@@ -177,6 +177,7 @@ + typedef void (*sk_GENERAL_NAME_freefunc)(GENERAL_NAME *); + typedef void (*sk_DIST_POINT_freefunc)(DIST_POINT *); + typedef void (*sk_POLICYINFO_freefunc)(POLICYINFO *); ++typedef void (*sk_ACCESS_DESCRIPTION_freefunc)(ACCESS_DESCRIPTION *); + """ + + +@@ -228,6 +229,8 @@ + Cryptography_STACK_OF_ACCESS_DESCRIPTION *, int + ); + void sk_ACCESS_DESCRIPTION_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *); ++void sk_ACCESS_DESCRIPTION_pop_free(Cryptography_STACK_OF_ACCESS_DESCRIPTION *, ++ sk_ACCESS_DESCRIPTION_freefunc); + int sk_ACCESS_DESCRIPTION_push(Cryptography_STACK_OF_ACCESS_DESCRIPTION *, +ACCESS_DESCRIPTION *); + +diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py +index 773189d4f8..75d5844bc1 100644 +--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py +@@ -379,7 +379,14 @@ def _decode_authority_key_identifier(backend, akid): + + def _decode_authority_information_access(backend, aia): + aia = backend._ffi.cast("Cryptography_STACK_OF_ACCESS_DESCRIPTION *", aia) +-aia = backend._ffi.gc(aia, backend._lib.sk_ACCESS_DESCRIPTION_free) ++aia = backend._ffi.gc( ++aia, ++lambda x: backend._lib.sk_ACCESS_DESCRIPTION_pop_free( ++x, backend._ffi.addressof( ++backend._lib._original_lib, "ACCESS_DESCRIPTION_free" ++) ++) ++) + num = backend._lib.sk_ACCESS_DESCRIPTION_num(aia) + access_descriptions = [] + for i in range(num): +diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py +index ed22b5db9e..f9ae1c46b9 100644 +--- a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py +@@ -210,7 +210,7 @@ class TestOpenSSLMemoryLeaks(object): + @pytest.mark.parametrize("path", [ + "x509/PKITS_data/certs/ValidcRLIssuerTest28EE.crt", + ]) +-def test_x509_certificate_extensions(self, path): ++def test_der_x509_certificate_extensions(self, path): + assert_no_memory_leaks(textwrap.dedent(""" + def func(path): + from cryptography import x509 +@@ -226,6 +226,25 @@ def func(path): + cert.extensions + """), [path]) + ++@pytest.mark.parametrize("path", [ ++"x509/cryptography.io.pem", ++]) ++def test_pem_x509_certificate_extensions(self, path): ++
Bug#943364: buster-pu: package python2.7/2.7.16-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu This fixes a number of low severity issues which have popped up since the initial Buster release. Debdiff below. Cheers, Moritz diff -u python2.7-2.7.16/debian/changelog python2.7-2.7.16/debian/changelog --- python2.7-2.7.16/debian/changelog +++ python2.7-2.7.16/debian/changelog @@ -1,3 +1,14 @@ +python2.7 (2.7.16-2+deb10u1) buster; urgency=medium + + * CVE-2018-20852 + * CVE-2019-10160 + * CVE-2019-16056 (Closes: #940901) + * CVE-2019-16935 + * CVE-2019-9740 + * CVE-2019-9947 + + -- Moritz Mühlenhoff Fri, 11 Oct 2019 00:02:15 +0200 + python2.7 (2.7.16-2) unstable; urgency=high [ Matthias Klose ] diff -u python2.7-2.7.16/debian/patches/series.in python2.7-2.7.16/debian/patches/series.in --- python2.7-2.7.16/debian/patches/series.in +++ python2.7-2.7.16/debian/patches/series.in @@ -75,0 +76,5 @@ +CVE-2018-20852.diff +CVE-2019-10160.diff +CVE-2019-16056.diff +CVE-2019-16935.diff +CVE-2019-9740_CVE-2019-9947.diff only in patch2: unchanged: --- python2.7-2.7.16.orig/debian/patches/CVE-2018-20852.diff +++ python2.7-2.7.16/debian/patches/CVE-2018-20852.diff @@ -0,0 +1,93 @@ +Commit 979daae300916adb399ab5b51410b6ebd0888f13 from the 2.7 branch + +diff -Naur python2.7-2.7.16.orig/Lib/cookielib.py python2.7-2.7.16/Lib/cookielib.py +--- python2.7-2.7.16.orig/Lib/cookielib.py 2019-03-02 19:17:42.0 +0100 python2.7-2.7.16/Lib/cookielib.py 2019-10-11 15:33:02.648671958 +0200 +@@ -1139,6 +1139,11 @@ + req_host, erhn = eff_request_host(request) + domain = cookie.domain + ++if domain and not domain.startswith("."): ++dotdomain = "." + domain ++else: ++dotdomain = domain ++ + # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't + if (cookie.version == 0 and + (self.strict_ns_domain & self.DomainStrictNonDomain) and +@@ -1151,7 +1156,7 @@ + _debug(" effective request-host name %s does not domain-match " +"RFC 2965 cookie domain %s", erhn, domain) + return False +-if cookie.version == 0 and not ("."+erhn).endswith(domain): ++if cookie.version == 0 and not ("."+erhn).endswith(dotdomain): + _debug(" request-host %s does not match Netscape cookie domain " +"%s", req_host, domain) + return False +@@ -1165,7 +1170,11 @@ + req_host = "."+req_host + if not erhn.startswith("."): + erhn = "."+erhn +-if not (req_host.endswith(domain) or erhn.endswith(domain)): ++if domain and not domain.startswith("."): ++dotdomain = "." + domain ++else: ++dotdomain = domain ++if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)): + #_debug(" request domain %s does not match cookie domain %s", + # req_host, domain) + return False +diff -Naur python2.7-2.7.16.orig/Lib/test/test_cookielib.py python2.7-2.7.16/Lib/test/test_cookielib.py +--- python2.7-2.7.16.orig/Lib/test/test_cookielib.py 2019-03-02 19:17:42.0 +0100 python2.7-2.7.16/Lib/test/test_cookielib.py2019-10-11 15:33:02.648671958 +0200 +@@ -368,6 +368,7 @@ + ("http://foo.bar.com/;, ".foo.bar.com", True), + ("http://foo.bar.com/;, "foo.bar.com", True), + ("http://foo.bar.com/;, ".bar.com", True), ++("http://foo.bar.com/;, "bar.com", True), + ("http://foo.bar.com/;, "com", True), + ("http://foo.com/;, "rhubarb.foo.com", False), + ("http://foo.com/;, ".foo.com", True), +@@ -378,6 +379,8 @@ + ("http://foo/;, "foo", True), + ("http://foo/;, "foo.local", True), + ("http://foo/;, ".local", True), ++("http://barfoo.com;, ".foo.com", False), ++("http://barfoo.com;, "foo.com", False), + ]: + request = urllib2.Request(url) + r = pol.domain_return_ok(domain, request) +@@ -938,6 +941,33 @@ + c.add_cookie_header(req) + self.assertFalse(req.has_header("Cookie")) + ++c.clear() ++ ++pol.set_blocked_domains([]) ++req = Request("http://acme.com/;) ++res = FakeResponse(headers, "http://acme.com/;) ++cookies = c.make_cookies(res, req) ++c.extract_cookies(res, req) ++self.assertEqual(len(c), 1) ++ ++req = Request("http://acme.com/;) ++c.add_cookie_header(req) ++self.assertTrue(req.has_header("Cookie")) ++ ++req = Request("http://badacme.com/;) ++c.add_cookie_header(req) ++self.assertFalse(pol.return_ok(cookies[0], req)) ++self.assertFalse(req.has_header("Cookie")) ++ ++p = pol.set_blocked_domains(["acme.com"]) ++req = Request("http://acme.com/;) ++
Bug#938932: RM: pump/0.8.24-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Same as for #935458 in Buster, please also remove from Stretch. Cheers, Moritz
Bug#935746: buster-pu: package nss/2:3.42.1-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu The NSS update below fixes a few non-severe security issues. I've been running this version with Firefox on Buster (which uses the system copy of NSS unlike Firefox in Stretch) without any issues. Cheers, Moritz diff -Nru nss-3.42.1/debian/changelog nss-3.42.1/debian/changelog --- nss-3.42.1/debian/changelog 2019-02-13 05:19:39.0 +0100 +++ nss-3.42.1/debian/changelog 2019-08-23 00:03:22.0 +0200 @@ -1,3 +1,10 @@ +nss (2:3.42.1-1+deb10u1) buster; urgency=medium + + * Fixes for CVE-2019-11719, CVE-2019-11727 and CVE-2019-11729 (in unstable +these were addressed via the 2:3.45-1 upload to unstable) + + -- Moritz Mühlenhoff Fri, 23 Aug 2019 00:03:22 +0200 + nss (2:3.42.1-1) unstable; urgency=medium * New upstream release. diff -Nru nss-3.42.1/debian/patches/CVE-2019-11719_CVE-2019-11727_CVE-2019-11729.patch nss-3.42.1/debian/patches/CVE-2019-11719_CVE-2019-11727_CVE-2019-11729.patch --- nss-3.42.1/debian/patches/CVE-2019-11719_CVE-2019-11727_CVE-2019-11729.patch 1970-01-01 01:00:00.0 +0100 +++ nss-3.42.1/debian/patches/CVE-2019-11719_CVE-2019-11727_CVE-2019-11729.patch 2019-08-23 00:03:22.0 +0200 @@ -0,0 +1,410 @@ +Fixes for CVE-2019-11719, CVE-2019-11727 and CVE-2019-11729 which are based on +the following upstream commits: + +https://hg.mozilla.org/projects/nss/rev/6cfb54d262d030783137aa6478b45ecb3cbfc624 +https://hg.mozilla.org/projects/nss/rev/0a4e8b72a92e144663c2f35d3836f7828cfc97f2 +https://hg.mozilla.org/projects/nss/rev/dabfe1160c682b4d1d19c5a7a13ab3828bb9d37f +https://hg.mozilla.org/projects/nss/rev/ebc93d6daeaa9001d31fd18b5199779da99ae9aa + +--- nss-3.42.1.orig/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc nss-3.42.1/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc +@@ -40,6 +40,9 @@ class Pkcs11Curve25519Test + + ScopedCERTSubjectPublicKeyInfo certSpki( + SECKEY_DecodeDERSubjectPublicKeyInfo()); ++if (!expect_success && !certSpki) { ++ return; ++} + ASSERT_TRUE(certSpki); + + ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get())); +--- nss-3.42.1.orig/nss/gtests/ssl_gtest/ssl_auth_unittest.cc nss-3.42.1/nss/gtests/ssl_gtest/ssl_auth_unittest.cc +@@ -342,6 +342,44 @@ TEST_P(TlsConnectTls12, ClientAuthIncons + ConnectExpectAlert(server_, kTlsAlertIllegalParameter); + } + ++TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) { ++ static const SSLSignatureScheme kSignatureScheme[] = { ++ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256}; ++ ++ Reset(TlsAgent::kServerRsa, "rsa"); ++ client_->SetSignatureSchemes(kSignatureScheme, ++ PR_ARRAY_SIZE(kSignatureScheme)); ++ server_->SetSignatureSchemes(kSignatureScheme, ++ PR_ARRAY_SIZE(kSignatureScheme)); ++ client_->SetupClientAuth(); ++ server_->RequestClientAuth(true); ++ ++ auto capture_cert_verify = MakeTlsFilter( ++ client_, kTlsHandshakeCertificateVerify); ++ capture_cert_verify->EnableDecryption(); ++ ++ Connect(); ++ CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256, ++ 1024); ++} ++ ++TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) { ++ static const SSLSignatureScheme kSignatureScheme[] = { ++ ssl_sig_rsa_pkcs1_sha256}; ++ ++ Reset(TlsAgent::kServerRsa, "rsa"); ++ client_->SetSignatureSchemes(kSignatureScheme, ++ PR_ARRAY_SIZE(kSignatureScheme)); ++ server_->SetSignatureSchemes(kSignatureScheme, ++ PR_ARRAY_SIZE(kSignatureScheme)); ++ client_->SetupClientAuth(); ++ server_->RequestClientAuth(true); ++ ++ ConnectExpectAlert(server_, kTlsAlertHandshakeFailure); ++ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); ++ client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP); ++} ++ + class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter { + public: + TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr& a) +@@ -571,7 +609,7 @@ TEST_P(TlsConnectTls13, InconsistentSign + client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); + } + +-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) { ++TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) { + server_->SetSignatureSchemes(kSignatureSchemeRsaSha384, +PR_ARRAY_SIZE(kSignatureSchemeRsaSha384)); + server_->RequestClientAuth(false); +@@ -1033,12 +1071,21 @@ TEST_P(TlsSignatureSchemeConfiguration, + INSTANTIATE_TEST_CASE_P( + SignatureSchemeRsa, TlsSignatureSchemeConfiguration, + ::testing::Combine( +-TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus, ++TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12, + ::testing::Values(TlsAgent::kServerRsaSign), +
Bug#935596: RM: teeworlds/0.6.5+dfsg-1~deb9u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Please remove teeworlds in the 9.10 point release, it has open security issues, but it's not really worth fixing as the package from Stretch is now incompatible with current game servers. Cheers, Moritz
Bug#935460: stretch-pu: package sox/14.4.1-5+deb9u2
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Attached debdiff fixes a number of bugs in sox. These have been in jessie for a while already (Stretch and Jessie have the same base version as the package was unmaintained for a while) and I've ran some of the POCs on the Stretch build. Debdiff below. Cheers, Moritz diff -Nru sox-14.4.1/debian/changelog sox-14.4.1/debian/changelog --- sox-14.4.1/debian/changelog 2019-02-01 16:18:21.0 +0100 +++ sox-14.4.1/debian/changelog 2019-08-16 00:28:55.0 +0200 @@ -1,3 +1,16 @@ +sox (14.4.1-5+deb9u2) stretch; urgency=medium + + * Sync up patches with 14.4.1-5+deb8u4 (sans some uncommented patches) +CVE-2019-8354 CVE-2019-8355 CVE-2019-8356 CVE-2019-8357 (Closes: #927906) +CVE-2019-1010004 CVE-2017-18189 (Closes: #881121) +CVE-2017-15642 (Closes: #882144) +CVE-2017-15372 (Closes: #878808) +CVE-2017-15371 (Closes: #878809) +CVE-2017-15370 (Closes: #878810) +CVE-2017-11359 CVE-2017-11358 CVE-2017-11332 (Closes: #870328) + + -- Moritz Mühlenhoff Fri, 16 Aug 2019 00:28:55 +0200 + sox (14.4.1-5+deb9u1) stretch; urgency=medium * Non-maintainer upload. diff -Nru sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch --- sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch 1970-01-01 01:00:00.0 +0100 +++ sox-14.4.1/debian/patches/0001-Clean-up-lsx_malloc-and-friends.patch 2019-05-10 01:08:00.0 +0200 @@ -0,0 +1,80 @@ +From ccedd08802f62ed896f69d778e6a106d00f9ab58 Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Tue, 8 Dec 2015 22:52:41 + +Subject: [PATCH 1/5] Clean up lsx_malloc() and friends + +--- + src/Makefile.am | 2 +- + src/xmalloc.c | 30 +- + src/xmalloc.h | 7 --- + 3 files changed, 30 insertions(+), 9 deletions(-) + +diff --git a/src/xmalloc.c b/src/xmalloc.c +index 9bf15969..56fe6944 100644 +--- a/src/xmalloc.c b/src/xmalloc.c +@@ -20,6 +20,16 @@ + #include "sox_i.h" + #include + ++static void *lsx_checkptr(void *ptr) ++{ ++ if (!ptr) { ++lsx_fail("out of memory"); ++exit(2); ++ } ++ ++ return ptr; ++} ++ + /* Resize an allocated memory area; abort if not possible. + * + * For malloc, `If the size of the space requested is zero, the behavior is +@@ -34,10 +44,20 @@ void *lsx_realloc(void *ptr, size_t newsize) + return NULL; + } + +- if ((ptr = realloc(ptr, newsize)) == NULL) { +-lsx_fail("out of memory"); +-exit(2); +- } ++ return lsx_checkptr(realloc(ptr, newsize)); ++} + +- return ptr; ++void *lsx_malloc(size_t size) ++{ ++ return lsx_checkptr(malloc(size + !size)); ++} ++ ++void *lsx_calloc(size_t n, size_t size) ++{ ++ return lsx_checkptr(calloc(n + !n, size + !size)); ++} ++ ++char *lsx_strdup(const char *s) ++{ ++ return lsx_checkptr(strdup(s)); + } +diff --git a/src/xmalloc.h b/src/xmalloc.h +index 9ee77f63..92ac64d9 100644 +--- a/src/xmalloc.h b/src/xmalloc.h +@@ -23,10 +23,11 @@ + #include + #include + +-#define lsx_malloc(size) lsx_realloc(NULL, (size)) +-#define lsx_calloc(n,s) (((n)*(s))? memset(lsx_malloc((n)*(s)),0,(n)*(s)) : NULL) ++LSX_RETURN_VALID void *lsx_malloc(size_t size); ++LSX_RETURN_VALID void *lsx_calloc(size_t n, size_t size); ++LSX_RETURN_VALID char *lsx_strdup(const char *s); ++ + #define lsx_Calloc(v,n) v = lsx_calloc(n,sizeof(*(v))) +-#define lsx_strdup(p) ((p)? strcpy((char *)lsx_malloc(strlen(p) + 1), p) : NULL) + #define lsx_memdup(p,s) ((p)? memcpy(lsx_malloc(s), p, s) : NULL) + #define lsx_valloc(v,n) v = lsx_malloc((n)*sizeof(*(v))) + #define lsx_revalloc(v,n) v = lsx_realloc(v, (n)*sizeof(*(v))) +-- +2.20.1 + diff -Nru sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch --- sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch 1970-01-01 01:00:00.0 +0100 +++ sox-14.4.1/debian/patches/0002-fix-possible-buffer-size-overflow-in-lsx_make_lpf-CV.patch 2019-05-10 01:08:00.0 +0200 @@ -0,0 +1,23 @@ +From f70911261a84333b077c29908e1242f69d7439eb Mon Sep 17 00:00:00 2001 +From: Mans Rullgard +Date: Wed, 24 Apr 2019 14:57:34 +0100 +Subject: [PATCH 2/5] fix possible buffer size overflow in lsx_make_lpf() + (CVE-2019-8354) + +The multiplication in the size argument malloc() might overflow, +resulting in a small buffer being allocated. Use calloc() instead. +--- + src/effects_i_dsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/effects_i_dsp.c b/src/effects_i_dsp.c +@@ -256,7 +256,7 @@ + double * lsx_make_lpf(int num_taps, double Fc, double beta, double scale, sox_bool dc_norm) + { + int i, m = num_taps - 1; +- double * h = malloc(num_taps * sizeof(*h)), sum = 0;
Bug#935458: RM: pump/0.8.24-7.1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, please remove pump in the 10.1 point release. It's unmaintained both in Debian and upstream and security-buggy. I've gotten in touch with Red Hat (the former upstream), it was formerly developed by Red Hat by for RHEL 5 and they recommended very strongly to remove it. Cheers, Moritz
Bug#932175: stretch-pu: package openssh/1:7.4p1-10+deb9u7
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu This update for OpenSSH fixes a dead lock in AuthorizedKeysCommand (#905226). The fixed package is running fine on a formerly affected Stretch system (https://phabricator.wikimedia.org) (I'm not the maintainer, but acked by Colin in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905226#27) Debdiff below. Cheers, Moritz diff -Nru openssh-7.4p1/debian/changelog openssh-7.4p1/debian/changelog --- openssh-7.4p1/debian/changelog 2019-03-01 17:19:28.0 +0100 +++ openssh-7.4p1/debian/changelog 2019-07-15 15:32:09.0 +0200 @@ -1,3 +1,11 @@ +openssh (1:7.4p1-10+deb9u7) stretch; urgency=medium + + * Fix deadlock when the keys/principals command produces a lot of +output and a key is matched early (upstream commit +ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2). (Closes: #905226) + + -- Moritz Mühlenhoff Mon, 15 Jul 2019 15:32:09 +0200 + openssh (1:7.4p1-10+deb9u6) stretch-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch --- openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch 1970-01-01 01:00:00.0 +0100 +++ openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch 2019-07-15 15:31:41.0 +0200 @@ -0,0 +1,37 @@ +From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001 +From: "d...@openbsd.org" +Date: Fri, 30 Dec 2016 22:08:02 + +Subject: [PATCH] upstream commit + +fix deadlock when keys/principals command produces a lot of +output and a key is matched early; bz#2655, patch from jboning AT gmail.com + +Upstream-ID: e19456429bf99087ea994432c16d00a642060afe +--- + auth2-pubkey.c | 8 +++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/auth2-pubkey.c b/auth2-pubkey.c +index 20f3309e1..70c021589 100644 +--- a/auth2-pubkey.c b/auth2-pubkey.c +@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key) + + ok = process_principals(f, NULL, pw, cert); + ++ fclose(f); ++ f = NULL; ++ + if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0) + goto out; + +@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) + + ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); + ++ fclose(f); ++ f = NULL; ++ + if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0) + goto out; + diff -Nru openssh-7.4p1/debian/patches/series openssh-7.4p1/debian/patches/series --- openssh-7.4p1/debian/patches/series 2019-03-01 17:19:28.0 +0100 +++ openssh-7.4p1/debian/patches/series 2019-07-15 15:31:41.0 +0200 @@ -44,3 +44,4 @@ have-progressmeter-force-update-at-beginning-and-end-transfer.patch check-filenames-in-scp-client.patch scp-handle-braces.patch +fix-deadlock-in-keys-principals-command.patch
Re: Revert some Go packages in unstable to align with testing/buster
On Thu, Jul 04, 2019 at 12:30:24PM +0200, Paul Gevers wrote: > Hi security-team, > > On 08-06-2019 23:45, Thorsten Alteholz wrote: > > Hi everybody, > > > > On Wed, 5 Jun 2019, Paul Gevers wrote: > >> One other problem is that tools are lacking to schedule binNMUs on the > >> right packages in an efficient manner and in the right order. > > > > I just added [1]. It contains one simple shell script to calculate the > > build order of golang packages, for example: > > ./getBuildList golang-github-aleksi-pointer > > In order to only get the packages to build use: > > ./getBuildList golang-github-aleksi-pointer |grep "B:" > > > > At the beginning is a small config section that needs to be adjusted to > > your settings. It is only a simple script and should not be used in > > real life. It is just meant to check whether the algorithm works. > > So please have a look and be kind :-). > > > > Thorsten > > > > > > [1] https://salsa.debian.org/go-team/packages/getbuildlist > > If I am correct, this e-mail didn't get a reply yet. This e-mail is to > let you, the security team, know that we, the release team [1], think > the next action is for you to work with Thorsten to get this working, as > it is you that have to use it in the end. I hadn't seen that mail yet, but will look over it in the next two weeks. Cheers, Moritz
Bug#930812: unblock: cargo/0.35.0-2
On Sat, Jun 22, 2019 at 07:52:40PM +0200, Paul Gevers wrote: > Hi Ximin, > > On 22-06-2019 11:57, Ximin Luo wrote: > > Paul Gevers: > >> On 21-06-2019 07:38, Ximin Luo wrote: > >>> rustc 1.34.2 was unblocked in bug #930661 but the bug requestor forgot to > >>> file > >>> the corresponding unblock request for cargo version 0.35.0-1. This is the > >>> recommended version of cargo that goes with that rust version. > >> > >> How strong is this recommendation? It is too late in the freeze to take > >> new upstream releases that aren't targeted fixes for important or higher > >> bugs. > >> > > > > Strong in that upstream does not officially support any other > > combination and doesn't even talk about it as being possible. It's > > only a quirk of the Debian packaging situation that sometimes the > > versions are mismatched in unstable, because we de-synchronise rustc > > vs cargo releases. Upstream always releases them in sync. I don't > > think we should desync them for a stable release. > And is the security team aware of this (in CC)? We are doing this to > support Firefox security builds. Rust 1.34 is needed for Firefox ESR68 and if Cargo 0.35 should complement that, then let's do that. Cheers, Moritz
Bug#930661: unblock: rustc/1.34.2+dfsg1-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock The next Firefox ESR 68 (about to obsolete ESR60 in October) will need rustc 1.34, while buster currently has 1.32. This is against all freeze policies, but OTOH only bumping to 1.34 in the first buster point release doesn't seem to buy us anything? unblock rustc/1.34.2+dfsg1-1 Cheers, Moritz
Bug#929603: unblock: webkit2gtk/2.24.2-1
On Thu, May 30, 2019 at 08:42:42AM +0200, Paul Gevers wrote: > Control: tags -1 moreinfo > > Hi Alberto, > > On Sun, 26 May 2019 23:08:03 +0200 Alberto Garcia wrote: > > Please unblock package webkit2gtk > > > > The new upstream stable release contains (among others) fixes > > for these three security bugs: CVE-2019-8595, CVE-2019-8607 and > > CVE-2019-8615. > > Just to get it clear, the security support of webkit2gtk in buster will > be done by following upstream releases? Does this involve specific > stable release branches? And this upload/unblock is the same what the > security team would accept if we would already have released? Yep, that's the case. Cheers, Moritz
Bug#928185: unblock: openjdk-11/11.0.3+7-4
On Mon, May 27, 2019 at 03:46:44PM +0200, Matthias Klose wrote: > Control: tag -1 - moreinfo > > On 02.05.19 10:30, Julien Cristau wrote: > > Control: tag -1 moreinfo > > > > Hi Matthias, > > > > On Mon, Apr 29, 2019 at 06:12:36PM +0200, Matthias Klose wrote: > >> Package: release.debian.org > >> Severity: normal > >> User: release.debian@packages.debian.org > >> Usertags: unblock > >> > >> Please unblock openjdk-11/11.0.3+7-4. That's the quarterly security update > >> and > >> should be released with buster. No more updates planned until the next > >> security > >> update in July. > > > > From what I understand bug#926009 is a regression in that version. > > There's no explanation that I can see for that change, no associated > > bug, and it doesn't look appropriate. Please revert it. > > No. With the change of ownership of the upstream jdk11-updates project, you > see > that the patches applied to the Oracle builds and to the OpenJDK builds > differ, > and the OpenJDK maintainers need to track issues based on tags in the issue > tracker and backport these changes themself. The LibreOffice packages are > fixed, the gradle tests are not used. Other vendors also ship OpenJDK with > other vendor settings. > > This is a minor change, and we had far more disruptive updates in OpenJDK 11 > itself like many late changes for documentation building. > > I will continue to update the packages to the next security release which is > expected in July. If that's too late for the release, these will most likely > be > handled by the security team. Indeed, there's no point in not unblocking this now for buster; buster-security updates will be based on following the openjdk-11 upstream releases as already done for openjdk-7/8 in jessie/stretch. Cheers, Moritz
Bug#929596: unblock: firefox-esr/60.7.0esr-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package firefox-esr. It's the latest ESR security release. unblock firefox-esr/60.7.0esr-1 Cheers, Moritz
Re: Bug#928026: security support for golang packages in Buster
On Wed, May 08, 2019 at 08:45:30AM +0200, Paul Gevers wrote: > > 2. binNMU without full source upload for security-master. > > > >It's still not possible, and I don't know there's any effort to > >change the dak. > > > >But I want to know how security team handles other static linked > >languages, like rust, haskell, ocaml, etc. > > With respect to binNMU'ing, static linking is not a problem, only > arch:all is. Most haskell (4 vs 1048) and ocaml (21 vs 233) aren't > arch:all. haskell and ocaml have a framework in place to at least know > the status in unstable/testing. See e.g. the "permanent trackers" at > https://release.debian.org/transitions/ I don't know yet what this means > for security support. Neither do I know what it means for rust. There's the additional issue that ftp-master and security-master don't share tarballs; binNMUs are only possible for packages which are on security-master, so we'd need to do manual source uploads for every affected go package. > But most haskell and ocaml packages can be binNMU'd. This issue has been around for Haskell and Ocaml for a long time, but it hasn't been an issue in practice. Ideally we can use the same mechanism found for Go, also for Ocaml or Haskell if the need should ever arise. For Go it's different, it has already bitten us for the limited subset of Go applications in Stretch (and #922170 which is needed to kludge around it), but with the increased footprint of Go stuff in buster we need something better. The same issue will hit us with Rust as well, but for buster we have only two relevant packages (librsvg and firefox which use vendored libs, which seems manageable). For bullseye we also need a proper, generic solution for Rust. > I think the > problem of the security team is that they don't want to commit to that. Yeah, that won't work, this could amount to hundreds of packages. Cheers, Moritz
Bug#928051: unblock: chromium/74.0.3729.108-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package chromium. It fixes the recent security issues and we're also following upstream releases in stable. unblock chromium/74.0.3729.108-1 Cheers, Moritz
Bug#927483: unblock: wireshark/2.6.8-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package wireshark. It fixes the recent security issues by updating to the latest 2.6.x (Wireshark in stretch-security also follows upstream releases (as will buster-security) unblock wireshark/2.6.8-1 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Bug#927424: stretch-pu: package rails/2:4.2.7.1-1+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Fixes three issues in rails, debdiff below. Passes all regressions tests and a quick functional test. Cheers, Moritz diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog --- rails-4.2.7.1/debian/changelog 2016-08-22 19:33:48.0 +0200 +++ rails-4.2.7.1/debian/changelog 2019-04-18 16:51:20.0 +0200 @@ -1,3 +1,10 @@ +rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium + + * CVE-2018-16476 (Closes: #914847) + * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520) + + -- Moritz Mühlenhoff Thu, 18 Apr 2019 20:48:13 +0200 + rails (2:4.2.7.1-1) unstable; urgency=medium * New upstream release; includes fixes for the following issues: diff -Nru rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch --- rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch 1970-01-01 01:00:00.0 +0100 +++ rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch 2019-04-18 16:44:58.0 +0200 @@ -0,0 +1,47 @@ +From 4f03411fd07d714b525655e2457bbd761c9f03a5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?= + +Date: Wed, 5 Sep 2018 17:38:09 -0400 +Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by + Active Job + +Trusting any GlobaID object when deserializing jobs can allow +attackers to access information that should not be accessible to them. + +Fix CVE-2018-16476. +--- + activejob/lib/active_job/arguments.rb | 2 +- + activejob/test/cases/argument_serialization_test.rb | 4 + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb +index ecd81f2099..e33ee649cd 100644 +--- a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb +@@ -75,7 +75,7 @@ module ActiveJob + def deserialize_argument(argument) + case argument + when String +- GlobalID::Locator.locate(argument) || argument ++ argument + when *TYPE_WHITELIST + argument + when Array +diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb +index 1f11e916c4..058a828b86 100644 +--- a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb +@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase + assert_arguments_roundtrip [@person] + end + ++ test "should keep Global IDs strings as they are" do ++assert_arguments_roundtrip [@person.to_gid.to_s] ++ end ++ + test 'should dive deep into arrays and hashes' do + assert_arguments_roundtrip [3, [@person]] + assert_arguments_roundtrip [{ 'a' => @person }] +-- +2.18.0 + diff -Nru rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch --- rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch 1970-01-01 01:00:00.0 +0100 +++ rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch 2019-04-18 16:45:44.0 +0200 @@ -0,0 +1,113 @@ +From 58ed245e80a8710fbe31e91417bfd19f9f934cc4 Mon Sep 17 00:00:00 2001 +From: John Hawthorn +Date: Mon, 4 Mar 2019 18:24:51 -0800 +Subject: [PATCH] Only accept formats from registered mime types + +[CVE-2019-5418] +[CVE-2019-5419] +--- + .../lib/action_dispatch/http/mime_negotiation.rb | 6 +- + .../test/controller/mime/respond_to_test.rb | 14 -- + .../new_base/content_negotiation_test.rb | 16 +--- + 3 files changed, 26 insertions(+), 10 deletions(-) + +diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb +index 53a98c5d0a..00fd3d03df 100644 +--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb +@@ -61,7 +61,7 @@ module ActionDispatch + false + end + +- if params_readable ++ v = if params_readable + Array(Mime[parameters[:format]]) + elsif use_accept_header && valid_accept_header + accepts +@@ -70,6 +70,10 @@ module ActionDispatch + else + [Mime::HTML] + end ++ ++ v.select do |format| ++format.symbol || format.ref == "*/*" ++ end + end + end + +diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb +index 66d2fd7716..07ad0085fc 100644 +--- a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb +@@ -87,9 +87,9 @@ class RespondToController <
Bug#926897: stretch-pu: package audiofile/0.3.6-4+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Fixes two minor security issue, debdiff below. Cheers, Moritz diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog --- audiofile-0.3.6/debian/changelog2017-03-16 21:43:45.0 +0100 +++ audiofile-0.3.6/debian/changelog2019-04-11 00:28:31.0 +0200 @@ -1,3 +1,10 @@ +audiofile (0.3.6-4+deb9u1) stretch; urgency=medium + + * CVE-2018-13440 (Closes: #903499) + * CVE-2018-17095 (Closes: #913166) + + -- Moritz Mühlenhoff Thu, 11 Apr 2019 00:28:31 +0200 + audiofile (0.3.6-4) unstable; urgency=high * Team upload. diff -Nru audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch --- audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 1970-01-01 01:00:00.0 +0100 +++ audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 2019-04-05 16:10:40.0 +0200 @@ -0,0 +1,28 @@ +From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Thu, 27 Sep 2018 10:48:45 +0200 +Subject: [PATCH] ModuleState: handle compress/decompress init failure + +When the unit initcompress or initdecompress function fails, +m_fileModule is NULL. Return AF_FAIL in that case instead of +causing NULL pointer dereferences later. + +Fixes #49 +--- + libaudiofile/modules/ModuleState.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +index 0c29d7a..070fd9b 100644 +--- a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track) + m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok, + file->m_fileFormat == AF_FILE_RAWDATA, ); + ++ if (!m_fileModule) ++ return AF_FAIL; ++ + if (unit->needsRebuffer) + { + assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP); diff -Nru audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch --- audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 1970-01-01 01:00:00.0 +0100 +++ audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 2019-04-05 16:10:40.0 +0200 @@ -0,0 +1,26 @@ +From 822b732fd31ffcb78f6920001e9b1fbd815fa712 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Thu, 27 Sep 2018 12:11:12 +0200 +Subject: [PATCH] SimpleModule: set output chunk framecount after pull + +After pulling the data, set the output chunk to the amount of +frames we pulled so that the next module in the chain has the correct +frame count. + +Fixes #50 and #51 +--- + libaudiofile/modules/SimpleModule.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp +index 2bae1eb..e87932c 100644 +--- a/libaudiofile/modules/SimpleModule.cpp b/libaudiofile/modules/SimpleModule.cpp +@@ -26,6 +26,7 @@ + void SimpleModule::runPull() + { + pull(m_outChunk->frameCount); ++ m_outChunk->frameCount = m_inChunk->frameCount; + run(*m_inChunk, *m_outChunk); + } + diff -Nru audiofile-0.3.6/debian/patches/series audiofile-0.3.6/debian/patches/series --- audiofile-0.3.6/debian/patches/series 2017-03-16 21:38:15.0 +0100 +++ audiofile-0.3.6/debian/patches/series 2019-04-11 00:28:31.0 +0200 @@ -8,3 +8,5 @@ 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch 09_Actually-fail-when-error-occurs-in-parseFormat.patch 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch +11_CVE-2018-13440.patch +12_CVE-2018-17095.patch
Bug#926890: unblock: audiofile/0.3.6-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package audiofile. It fixes two security issues and updates the meta data away from Alioth to Salsa. unblock audiofile/0.3.6-5 Cheers, Moritz diff -Nru audiofile-0.3.6/debian/changelog audiofile-0.3.6/debian/changelog --- audiofile-0.3.6/debian/changelog2017-03-16 21:43:45.0 +0100 +++ audiofile-0.3.6/debian/changelog2019-04-05 16:13:16.0 +0200 @@ -1,10 +1,28 @@ +audiofile (0.3.6-5) unstable; urgency=medium + + * Team upload. + + [ Ondřej Nový ] + * d/control: Set Vcs-* to salsa.debian.org + * d/copyright: Use https protocol in Format field + + [ Felipe Sateler ] + * Change maintainer address to debian-multime...@lists.debian.org + + [ Moritz Mühlenhoff ] + * Two security fixes from the https://github.com/wtay/audiofile fork: +CVE-2018-13440 (Closes: #903499) +CVE-2018-17095 (Closes: #913166) + + -- Sebastian Ramacher Fri, 05 Apr 2019 16:13:16 +0200 + audiofile (0.3.6-4) unstable; urgency=high * Team upload. - * debian/patches: Apply patches to fix CVE-2017-6829, CVE-2017-6831, -CVE-2017-6832, CVE-2017-6833, CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, -CVE-2017-6837, CVE-2017-6838, CVE-2017-6839, CVE-2017-6827, CVE-2017-6828. -(Closes: #857651) + * debian/patches: Apply patches to fix CVE-2017-6827, CVE-2017-6828, +CVE-2017-6829, CVE-2017-6830, CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, +CVE-2017-6834, CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838, +CVE-2017-6839. (Closes: #857651) -- Sebastian Ramacher Thu, 16 Mar 2017 21:43:45 +0100 @@ -471,7 +489,7 @@ audiofile (0.1.5-5) unstable; urgency=low - * Added extra documentation (#32366) + * Added extra documentation (#32366) -- Brian M. Almeida Wed, 3 Feb 1999 13:13:08 -0500 diff -Nru audiofile-0.3.6/debian/control audiofile-0.3.6/debian/control --- audiofile-0.3.6/debian/control 2017-03-16 21:11:18.0 +0100 +++ audiofile-0.3.6/debian/control 2019-04-05 16:10:40.0 +0200 @@ -1,7 +1,7 @@ Source: audiofile Section: libs Priority: optional -Maintainer: Debian Multimedia Maintainers +Maintainer: Debian Multimedia Maintainers Uploaders: Alessio Treglia Build-Depends: @@ -12,8 +12,8 @@ pkg-config Standards-Version: 3.9.8 Homepage: http://audiofile.68k.org/ -Vcs-Git: https://anonscm.debian.org/git/pkg-multimedia/audiofile.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-multimedia/audiofile.git +Vcs-Git: https://salsa.debian.org/multimedia-team/audiofile.git +Vcs-Browser: https://salsa.debian.org/multimedia-team/audiofile Package: audiofile-tools Section: utils diff -Nru audiofile-0.3.6/debian/copyright audiofile-0.3.6/debian/copyright --- audiofile-0.3.6/debian/copyright2017-03-16 21:11:18.0 +0100 +++ audiofile-0.3.6/debian/copyright2019-04-05 16:10:40.0 +0200 @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: audiofile Upstream-Contact: Michael Pruett Source: http://www.68k.org/~michael/audiofile/ diff -Nru audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch --- audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 1970-01-01 01:00:00.0 +0100 +++ audiofile-0.3.6/debian/patches/11_CVE-2018-13440.patch 2019-04-05 16:10:40.0 +0200 @@ -0,0 +1,28 @@ +From fde6d79fb8363c4a329a184ef0b107156602b225 Mon Sep 17 00:00:00 2001 +From: Wim Taymans +Date: Thu, 27 Sep 2018 10:48:45 +0200 +Subject: [PATCH] ModuleState: handle compress/decompress init failure + +When the unit initcompress or initdecompress function fails, +m_fileModule is NULL. Return AF_FAIL in that case instead of +causing NULL pointer dereferences later. + +Fixes #49 +--- + libaudiofile/modules/ModuleState.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +index 0c29d7a..070fd9b 100644 +--- a/libaudiofile/modules/ModuleState.cpp b/libaudiofile/modules/ModuleState.cpp +@@ -75,6 +75,9 @@ status ModuleState::initFileModule(AFfilehandle file, Track *track) + m_fileModule = unit->initcompress(track, file->m_fh, file->m_seekok, + file->m_fileFormat == AF_FILE_RAWDATA, ); + ++ if (!m_fileModule) ++ return AF_FAIL; ++ + if (unit->needsRebuffer) + { + assert(unit->nativeSampleFormat == AF_SAMPFMT_TWOSCOMP); diff -Nru audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch --- audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 1970-01-01 01:00:00.0 +0100 +++ audiofile-0.3.6/debian/patches/12_CVE-2018-17095.patch 2019-04-05
Bug#926739: stretch-pu: package gpac/0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Fixes a number of minor issues, same patches are also in unstable for a week. Cheers, Moritz diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2016-08-04 23:29:39.0 +0200 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/changelog 2019-03-04 23:37:26.0 +0100 @@ -1,3 +1,12 @@ +gpac (0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1) stretch; urgency=medium + + * CVE-2018-7752 (Closes: #892526) + * CVE-2018-13005, CVE-2018-13006 (Closes: #902782) + * CVE-2018-20760, CVE-2018-20761, CVE-2018-20762, CVE-2018-20763 +(Closes: #921969) + + -- Moritz Mühlenhoff Mon, 04 Mar 2019 23:37:26 +0100 + gpac (0.5.2-426-gc5ad4e4+dfsg5-3) unstable; urgency=medium * Team upload. diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch 1970-01-01 01:00:00.0 +0100 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-13005_CVE-2018-13006.patch 2019-03-04 23:13:09.0 +0100 @@ -0,0 +1,38 @@ +From bceb03fd2be95097a7b409ea59914f332fb6bc86 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Thu, 28 Jun 2018 13:34:08 +0200 +Subject: [PATCH] fixed 2 possible heap overflows (inc. #1088) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/internal/isomedia_dev.h gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/internal/isomedia_dev.h +@@ -2988,7 +2988,7 @@ GF_GenericSubtitleSample *gf_isom_parse_ + char __ptype[5];\ + strcpy(__ptype, gf_4cc_to_str(__parent->type) );\ + GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \ +- gf_isom_box_del(a);\ ++ gf_isom_box_del(__abox);\ + return GF_OK;\ + } + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_code_base.c gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_code_base.c +@@ -619,7 +619,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream + + //then get the break + i = 0; +- while ( (tmpName[i] != 0) && (i < to_read) ) { ++ while ( (i < to_read) && (tmpName[i] != 0) ) { + i++; + } + //check the data is consistent +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_dump.c gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_dump.c +@@ -988,7 +988,7 @@ GF_Err dpin_dump(GF_Box *a, FILE * trace + GF_Err hdlr_dump(GF_Box *a, FILE * trace) + { + GF_HandlerBox *p = (GF_HandlerBox *)a; +- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) { ++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) { + fprintf(trace, "handlerType), p->nameUTF8+1); + } else { + fprintf(trace, "handlerType), p->nameUTF8); diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch 1970-01-01 01:00:00.0 +0100 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20760.patch 2019-03-04 23:13:47.0 +0100 @@ -0,0 +1,16 @@ +From 4c1360818fc8948e9307059fba4dc47ba8ad255d Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Thu, 13 Dec 2018 14:39:21 +0100 +Subject: [PATCH] check error code on call to gf_utf8_wcstombs (#1177) + +--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/text_import.c gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/text_import.c +@@ -259,6 +259,8 @@ char *gf_text_get_utf8_line(char *szLine + } + sptr = (u16 *)szLine; + i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) ); ++ if (i >= (u32)ARRAY_LENGTH(szLineConv)) ++ return NULL; + szLineConv[i] = 0; + strcpy(szLine, szLineConv); + /*this is ugly indeed: since input is UTF16-LE, there are many chances the fgets never reads the \0 after a \n*/ diff -Nru gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch --- gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch 1970-01-01 01:00:00.0 +0100 +++ gpac-0.5.2-426-gc5ad4e4+dfsg5/debian/patches/CVE-2018-20761_CVE-2018-20762.patch 2019-03-04 23:14:31.0 +0100 @@ -0,0 +1,147 @@ +From 35ab4475a7df9b2a4bcab235e379c0c3ec543658 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Fri, 11 Jan 2019 11:32:54 +0100 +Subject: [PATCH] fix some overflows due to strcpy + +fixes #1184, #1186, #1187 among other things + +---
Bug#926048: RM: tbdialout/1.7.2-1+deb9u1
reopen 926048 thanks On Sun, Mar 31, 2019 at 07:30:28AM +0200, Paul Gevers wrote: > Hi Moritz, > > On 30-03-2019 22:33, Moritz Muehlenhoff wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian@packages.debian.org > > Usertags: rm > > > > This extension is broken with Thunderbird 60 and was already removed from > > sid. > > I assume you know that removals from sid are (normally) tracked in > testing. Yeah, this is for the next point release, it was tagged "stretch". Cheers, Moritz
Bug#926053: unblock: firefox-esr/60.6.1esr-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package firefox-esr. It upgrades to the latest 60 ESR release, including a few security fixes. unblock firefox-esr/60.6.1esr-1 Cheers, Moritz