Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2024-07-08 Thread Nicolas Mora
Hello,

Thanks for the update, I will upload it next week if that's ok

/Nicolas

On 7 July 2024 at 14:55:41, Jonathan Wiltshire wrote:

> Control: tag -1 confirmed
> 
> Hi,
> 
> Sorry about the long delay; if this is still of interest, please go ahead.
> The next point release of bullseye will be the final.
> 
> Thanks,
> 
> -- 
> Jonathan Wiltshire  j...@debian.org
> Debian Developer http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
> ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2024-04-22 Thread Nicolas Mora

On 2024-04-22 at 13:08, Jonathan Wiltshire wrote:

> Please go ahead.

Thanks, it's uploaded



Bug#1056936: bookworm-pu: package glewlwyd/2.7.5-3

2024-04-07 Thread Nicolas Mora

On 2024-04-06 at 18:38, Jonathan Wiltshire wrote:

> Sorry for the delay; please go ahead.

Thanks, it's uploaded!

/Nicolas



Bug#1056936: bookworm-pu: package glewlwyd/2.7.5-3

2024-02-14 Thread Nicolas Mora

Hello,

I've updated the debdiff to add a fix for CVE-2024-25715

/Nicolas

diff -Nru glewlwyd-2.7.5/debian/changelog glewlwyd-2.7.5/debian/changelog
--- glewlwyd-2.7.5/debian/changelog	2023-05-04 07:21:27.0 -0400
+++ glewlwyd-2.7.5/debian/changelog	2023-11-23 17:12:13.0 -0500
@@ -1,3 +1,12 @@
+glewlwyd (2.7.5-3+deb12u1) bookworm; urgency=medium
+
+  * d/patches: Fix CVE-2023-49208
+possible buffer overflow during FIDO2 credentials validation
+  * d/patches: Fix CVE-2024-25715
+open redirection via redirect_uri
+
+ -- Nicolas Mora   Thu, 23 Nov 2023 17:12:13 -0500
+
 glewlwyd (2.7.5-3) unstable; urgency=medium
 
   * Install config.json as config-2.7.json (Closes: #1035503)
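Review bot: the new changelog entry still carries the `Thu, 23 Nov 2023 17:12:13 -0500` timestamp of the earlier debdiff although the CVE-2024-25715 bullet was added in February 2024, so the entry predates the fix it documents; regenerate the date with `dch -r` before upload. The CVE-2023-49208 wording here ("FIDO2 credentials validation") also differs from the bullseye entry for the same CVE ("FIDO2 signature validation in webauthn registration"); use one description for both.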
diff -Nru glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch
--- glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch	1969-12-31 19:00:00.0 -0500
+++ glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch	2023-11-23 17:12:13.0 -0500
@@ -0,0 +1,21 @@
+Description: Fix CVE-2023-49208 for bookworm
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
 b/src/scheme/webauthn.c
+@@ -2260,13 +2260,13 @@
+ for (i=0; i
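Review bot: the CVE-2023-49208 hunk is cut off after `for (i=0; i`, and the file header and `Description:` of the second patch are missing (only `+Forwarded: not-needed` survives before the `--- a/src/plugin/protocol_oauth2.c` line), so neither the FIDO2 bounds check nor the provenance of the CVE-2024-25715 patch can be reviewed from this copy; please attach the complete debdiff.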
+Forwarded: not-needed
+--- a/src/plugin/protocol_oauth2.c
 b/src/plugin/protocol_oauth2.c
+@@ -696,7 +696,7 @@
+ 
+ static json_t * check_client_valid(struct _oauth2_config * config, const char * client_id, const char * client_header_login, const char * client_header_password, const char * redirect_uri, unsigned short authorization_type, int implicit_flow, const char * ip_source) {
+   json_t * j_client, * j_element = NULL, * j_return;
+-  int uri_found, authorization_type_enabled;
++  int uri_found = 0, authorization_type_enabled;
+   size_t index = 0;
+   
+   if (client_id == NULL) {
+@@ -707,20 +707,17 @@
+ return json_pack("{si}", "result", G_ERROR_PARAM);
+   }
+   j_client = config->glewlwyd_config->glewlwyd_callback_check_client_valid(config->glewlwyd_config, client_id, client_header_password);
+-  if (check_result_value(j_client, G_OK)) {
++  if (check_result_value(j_client, G_OK) && json_object_get(json_object_get(j_client, "client"), "enabled") == json_true()) {
+ if (!implicit_flow && client_header_password == NULL && json_object_get(json_object_get(j_client, "client"), "confidential") == json_true()) {
+   y_log_message(Y_LOG_LEVEL_DEBUG, "check_client_valid - oauth2 - Error, confidential client must be authentified with its password, origin: %s", ip_source);
+   j_return = json_pack("{si}", "result", G_ERROR_UNAUTHORIZED);
+ } else {
+   if (redirect_uri != NULL) {
+-uri_found = 0;
+ json_array_foreach(json_object_get(json_object_get(j_client, "client"), "redirect_uri"), index, j_element) {
+   if (0 == o_strcmp(json_string_value(j_element), redirect_uri)) {
+ uri_found = 1;
+   }
+ }
+-  } else {
+-uri_found = 1;
+   }
+   
+   authorization_type_enabled = 0;
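Review bot: dropping the `else { uri_found = 1; }` branch means a caller that passes `redirect_uri == NULL` now leaves `uri_found` at 0 (its new initialiser from the first hunk) and, assuming the code below rejects on `!uri_found`, is refused. That is the right outcome for an authorization request that omits redirect_uri, but check that every other caller of `check_client_valid()` (token endpoint grants that legitimately carry no redirect_uri) still succeeds, and state in the patch header that redirect_uri is now required whenever it is checked. The added `"enabled" == json_true()` test silently sends a disabled client down the generic error path; a debug log line like the one above it for the confidential-client case would make that visible in the logs.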
+@@ -2444,8 +2441,8 @@
+   // Check if client is allowed to perform this request
+   if (check_result_value(j_client, G_OK)) {
+ // Client is allowed to use auth_code grant with this redirection_uri
+-if (u_map_has_key(request->map_url, "g_continue")) {
+-  if (!o_strnullempty(u_map_get(request->map_url, "scope"))) {
++if (!o_strnullempty(u_map_get(request->map_url, "scope"))) {
++  if (u_map_has_key(request->map_url, "g_continue")) {
+ j_session = validate_session_client_scope(config, request, u_map_get(request->map_url, "client_id"), u_map_get(request->map_url, "scope"));
+ if (check_result_value(j_session, G_OK)) {
+   if (json_object_get(json_object_get(j_session, "session"), "authorization_required") == json_false()) {
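Review bot: swapping the nesting of the `scope` and `g_continue` checks changes which `else` branch a request with an empty scope reaches, which is the substance of the open redirect fix, but nothing in the hunk says so; add a comment above the `if (!o_strnullempty(u_map_get(request->map_url, "scope")))` line stating that the scope must be validated before anything is redirected to the client-supplied redirect_uri, so a later refresh of the patch does not reintroduce the old order.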
+@@ -2526,26 +2523,20 @@
+ }
+ json_decref(j_session);
+   } else {
+-// Scope is not allowed for this user
+-y_log_message(Y_LOG_LEVEL_DEBUG, "check_auth_type_auth_code_grant - oauth2 - scope list is missing or empty, origin: %s", ip_source);
+-response->status = 302;
+-redirect_url = msprintf("%s%serror=invalid_scope%s", u_map_get(request->map_url, "redirect_uri"), (o_strchr(u_map_get(request->map_url, "redirect_uri"), '?')!=NULL?"&":"?"), state_param);
++// Redirect to login page
++redirect_url = get_login_url(config, request, "auth", u_map_get(request->map_url, "client_id"), u_map_get(request->map_url, "scope"), NULL);
+ ulfius_add_header_to_response(response, "Location", redirect_url);
+ o_free(redirect_url);
++respons
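Review bot: the hunk ends mid-token at `+respons`, so the status code set for the new login redirect is not visible; please resend the full debdiff. In the visible part the removed branch built `redirect_url` from `u_map_get(request->map_url, "redirect_uri")` and `state_param`, while the replacement `get_login_url(config, request, "auth", ..., NULL)` no longer uses `state_param`; if this was its only use, expect an unused-variable warning and drop it, and confirm the `state` value is still carried back to the client after the user logs in.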

Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2024-02-06 Thread Nicolas Mora

Control: tag +1 moreinfo

Thanks,



Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2024-02-06 Thread Nicolas Mora

Control: tag -1 moreinfo

Thanks,



Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2024-02-06 Thread Nicolas Mora

Control: tag - moreinfo

Thanks,

Sorry, it seems that I'm not very well aware of the BTS process, 
according to [1] this is how I should untag the bug.


[1] https://www.debian.org/Bugs/server-control



Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2023-12-19 Thread Nicolas Mora

Hello,

Thank you for the feedback, the new attached debdiff should fix these.

Thanks!

diff -Nru libssh2-1.9.0/debian/changelog libssh2-1.9.0/debian/changelog
--- libssh2-1.9.0/debian/changelog  2020-12-14 10:02:16.0 -0500
+++ libssh2-1.9.0/debian/changelog  2023-11-29 07:00:07.0 -0500
@@ -1,3 +1,10 @@
+libssh2 (1.9.0-2+deb11u1) bullseye; urgency=medium
+
+  * Fix CVE-2020-22218: missing check in _libssh2_packet_add() allows
+attackers to access out of bounds memory.
+
+ -- Nicolas Mora   Wed, 29 Nov 2023 07:00:07 -0500
+
 libssh2 (1.9.0-2) unstable; urgency=medium
 
   * d/control: Fix VCS URIs
diff -Nru libssh2-1.9.0/debian/patches/CVE-2020-22218.patch 
libssh2-1.9.0/debian/patches/CVE-2020-22218.patch
--- libssh2-1.9.0/debian/patches/CVE-2020-22218.patch   1969-12-31 
19:00:00.0 -0500
+++ libssh2-1.9.0/debian/patches/CVE-2020-22218.patch   2023-11-29 
07:00:07.0 -0500
@@ -0,0 +1,14 @@
+Description: Fix CVE-2020-22218
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/transport.c
 b/src/transport.c
+@@ -472,7 +472,7 @@
+ /* Get a packet handle put data into. We get one to
+hold all data, including padding and MAC. */
+ p->payload = LIBSSH2_ALLOC(session, total_num);
+-if(!p->payload) {
++if(total_num == 0 || !p->payload) {
+ return LIBSSH2_ERROR_ALLOC;
+ }
+ p->total_num = total_num;
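Review bot: the zero-length test runs after `LIBSSH2_ALLOC(session, total_num)`; when `total_num == 0` and the allocator hands back a non-NULL pointer for a zero-byte request, `p->payload` is leaked on the early return. Move the check before the allocation, e.g. `if(total_num == 0) { return LIBSSH2_ERROR_PROTO; }` ahead of the `LIBSSH2_ALLOC` line, which also stops reporting a malformed packet length as an allocation failure. The patch header should cite the upstream PR 476 it backports (an `Origin:` line) so the two can be compared.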
diff -Nru libssh2-1.9.0/debian/patches/series 
libssh2-1.9.0/debian/patches/series
--- libssh2-1.9.0/debian/patches/series 2020-12-14 10:02:16.0 -0500
+++ libssh2-1.9.0/debian/patches/series 2023-11-29 07:00:07.0 -0500
@@ -1,3 +1,4 @@
+CVE-2020-22218.patch
 manpage.patch
 0001-Add-lgpg-error-to-.pc-to-facilitate-static-linking.patch
 0001-Do-not-expose-private-libraries-nor-link-flags-to-us.patch
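Review bot: `CVE-2020-22218.patch` is prepended to `series`, so quilt applies it before `manpage.patch` and the two `0001-*` patches. That works because they touch other files, but the convention is to append new patches at the end so the series stays in the order the patches were added and the older ones do not need refreshing if a later fix overlaps.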


Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2023-11-29 Thread Nicolas Mora

See the debdiff attached

diff -Nru libssh2-1.9.0/debian/changelog libssh2-1.9.0/debian/changelog
--- libssh2-1.9.0/debian/changelog  2020-12-14 10:02:16.0 -0500
+++ libssh2-1.9.0/debian/changelog  2023-11-29 07:00:07.0 -0500
@@ -1,3 +1,9 @@
+libssh2 (1.9.0-2+debu11u1) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2020-22218
+
+ -- Nicolas Mora   Wed, 29 Nov 2023 07:00:07 -0500
+
 libssh2 (1.9.0-2) unstable; urgency=medium
 
   * d/control: Fix VCS URIs
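Review bot: the version `1.9.0-2+debu11u1` has a stray `u`; the oldstable update suffix is `+deb11u1`, as in the resent debdiff. The entry also only names the CVE; add a one-line description of the issue (the missing length check in `_libssh2_packet_add()` allowing out-of-bounds memory access) so the changelog is self-explanatory in the point release announcement.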
diff -Nru libssh2-1.9.0/debian/patches/CVE-2020-22218.patch 
libssh2-1.9.0/debian/patches/CVE-2020-22218.patch
--- libssh2-1.9.0/debian/patches/CVE-2020-22218.patch   1969-12-31 
19:00:00.0 -0500
+++ libssh2-1.9.0/debian/patches/CVE-2020-22218.patch   2023-11-29 
07:00:07.0 -0500
@@ -0,0 +1,14 @@
+Description: Fix CVE-2020-22218
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/transport.c
 b/src/transport.c
+@@ -472,7 +472,7 @@
+ /* Get a packet handle put data into. We get one to
+hold all data, including padding and MAC. */
+ p->payload = LIBSSH2_ALLOC(session, total_num);
+-if(!p->payload) {
++if(total_num == 0 || !p->payload) {
+ return LIBSSH2_ERROR_ALLOC;
+ }
+ p->total_num = total_num;
diff -Nru libssh2-1.9.0/debian/patches/series 
libssh2-1.9.0/debian/patches/series
--- libssh2-1.9.0/debian/patches/series 2020-12-14 10:02:16.0 -0500
+++ libssh2-1.9.0/debian/patches/series 2023-11-29 07:00:07.0 -0500
@@ -1,3 +1,4 @@
+CVE-2020-22218.patch
 manpage.patch
 0001-Add-lgpg-error-to-.pc-to-facilitate-static-linking.patch
 0001-Do-not-expose-private-libraries-nor-link-flags-to-us.patch


Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2023-11-29 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libs...@packages.debian.org, t...@security.debian.org
Control: affects -1 + src:libssh2

[ Reason ]
Fix CVE-2020-22218
https://security-tracker.debian.org/tracker/CVE-2020-22218

[ Impact ]
allows attackers to access out of bounds memory

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This is a backport of PR 476



Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2023-11-27 Thread Nicolas Mora

Hello Salvatore,

On 2023-11-27 at 13:01, Salvatore Bonaccorso wrote:

> Small remark, the version ideally is set to 2.5.2-2+deb11u3.

My very bad, must be a wrong dch command, here is a new debdiff.

Thanks for noticing

/Nicolas

diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
--- glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/changelog 2023-11-24 08:14:30.0 -0500
@@ -1,3 +1,18 @@
+glewlwyd (2.5.2-2+deb11u3) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2022-27240
+  possible buffer overflow during webauthn signature assertion
+  * d/patches: Fix CVE-2022-29967
+  static_compressed_inmemory_website_callback.c in Glewlwyd
+  through 2.6.2 allows directory traversal
+  * d/glewlwyd-common.install: copy bootstrap, jquery, fork-awesome
+instead of linking it
+  * d/patches: Fix CVE-2023-49208:
+  possible buffer overflow during FIDO2 signature validation
+  in webauthn registration
+
+ -- Nicolas Mora   Fri, 24 Nov 2023 08:15:30 -0500
+
 glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
 
   * d/patches: Fix possible privilege escalation (Closes: #1001849)
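Review bot: the `d/glewlwyd-common.install: copy bootstrap, jquery, fork-awesome instead of linking it` bullet does not say why a packaging change belongs in a security update; if it is part of the CVE-2022-29967 traversal fix (for example because the static file callback no longer follows symlinks out of the webapp directory), state that here, otherwise the release team will ask for it to be dropped from a stable update.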
diff -Nru glewlwyd-2.5.2/debian/control glewlwyd-2.5.2/debian/control
--- glewlwyd-2.5.2/debian/control   2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/control   2023-11-24 08:13:12.0 -0500
@@ -35,6 +35,10 @@
  , node-i18next-http-backend
  , node-qrcode-generator
  , webpack
+ , fonts-fork-awesome
+ , libjs-jquery
+ , libjs-bootstrap4
+ , libjs-popper.js
 Standards-Version: 4.5.1
 Homepage: https://github.com/babelouest/glewlwyd
 Vcs-Browser: https://salsa.debian.org/debian-iot-team/oauth2/glewlwyd.git
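Review bot: the four packages added to Build-Depends (`fonts-fork-awesome`, `libjs-jquery`, `libjs-bootstrap4`, `libjs-popper.js`) are not explained by the changelog, and nothing in this debdiff shows the build reading from `/usr/share/javascript` or `/usr/share/fonts`; the new install globs copy from `webapp-src/js`, `webapp-src/css` and `webapp-src/fonts` in the source tree. Either show the d/rules step that copies the Debian-packaged files in (then these build-dependencies are justified and the matching binary `Depends` can go together with the `.links` file), or drop them; if the copies are upstream's vendored files instead, say so in the changelog, because that is what the security team tracks as embedded code copies.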
diff -Nru glewlwyd-2.5.2/debian/glewlwyd-common.install 
glewlwyd-2.5.2/debian/glewlwyd-common.install
--- glewlwyd-2.5.2/debian/glewlwyd-common.install   2021-12-17 
07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/glewlwyd-common.install   2023-11-24 
08:13:12.0 -0500
@@ -1,5 +1,6 @@
-webapp-src/css/glewlwyd*.css usr/share/glewlwyd/webapp/css/
-webapp-src/css/*-custom.css usr/share/glewlwyd/webapp/css/
+webapp-src/css/* usr/share/glewlwyd/webapp/css/
+webapp-src/js/* usr/share/glewlwyd/webapp/js/
+webapp-src/fonts/* usr/share/glewlwyd/webapp/fonts/
 webapp-src/locales/ usr/share/glewlwyd/webapp/
 webapp-src/img/ usr/share/glewlwyd/webapp/
 webapp-src/output/*.js usr/share/glewlwyd/webapp/
@@ -7,3 +8,4 @@
 webapp-src/favicon.ico usr/share/glewlwyd/webapp/
 
 debian/config.json usr/share/glewlwyd/templates/
+debian/config.json usr/share/glewlwyd/webapp/
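Review bot: with the `.links` file gone, `usr/share/glewlwyd/webapp/config.json` is no longer a symlink to the conffile `etc/glewlwyd/config.json` but a second copy of `debian/config.json` installed by the last added line; an administrator's edits to `/etc/glewlwyd/config.json` then stop reaching the webapp. Keep that one link (it does not involve the third-party assets this change is about) or document the new behaviour in `d/NEWS`.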
diff -Nru glewlwyd-2.5.2/debian/glewlwyd-common.links 
glewlwyd-2.5.2/debian/glewlwyd-common.links
--- glewlwyd-2.5.2/debian/glewlwyd-common.links 2021-12-17 07:51:46.0 
-0500
+++ glewlwyd-2.5.2/debian/glewlwyd-common.links 1969-12-31 19:00:00.0 
-0500
@@ -1,19 +0,0 @@
-usr/share/javascript/jquery/jquery.min.js 
usr/share/glewlwyd/webapp/js/jquery.min.js
-usr/share/javascript/jquery/jquery.min.js 
usr/share/glewlwyd/webapp/js/jquery.min.js
-usr/share/javascript/popper.js/umd/popper.min.js 
usr/share/glewlwyd/webapp/js/popper.min.js
-usr/share/javascript/popper.js/umd/popper-utils.min.js 
usr/share/glewlwyd/webapp/js/popper-utils.min.js
-
-usr/share/nodejs/bootstrap/dist/js/bootstrap.min.js 
usr/share/glewlwyd/webapp/js/bootstrap.min.js
-usr/share/nodejs/bootstrap/dist/js/bootstrap.min.js.map 
usr/share/glewlwyd/webapp/js/bootstrap.min.js.map
-usr/share/nodejs/bootstrap/dist/css/bootstrap.min.css 
usr/share/glewlwyd/webapp/css/bootstrap.min.css
-usr/share/nodejs/bootstrap/dist/css/bootstrap.min.css.map 
usr/share/glewlwyd/webapp/css/bootstrap.min.css.map
-
-usr/share/fonts-fork-awesome/css/fork-awesome.css 
usr/share/glewlwyd/webapp/css/fork-awesome.min.css
-usr/share/fonts-fork-awesome/css/v5-compat.css 
usr/share/glewlwyd/webapp/css/v5-compat.min.css
-usr/share/fonts/eot/fork-awesome/forkawesome-webfont.eot 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.eot
-usr/share/fonts/svg/fork-awesome/forkawesome-webfont.svg 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.svg
-usr/share/fonts/truetype/fork-awesome/forkawesome-webfont.ttf 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.ttf
-usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff
-usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff2 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff2
-
-etc/glewlwyd/config.json usr/share/glewlwyd/webapp/config.json
diff -Nru glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch 
glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch
--- glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch  1969-12-31 
19:00:00.0 -0500
+++ glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch  2023-11-24 
08:13:12.0 -0500
@@ -0,0 +1,263 @@
+--- a/src
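Review bot: the CVE-2022-29967 patch is cut off after `+--- a/src`, so none of the 263 added lines of the traversal fix in `static_compressed_inmemory_website_callback.c` can be reviewed from this copy; please resend the complete debdiff. For a backport of that size, a DEP-3 header with `Origin:` pointing at the upstream commit and a short `Description:` of what the new check does would help the release team.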

Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2023-11-27 Thread Nicolas Mora

Hello,

Here is a new debdiff for the glewlwyd/2.5.2-2+deb11u2 package, which
now also includes the fix for CVE-2023-49208.

diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
--- glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/changelog 2023-11-24 08:14:30.0 -0500
@@ -1,3 +1,18 @@
+glewlwyd (2.5.2-2+deb11u2.1) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2022-27240
+  possible buffer overflow during webauthn signature assertion
+  * d/patches: Fix CVE-2022-29967
+  static_compressed_inmemory_website_callback.c in Glewlwyd
+  through 2.6.2 allows directory traversal
+  * d/glewlwyd-common.install: copy bootstrap, jquery, fork-awesome
+instead of linking it
+  * d/patches: Fix CVE-2023-49208:
+  possible buffer overflow during FIDO2 signature validation
+  in webauthn registration
+
+ -- Nicolas Mora   Fri, 24 Nov 2023 08:15:30 -0500
+
 glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
 
   * d/patches: Fix possible privilege escalation (Closes: #1001849)
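Review bot: the version `2.5.2-2+deb11u2.1` is not the expected oldstable update version; the package in bullseye is `2.5.2-2+deb11u2`, so the next update is `2.5.2-2+deb11u3` (as Salvatore notes in the reply above, and as the resent debdiff uses).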
diff -Nru glewlwyd-2.5.2/debian/control glewlwyd-2.5.2/debian/control
--- glewlwyd-2.5.2/debian/control   2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/control   2023-11-24 08:13:12.0 -0500
@@ -35,6 +35,10 @@
  , node-i18next-http-backend
  , node-qrcode-generator
  , webpack
+ , fonts-fork-awesome
+ , libjs-jquery
+ , libjs-bootstrap4
+ , libjs-popper.js
 Standards-Version: 4.5.1
 Homepage: https://github.com/babelouest/glewlwyd
 Vcs-Browser: https://salsa.debian.org/debian-iot-team/oauth2/glewlwyd.git
diff -Nru glewlwyd-2.5.2/debian/glewlwyd-common.install 
glewlwyd-2.5.2/debian/glewlwyd-common.install
--- glewlwyd-2.5.2/debian/glewlwyd-common.install   2021-12-17 
07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/glewlwyd-common.install   2023-11-24 
08:13:12.0 -0500
@@ -1,5 +1,6 @@
-webapp-src/css/glewlwyd*.css usr/share/glewlwyd/webapp/css/
-webapp-src/css/*-custom.css usr/share/glewlwyd/webapp/css/
+webapp-src/css/* usr/share/glewlwyd/webapp/css/
+webapp-src/js/* usr/share/glewlwyd/webapp/js/
+webapp-src/fonts/* usr/share/glewlwyd/webapp/fonts/
 webapp-src/locales/ usr/share/glewlwyd/webapp/
 webapp-src/img/ usr/share/glewlwyd/webapp/
 webapp-src/output/*.js usr/share/glewlwyd/webapp/
@@ -7,3 +8,4 @@
 webapp-src/favicon.ico usr/share/glewlwyd/webapp/
 
 debian/config.json usr/share/glewlwyd/templates/
+debian/config.json usr/share/glewlwyd/webapp/
diff -Nru glewlwyd-2.5.2/debian/glewlwyd-common.links 
glewlwyd-2.5.2/debian/glewlwyd-common.links
--- glewlwyd-2.5.2/debian/glewlwyd-common.links 2021-12-17 07:51:46.0 
-0500
+++ glewlwyd-2.5.2/debian/glewlwyd-common.links 1969-12-31 19:00:00.0 
-0500
@@ -1,19 +0,0 @@
-usr/share/javascript/jquery/jquery.min.js 
usr/share/glewlwyd/webapp/js/jquery.min.js
-usr/share/javascript/jquery/jquery.min.js 
usr/share/glewlwyd/webapp/js/jquery.min.js
-usr/share/javascript/popper.js/umd/popper.min.js 
usr/share/glewlwyd/webapp/js/popper.min.js
-usr/share/javascript/popper.js/umd/popper-utils.min.js 
usr/share/glewlwyd/webapp/js/popper-utils.min.js
-
-usr/share/nodejs/bootstrap/dist/js/bootstrap.min.js 
usr/share/glewlwyd/webapp/js/bootstrap.min.js
-usr/share/nodejs/bootstrap/dist/js/bootstrap.min.js.map 
usr/share/glewlwyd/webapp/js/bootstrap.min.js.map
-usr/share/nodejs/bootstrap/dist/css/bootstrap.min.css 
usr/share/glewlwyd/webapp/css/bootstrap.min.css
-usr/share/nodejs/bootstrap/dist/css/bootstrap.min.css.map 
usr/share/glewlwyd/webapp/css/bootstrap.min.css.map
-
-usr/share/fonts-fork-awesome/css/fork-awesome.css 
usr/share/glewlwyd/webapp/css/fork-awesome.min.css
-usr/share/fonts-fork-awesome/css/v5-compat.css 
usr/share/glewlwyd/webapp/css/v5-compat.min.css
-usr/share/fonts/eot/fork-awesome/forkawesome-webfont.eot 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.eot
-usr/share/fonts/svg/fork-awesome/forkawesome-webfont.svg 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.svg
-usr/share/fonts/truetype/fork-awesome/forkawesome-webfont.ttf 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.ttf
-usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff
-usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff2 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff2
-
-etc/glewlwyd/config.json usr/share/glewlwyd/webapp/config.json
diff -Nru glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch 
glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch
--- glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch  1969-12-31 
19:00:00.0 -0500
+++ glewlwyd-2.5.2/debian/patches/CVE-2022-29967.patch  2023-11-24 
08:13:12.0 -0500
@@ -0,0 +1,263 @@
+--- a/src/static_compressed_inmemory_website_callback.c
 b/src/static_compressed_inmemory_website_callback.c
+@@ -158,7 +158,7 @@
+ static

Bug#1056936: bookworm-pu: package glewlwyd/2.7.5-3

2023-11-26 Thread Nicolas Mora

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: glewl...@packages.debian.org
Control: affects -1 + src:glewlwyd

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Fix possible buffer overflow in webauthn attestation (CVE-2023-49208)

[ Risks ]
If a crafted webauthn assertion is executed, it could
result in denial of service or the execution of arbitrary code

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The change checks the length of a parameter before copying it into a
fixed size array.

diff -Nru glewlwyd-2.7.5/debian/changelog glewlwyd-2.7.5/debian/changelog
--- glewlwyd-2.7.5/debian/changelog	2023-05-04 07:21:27.0 -0400
+++ glewlwyd-2.7.5/debian/changelog	2023-11-23 17:12:13.0 -0500
@@ -1,3 +1,9 @@
+glewlwyd (2.7.5-3+deb12u1) bookworm; urgency=medium
+
+  * d/patches: Fix CVE-2023-49208
+
+ -- Nicolas Mora   Thu, 23 Nov 2023 17:12:13 -0500
+
 glewlwyd (2.7.5-3) unstable; urgency=medium
 
   * Install config.json as config-2.7.json (Closes: #1035503)
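Review bot: the entry says only `Fix CVE-2023-49208`; add a one-line description (the request's [Reason] already has it: possible buffer overflow in webauthn attestation) so the changelog, which is what ends up in the point release announcement, is self-explanatory.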
diff -Nru glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch
--- glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch	1969-12-31 19:00:00.0 -0500
+++ glewlwyd-2.7.5/debian/patches/CVE-2023-49208.patch	2023-11-23 17:12:13.0 -0500
@@ -0,0 +1,21 @@
+Description: Fix CVE-2023-49208 for bookworm
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
 b/src/scheme/webauthn.c
+@@ -2260,13 +2260,13 @@
+ for (i=0; i
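Review bot: the hunk is truncated after `for (i=0; i`, so the length check the [Changes] section describes (`checks the length of a parameter before copying it into a fixed size array`) cannot be verified here. The DEP-3 header has `Forwarded: not-needed` but no `Origin:`; for a backport of an upstream fix, an `Origin: upstream, <commit URL>` line lets reviewers diff the backport against the upstream change.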

Re: FTBFS: tests fail in clean environment

2023-11-23 Thread Nicolas Mora

Hello,

On Tue, 21 Nov 2023 13:30:31 + Steve McIntyre wrote:

> Source: libssh2
> Version: 1.9.0-2
> Severity: serious
> Tags: ftbfs patch
>
> Hi!
>
> Building libssh2 using debuild in a clean local chroot, I get test
> failures and even a core dump!


Thanks for reporting the bug, although I have concerns about its scope.

The package in which you found the issue is the bullseye one, and
package updates for oldstable are allowed mostly for security patches.

Your bug is related to the test suite, and the patch won't change the
binary files in the package, so I assume the patch isn't going to be
allowed for proposed-updates.

I've added the release team to ask for their opinion.

Friends from the release team, do you have feedback on this?

/Nicolas



Bug#1036029: unblock: glewlwyd/2.7.5-3

2023-05-13 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-iot-maintain...@lists.alioth.debian.org

Please unblock package glewlwyd 2.7.5-3

[ Reason ]
This new version in unstable fixes #1035503 : glewlwyd-common: prompting due to
modified conffiles which were not modified by the user:
/etc/glewlwyd/config.json

It also updates the default glewlwyd.conf file provided in the package which
prevents a startup error due to missing empty directory
/usr/lib/glewlwyd/user-middleware

[ Impact ]
The package glewlwyd will not be available in Debian Bookworm due to #1035503

[ Risks ]
The change affects neither the program nor the build, only the upgrade procedure

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock glewlwyd/2.7.5-3
diff -Nru glewlwyd-2.7.5/debian/changelog glewlwyd-2.7.5/debian/changelog
--- glewlwyd-2.7.5/debian/changelog 2023-01-17 07:24:23.0 -0500
+++ glewlwyd-2.7.5/debian/changelog 2023-05-04 07:21:27.0 -0400
@@ -1,3 +1,10 @@
+glewlwyd (2.7.5-3) unstable; urgency=medium
+
+  * Install config.json as config-2.7.json (Closes: #1035503)
+  * d/glewlwyd-debian.conf.properties: disable user_middleware_module_path
+
+ -- Nicolas Mora   Thu, 04 May 2023 07:21:27 -0400
+
 glewlwyd (2.7.5-2) unstable; urgency=medium
 
   * d/control: add adduser as glewlwyd package dependency, fix piuparts issue
diff -Nru glewlwyd-2.7.5/debian/glewlwyd-common.install 
glewlwyd-2.7.5/debian/glewlwyd-common.install
--- glewlwyd-2.7.5/debian/glewlwyd-common.install   2023-01-17 
07:24:23.0 -0500
+++ glewlwyd-2.7.5/debian/glewlwyd-common.install   2023-05-04 
07:21:27.0 -0400
@@ -7,5 +7,5 @@
 webapp-src/favicon.ico usr/share/glewlwyd/webapp/
 
 debian/config.json usr/share/glewlwyd/templates/
-debian/config.json etc/glewlwyd/
+debian/config.json etc/glewlwyd/config-2.7.json
 debian/glewlwyd-apache.conf etc/glewlwyd/
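Review bot: renaming the installed file to `etc/glewlwyd/config-2.7.json` avoids the conffile prompt (#1035503) but leaves the previously shipped conffile `/etc/glewlwyd/config.json` behind as an obsolete conffile on upgrade; either handle it with `rm_conffile` in a `glewlwyd-common.maintscript` (which removes an unmodified copy and keeps a modified one as `.dpkg-bak`) or, since the NEWS entry tells users they may keep it, say explicitly that it is intentionally left in place.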
diff -Nru glewlwyd-2.7.5/debian/glewlwyd-common.links 
glewlwyd-2.7.5/debian/glewlwyd-common.links
--- glewlwyd-2.7.5/debian/glewlwyd-common.links 2023-01-17 07:24:23.0 
-0500
+++ glewlwyd-2.7.5/debian/glewlwyd-common.links 2023-05-04 07:21:27.0 
-0400
@@ -15,4 +15,4 @@
 usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff
 usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff2 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff2
 
-etc/glewlwyd/config.json usr/share/glewlwyd/webapp/config.json
+etc/glewlwyd/config-2.7.json usr/share/glewlwyd/webapp/config.json
diff -Nru glewlwyd-2.7.5/debian/glewlwyd-debian.conf.properties 
glewlwyd-2.7.5/debian/glewlwyd-debian.conf.properties
--- glewlwyd-2.7.5/debian/glewlwyd-debian.conf.properties   2023-01-17 
07:24:23.0 -0500
+++ glewlwyd-2.7.5/debian/glewlwyd-debian.conf.properties   2023-05-04 
07:21:27.0 -0400
@@ -94,7 +94,7 @@
 user_module_path="/usr/lib/glewlwyd/user"
 
 # user_middleware_module path
-user_middleware_module_path="/usr/lib/glewlwyd/user_middleware"
+#user_middleware_module_path="/usr/lib/glewlwyd/user_middleware"
 
 # client_module path
 client_module_path="/usr/lib/glewlwyd/client"
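Review bot: commenting out `user_middleware_module_path` stops the startup error, but it also means no user middleware module can be loaded from the Debian configuration at all; the [Reason] above names the missing directory `/usr/lib/glewlwyd/user-middleware` while this file uses `/usr/lib/glewlwyd/user_middleware` (underscore), so make sure the request and the config agree on the path. Shipping the empty directory (a `debian/glewlwyd.dirs` entry) would fix the startup error without disabling the feature; if disabling is intended, mention it in NEWS.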
diff -Nru glewlwyd-2.7.5/debian/NEWS glewlwyd-2.7.5/debian/NEWS
--- glewlwyd-2.7.5/debian/NEWS  2023-01-17 07:24:23.0 -0500
+++ glewlwyd-2.7.5/debian/NEWS  2023-05-04 07:21:27.00000 -0400
@@ -9,13 +9,19 @@
 
  -- Nicolas Mora   Mon, 15 Mar 2021 18:18:01 -0400
 
-glewlwyd (2.7.5-2) unstable; urgency=medium
+glewlwyd (2.7.5-3) unstable; urgency=medium
 
   Upgrading Glewlwyd package from Debian Bullseye requires to update the
   database. It's also recommended to disable the config property
   'static_files_path', and serve the static files application located
   in /usr/share/glewlwyd/webapp/ using a static file web server (Apache,
   NGINX).
+  The webapp config.json has been updated, the new config.json file is now
+  located in /etc/glewlwyd/config-2.7.json and linked to
+  /usr/share/glewlwyd/webapp/config.json.
+  If you have made changes to your original config.json, you can backport them
+  to the new config-2.7.json file or keep your current config.json file if you
+  don't need the new properties.
   
   See /usr/share/doc/glewlwyd/INSTALL.md for more details.
 


Bug#1033004: unblock: libevent/2.1.12-stable-8

2023-03-15 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libevent

[ Reason ]
libevent in testing has a ftbfs bug with glibc 2.36: #1023284

[ Impact ]
The package libevent 2.1.12-stable-5 recompiled with glibc 2.36 breaks the ABI
by removing the symbol evutil_secure_rng_add_bytes.

[ Tests ]
Tests and autopkgtest passed

[ Risks ]
Low risks, the issue has been discussed upstream
(https://github.com/libevent/libevent/issues/1393) and the patch, which is
already implemented in other distributions, has been accepted upstream
(https://github.com/libevent/libevent/pull/1427). The patch noops the function
evutil_secure_rng_add_bytes when arc4random is already provided by the system.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
The package should have been updated sooner (before freeze), the first attempt
was to change the package name to libevent-2.1-7a, as in Ubuntu, the new
package went in NEW queue and was rejected (2.1.12-stable-7), then the
question was asked upstream to find a better solution.

Thanks in advance!

/Nicolas

unblock libevent/2.1.12-stable-8
diff -Nru libevent-2.1.12-stable/debian/changelog 
libevent-2.1.12-stable/debian/changelog
--- libevent-2.1.12-stable/debian/changelog 2022-04-15 11:26:52.0 
-0400
+++ libevent-2.1.12-stable/debian/changelog 2023-01-04 15:28:26.0 
-0500
@@ -1,3 +1,30 @@
+libevent (2.1.12-stable-8) unstable; urgency=medium
+
+  * Upload to unstable
+  * Restore last unstable version
+  * d/patches: Add patch evutil_secure_rng_add_bytes_noop.patch
+to make evutil_secure_rng_add_bytes noop with glibc's
+implemtation of arc4random, thanks z...@debian.org!
+(Closes: #1023284)
+  * d/control: upgrade Standards-Version to 4.6.2
+  * d/copyright: update year to 2023
+
+ -- Nicolas Mora   Wed, 04 Jan 2023 15:28:26 -0500
+
+libevent (2.1.12-stable-7) experimental; urgency=medium
+
+  * d/control: change package name to libevent-2.1-7a to update rdeps
+   (Closes: #1023284)
+
+ -- Nicolas Mora   Mon, 07 Nov 2022 07:14:20 -0500
+
+libevent (2.1.12-stable-6) experimental; urgency=medium
+
+  * d/symbols: remove symbol evutil_secure_rng_add_bytes
+  * d/control: upgrade Standards-Version to 4.6.1
+
+ -- Nicolas Mora   Wed, 02 Nov 2022 13:07:03 -0400
+
 libevent (2.1.12-stable-5) unstable; urgency=medium
 
   * d/control: Update maintainer
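Review bot: the `-6` and `-7` experimental entries are kept although [Other info] says the `-7` rename to `libevent-2.1-7a` was rejected from NEW, and `-6` is the one that dropped `evutil_secure_rng_add_bytes` from d/symbols, which is the ABI break this upload reverts; since neither reached the archive, consider folding them into the `-8` entry. The `-8` bullet's `implemtation` should read `implementation`.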
diff -Nru libevent-2.1.12-stable/debian/control 
libevent-2.1.12-stable/debian/control
--- libevent-2.1.12-stable/debian/control   2022-04-15 11:26:42.0 
-0400
+++ libevent-2.1.12-stable/debian/control   2023-01-04 15:28:26.0 
-0500
@@ -4,7 +4,7 @@
 Priority: optional
 Build-Depends: debhelper-compat (= 13),
libssl-dev
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/debian/libevent.git -b master
 Vcs-Browser: https://salsa.debian.org/debian/libevent
 Homepage: https://libevent.org/
diff -Nru libevent-2.1.12-stable/debian/copyright 
libevent-2.1.12-stable/debian/copyright
--- libevent-2.1.12-stable/debian/copyright 2022-04-15 09:45:11.0 
-0400
+++ libevent-2.1.12-stable/debian/copyright 2023-01-04 15:28:26.0 
-0500
@@ -13,7 +13,7 @@
2007-2015  Anibal Monsalve Salazar 
2017-2020 Balint Reczey 
2022 Balint Reczey 
-   2022 Nicolas Mora 
+   2022-2023 Nicolas Mora 
 License: BSD-3-clause
 
 Files: WIN32-Code/getopt.c
diff -Nru 
libevent-2.1.12-stable/debian/patches/evutil_secure_rng_add_bytes_noop.patch 
libevent-2.1.12-stable/debian/patches/evutil_secure_rng_add_bytes_noop.patch
--- 
libevent-2.1.12-stable/debian/patches/evutil_secure_rng_add_bytes_noop.patch
1969-12-31 19:00:00.0 -0500
+++ 
libevent-2.1.12-stable/debian/patches/evutil_secure_rng_add_bytes_noop.patch
2023-01-04 15:28:26.0 -0500
@@ -0,0 +1,40 @@
+Description: Make evutil_secure_rng_add_bytes noop with glibc's implemtation 
of arc4random
+Author: Shengjing Zhu 
+Forwarded: not-needed
+--- a/evutil_rand.c
 b/evutil_rand.c
+@@ -190,14 +190,14 @@
+   ev_arc4random_buf(buf, n);
+ }
+ 
+-#if !defined(EVENT__HAVE_ARC4RANDOM) || 
defined(EVENT__HAVE_ARC4RANDOM_ADDRANDOM)
+ void
+ evutil_secure_rng_add_bytes(const char *buf, size_t n)
+ {
++#if defined(EVENT__HAVE_ARC4RANDOM_ADDRANDOM)
+   arc4random_addrandom((unsigned char*)buf,
+   n>(size_t)INT_MAX ? INT_MAX : (int)n);
+-}
+ #endif
++}
+ 
+ void
+ evutil_free_secure_rng_globals_(void)
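Review bot: with `EVENT__HAVE_ARC4RANDOM_ADDRANDOM` undefined the function body is empty, so `buf` and `n` are unused and the build will warn under `-Wunused-parameter`; add `(void)buf; (void)n;` in an `#else` branch. Note the behavioural change for callers: entropy passed to `evutil_secure_rng_add_bytes()` is now silently discarded on glibc 2.36. That is acceptable because glibc's `arc4random` seeds itself from the kernel, but the patch header or d/NEWS should say so, since the function keeps its exported name and signature precisely to hide the change from reverse dependencies.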
+--- a/include/event2/util.h
 b/include/event2/util.h
+@@ -862,7 +862,6 @@
+ EVENT2_EXPORT_SYMBOL
+ int evutil_secure_rng_set_urandom_device_file(char *fname);
+ 
+-#if !defined(EVENT__HAVE_ARC4RANDOM) || 
defined(EVENT__HAVE_ARC4RANDOM_ADDRANDOM)
+ /** Seed the random number generator with ex

Migrating libevent 2.1.12-stable-8 to testing status

2023-03-14 Thread Nicolas Mora

Hello team,

I've uploaded the package libevent 2.1.12-stable-8 to unstable to fix
the RC bug #1023284 (libevent: FTBFS with glibc 2.36) on March 3rd.


Now the package migration status is blocked because it needs an approval 
[1]. According to the freeze policy [2], the package needs to be 
unblocked by the release team because it's a key package.


Therefore I would like you to unblock the migration to testing. Is there 
something I need to do to help you unlock the package?


Thanks in advance!

/Nicolas

[1] https://tracker.debian.org/pkg/libevent
[2] https://release.debian.org/testing/freeze_policy.html



package glewlwyd/2.5.2-2+deb11u3 and bug #1007884 in bullseye

2023-01-15 Thread Nicolas Mora

Hello team,

I've made a bullseye-pu for the package glewlwyd/2.5.2-2+deb11u3 a few 
months ago, but it seems that the bug has been lost somewhere. The bug 
is #1007884.


The new package fixes 2 CVEs.

I think I did something wrong in the bug and it was lost in the pile of 
pu packages; if so, could you tell me what I did wrong?


Can I do something else so the new package would be available in the 
next stable point release?


Thanks in advance and for your help!

/Nicolas



Re: Looking for help on transition workflow with package libevent

2022-11-07 Thread Nicolas Mora

On 2022-11-07 at 07:31, Nicolas Mora wrote:

I was also told to change the package name, it would also make the 
package cleaner.


So uploading to experimental with the name libevent-2.1-12 instead of 
libevent-2.1-7 would do it? Let's go with it then.



My mistake, renaming the package name to 2.1-12 isn't a clean solution.

I've looked at the Ubuntu debdiff [1] and I think they are smarter than 
me, so I suggest a similar change for the package libevent [2].


Do you have feedback on this proposed solution?

/Nicolas

[1] 
https://launchpadlibrarian.net/627597893/libevent_2.1.12-stable-5_2.1.12-stable-5ubuntu1.diff.gz

[2] https://salsa.debian.org/debian/libevent



Re: Looking for help on transition workflow with package libevent

2022-11-07 Thread Nicolas Mora

Hello,

Thanks for your help!

On 2022-11-07 at 05:44, Graham Inggs wrote:


A test rebuild of reverse-dependencies was done in Ubuntu, and the
transition went ahead.

I was also told to change the package name, it would also make the 
package cleaner.


So uploading to experimental with the name libevent-2.1-12 instead of 
libevent-2.1-7 would do it? Let's go with it then.


/Nicolas



Looking for help on transition workflow with package libevent

2022-11-06 Thread Nicolas Mora

Hello release team,

I have a bug tagged serious in the package libevent I maintain [1]; I've 
been told the solution is to start a transition workflow.


As mentioned in the transition doc [2], I uploaded the fixed package in 
experimental, but I'm wondering what "Check the auto-generated 
"auto-"" means.
Will my package appear on this list automatically or after I request a 
transition slot from the release team?


Thanks in advance for the help, sorry for the noob question, this is my 
first transition...


/Nicolas

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023284
[2] https://wiki.debian.org/Teams/ReleaseTeam/Transitions




Bug#1013893: bullseye-pu: package rhonabwy/0.9.13-3+deb11u1

2022-06-26 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Fix possible buffer overflow when decrypting forged jwe with invalid iv or
cipherkey

[ Impact ]
program might crash or execute arbitrary code

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Check iv and cipherkey len before decoding them

[ Other info ]
CVE id pending
diff -Nru rhonabwy-0.9.13/debian/changelog rhonabwy-0.9.13/debian/changelog
--- rhonabwy-0.9.13/debian/changelog2021-09-22 07:29:46.0 -0400
+++ rhonabwy-0.9.13/debian/changelog2022-06-26 17:27:39.0 -0400
@@ -1,3 +1,9 @@
+rhonabwy (0.9.13-3+deb11u2) bullseye; urgency=medium
+
+  * d/patches/aesgcm.patch: Fix aesgcm buffer overflow
+
+ -- Nicolas Mora   Sun, 26 Jun 2022 17:27:39 -0400
+
 rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
 
   * d/patches/bugfixes: apply upstream bugfixes
diff -Nru rhonabwy-0.9.13/debian/patches/aesgcm.patch 
rhonabwy-0.9.13/debian/patches/aesgcm.patch
--- rhonabwy-0.9.13/debian/patches/aesgcm.patch 1969-12-31 19:00:00.0 
-0500
+++ rhonabwy-0.9.13/debian/patches/aesgcm.patch 2022-06-26 17:26:58.0 
-0400
@@ -0,0 +1,32 @@
+Description: Fix aesgcm buffer overflow
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/jwe.c
 b/src/jwe.c
+@@ -226,14 +226,24 @@
+ ret = RHN_ERROR;
+ break;
+   }
++  if (!o_base64url_decode((const unsigned char 
*)r_jwe_get_header_str_value(jwe, "iv"), 
o_strlen(r_jwe_get_header_str_value(jwe, "iv")), NULL, _len) || iv_len > 96) 
{
++y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid 
header iv");
++ret = RHN_ERROR_INVALID;
++break;
++  }
+   if (!o_base64url_decode((const unsigned char 
*)r_jwe_get_header_str_value(jwe, "iv"), 
o_strlen(r_jwe_get_header_str_value(jwe, "iv")), iv, _len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error 
o_base64url_decode iv");
+-ret = RHN_ERROR;
++ret = RHN_ERROR_INVALID;
++break;
++  }
++  if (!o_base64url_decode((const unsigned char 
*)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url), 
NULL, _len) || cipherkey_len > 64) {
++y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Invalid 
cipherkey");
++ret = RHN_ERROR_INVALID;
+ break;
+   }
+   if (!o_base64url_decode((const unsigned char 
*)jwe->encrypted_key_b64url, o_strlen((const char *)jwe->encrypted_key_b64url), 
cipherkey, _len)) {
+ y_log_message(Y_LOG_LEVEL_ERROR, "r_jwe_aesgcm_key_unwrap - Error 
o_base64url_decode cipherkey");
+-ret = RHN_ERROR;
++ret = RHN_ERROR_INVALID;
+ break;
+   }
+   key_g.data = key;
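Review bot: the bounds `iv_len > 96` and `cipherkey_len > 64` in the two new pre-checks are bare constants, and the declarations of `iv` and `cipherkey` are outside the hunk, so a reader cannot confirm they match the buffers; use `sizeof(iv)` / `sizeof(cipherkey)` or a named constant shared with the declarations so the bound cannot drift from the buffer size. For AES-GCM key wrapping the "iv" header is defined as exactly 96 bits, 12 bytes (RFC 7518 section 4.7.1.1), so an exact-length check would be tighter than an upper bound. The shape of the fix is right: a length-only pass with a NULL output buffer, the bound check, then the real decode, applied consistently to both fields.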
diff -Nru rhonabwy-0.9.13/debian/patches/series 
rhonabwy-0.9.13/debian/patches/series
--- rhonabwy-0.9.13/debian/patches/series   2021-09-22 07:29:46.0 
-0400
+++ rhonabwy-0.9.13/debian/patches/series   2022-06-26 17:25:31.0 
-0400
@@ -1,3 +1,4 @@
 library_info.patch
 disable_test_rhonabwy_generate_key_pair.patch
 bugfixes.patch
+aesgcm.patch


Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2022-06-26 Thread Nicolas Mora

Control: tags -1 - moreinfo

Can you please review the last debdiff?



Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2022-05-07 Thread Nicolas Mora

Hello,

I've updated glewlwyd/2.5.2-2+deb11u2 with the 
glewlwyd_2.5.2-2+deb11u2...2.5.2-2+deb11u3.debdiff file.


Now both CVEs (CVE-2022-27240 and CVE-2022-29967) are fixed in the update.

The fix for CVE-2022-27240 only addresses the buffer overflow, 
o_base64url_decode isn't changed to o_base64_decode anymore.


The CVE-2022-29967 requires more changes though.
The bug fix uses 'realpath' to avoid traversal access.

However, if an accessed file is a soft link, realpath returns the 
real path of the file, which isn't in /usr/share/glewlwyd/webapp, so an 
error 404 is raised. The solution is to copy jquery, popper.js, 
bootstrap and fonts-fork-awesome files from their respective 
installations into /usr/share/glewlwyd/webapp.
diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
--- glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/changelog 2022-03-17 21:13:09.0 -0400
@@ -1,3 +1,15 @@
+glewlwyd (2.5.2-2+deb11u3) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2022-27240
+  possible buffer overflow during webauthn signature assertion
+  * d/patches: Fix CVE-2022-29967
+  static_compressed_inmemory_website_callback.c in Glewlwyd
+  through 2.6.2 allows directory traversal
+  * d/glewlwyd-common.install: copy bootstrap, jquery, fork-awesome
+instead of linking it
+
+ -- Nicolas Mora   Thu, 17 Mar 2022 21:13:09 -0400
+
 glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
 
   * d/patches: Fix possible privilege escalation (Closes: #1001849)
diff -Nru glewlwyd-2.5.2/debian/control glewlwyd-2.5.2/debian/control
--- glewlwyd-2.5.2/debian/control   2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/control   2022-03-17 21:13:09.0 -0400
@@ -35,6 +35,10 @@
  , node-i18next-http-backend
  , node-qrcode-generator
  , webpack
+ , fonts-fork-awesome
+ , libjs-jquery
+ , libjs-bootstrap4
+ , libjs-popper.js
 Standards-Version: 4.5.1
 Homepage: https://github.com/babelouest/glewlwyd
 Vcs-Browser: https://salsa.debian.org/debian-iot-team/oauth2/glewlwyd.git
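Review bot: adding fonts-fork-awesome, libjs-jquery, libjs-bootstrap4 and libjs-popper.js as Build-Depends so their files can be copied into the package turns them into embedded copies: a later security update of, say, libjs-jquery in bullseye will no longer reach /usr/share/glewlwyd/webapp/js/jquery.min.js. That trade-off deserves a sentence in the changelog or d/README.source. Also, the step that actually copies these files into webapp-src/js, css and fonts (where the new .install globs pick them up) is not in this debdiff, there is no d/rules change, so the reviewer cannot tell whether the copies come from the build-depends or from files already in the source tarball.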
diff -Nru glewlwyd-2.5.2/debian/glewlwyd-common.install 
glewlwyd-2.5.2/debian/glewlwyd-common.install
--- glewlwyd-2.5.2/debian/glewlwyd-common.install   2021-12-17 
07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/glewlwyd-common.install   2022-03-17 
21:13:09.0 -0400
@@ -1,5 +1,6 @@
-webapp-src/css/glewlwyd*.css usr/share/glewlwyd/webapp/css/
-webapp-src/css/*-custom.css usr/share/glewlwyd/webapp/css/
+webapp-src/css/* usr/share/glewlwyd/webapp/css/
+webapp-src/js/* usr/share/glewlwyd/webapp/js/
+webapp-src/fonts/* usr/share/glewlwyd/webapp/fonts/
 webapp-src/locales/ usr/share/glewlwyd/webapp/
 webapp-src/img/ usr/share/glewlwyd/webapp/
 webapp-src/output/*.js usr/share/glewlwyd/webapp/
@@ -7,3 +8,4 @@
 webapp-src/favicon.ico usr/share/glewlwyd/webapp/
 
 debian/config.json usr/share/glewlwyd/templates/
+debian/config.json usr/share/glewlwyd/webapp/
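Review bot: the added `+debian/config.json usr/share/glewlwyd/webapp/` replaces the removed symlink `etc/glewlwyd/config.json -> usr/share/glewlwyd/webapp` (see the deleted .links file) with a static copy of the packaged default, so the webapp will now serve that default rather than whatever the administrator edits under /etc/glewlwyd. If the served config.json is meant to follow the conffile, the copy has to be refreshed (for example from a maintainer script), or the realpath check needs to whitelist that one path; otherwise the changelog should say the served config is now fixed at build time.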
diff -Nru glewlwyd-2.5.2/debian/glewlwyd-common.links 
glewlwyd-2.5.2/debian/glewlwyd-common.links
--- glewlwyd-2.5.2/debian/glewlwyd-common.links 2021-12-17 07:51:46.0 
-0500
+++ glewlwyd-2.5.2/debian/glewlwyd-common.links 1969-12-31 19:00:00.0 
-0500
@@ -1,19 +0,0 @@
-usr/share/javascript/jquery/jquery.min.js 
usr/share/glewlwyd/webapp/js/jquery.min.js
-usr/share/javascript/jquery/jquery.min.js 
usr/share/glewlwyd/webapp/js/jquery.min.js
-usr/share/javascript/popper.js/umd/popper.min.js 
usr/share/glewlwyd/webapp/js/popper.min.js
-usr/share/javascript/popper.js/umd/popper-utils.min.js 
usr/share/glewlwyd/webapp/js/popper-utils.min.js
-
-usr/share/nodejs/bootstrap/dist/js/bootstrap.min.js 
usr/share/glewlwyd/webapp/js/bootstrap.min.js
-usr/share/nodejs/bootstrap/dist/js/bootstrap.min.js.map 
usr/share/glewlwyd/webapp/js/bootstrap.min.js.map
-usr/share/nodejs/bootstrap/dist/css/bootstrap.min.css 
usr/share/glewlwyd/webapp/css/bootstrap.min.css
-usr/share/nodejs/bootstrap/dist/css/bootstrap.min.css.map 
usr/share/glewlwyd/webapp/css/bootstrap.min.css.map
-
-usr/share/fonts-fork-awesome/css/fork-awesome.css 
usr/share/glewlwyd/webapp/css/fork-awesome.min.css
-usr/share/fonts-fork-awesome/css/v5-compat.css 
usr/share/glewlwyd/webapp/css/v5-compat.min.css
-usr/share/fonts/eot/fork-awesome/forkawesome-webfont.eot 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.eot
-usr/share/fonts/svg/fork-awesome/forkawesome-webfont.svg 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.svg
-usr/share/fonts/truetype/fork-awesome/forkawesome-webfont.ttf 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.ttf
-usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff
-usr/share/fonts/woff/fork-awesome/forkawesome-webfont.woff2 
usr/share/glewlwyd/webapp/fonts/forkawesome-webfont.woff2
-
-etc/glewlwyd/config.json usr/share/glewlwyd/webapp
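The containment check this message describes (canonicalise with realpath, then require the result to stay under the webapp directory, which is also why a symlink that leaves the directory ends up as a 404) as an added example in C; this is not glewlwyd's code, and the fixture directory, file names and function names are constructed for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Resolve root + "/" + rel with realpath() and report whether the result is
 * inside root.  Returns 1 if contained, 0 if the canonical path escapes root
 * (".." traversal or a symlink pointing outside), -1 if it cannot be resolved
 * (missing file, name too long, unreadable directory): the caller answers 404. */
int path_within_root(const char *root, const char *rel, char *out, size_t out_len)
{
    char real_root[PATH_MAX], joined[PATH_MAX], real_req[PATH_MAX];
    size_t rlen;

    if (realpath(root, real_root) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", root, rel) >= (int)sizeof joined)
        return -1;
    if (realpath(joined, real_req) == NULL)
        return -1;

    rlen = strlen(real_root);
    /* A prefix match alone is not enough: "/srv/webapp2/x" starts with
     * "/srv/webapp"; the next character must be '/' or the end of string. */
    if (strncmp(real_req, real_root, rlen) != 0)
        return 0;
    if (real_req[rlen] != '/' && real_req[rlen] != '\0')
        return 0;
    if (out != NULL)
        snprintf(out, out_len, "%s", real_req);
    return 1;
}

/* Constructed fixture (not from the package): a temporary tree that mirrors
 * the bullseye layout discussed in this thread.
 *   <tmp>/webapp/index.html                      regular file inside the served root
 *   <tmp>/secret.txt                             file outside the served root
 *   <tmp>/webapp/jquery.min.js -> ../secret.txt  symlink leaving the root, like the
 *                                                entries d/glewlwyd-common.links created
 * Writes the webapp directory into root and returns it, or NULL on error. */
char *make_fixture(char *root, size_t root_len)
{
    char tmpl[] = "/tmp/glewlwyd-example-XXXXXX";
    char path[PATH_MAX];
    FILE *f;

    if (mkdtemp(tmpl) == NULL)
        return NULL;
    if (snprintf(root, root_len, "%s/webapp", tmpl) >= (int)root_len)
        return NULL;
    if (mkdir(root, 0700) != 0)
        return NULL;

    snprintf(path, sizeof path, "%s/index.html", root);
    if ((f = fopen(path, "w")) == NULL)
        return NULL;
    fputs("<html></html>\n", f);
    fclose(f);

    snprintf(path, sizeof path, "%s/secret.txt", tmpl);
    if ((f = fopen(path, "w")) == NULL)
        return NULL;
    fputs("not for the web\n", f);
    fclose(f);

    snprintf(path, sizeof path, "%s/jquery.min.js", root);
    if (symlink("../secret.txt", path) != 0)
        return NULL;
    return root;
}

int main(void)
{
    char root[PATH_MAX], resolved[PATH_MAX];
    const char *requests[] = { "index.html", "../secret.txt", "jquery.min.js", "missing.html" };
    size_t i;

    if (make_fixture(root, sizeof root) == NULL) {
        perror("fixture");
        return 1;
    }
    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int r = path_within_root(root, requests[i], resolved, sizeof resolved);
        printf("%-16s -> %s\n", requests[i],
               r == 1 ? resolved : r == 0 ? "REJECTED (outside root)" : "NOT FOUND");
    }
    return 0;
}
```

The symlink case returns 0, not 1: that is the 404 described above, and the reason the package switched from links to copies.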

Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2022-04-30 Thread Nicolas Mora

Hello,

Is it possible to review the patch, so the package in bullseye can be in 
p-u?


Thanks!



Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2022-03-18 Thread Nicolas Mora

Hello,

On 2022-03-18 at 11:29, Julien Cristau wrote:


The below is not a debdiff, and doesn't include a changelog entry. :(


Sorry, added the debdiff here


What's the change of o_base64url_decode to o_base64_decode about?

This is why I found the issue in the first place, by refactoring 
o_base64* functions.


o_base64_decode should be used because the data is in base64, not 
base64url, but in this case, a conversion happens before decoding the 
data. So I switched back to o_base64url_decode in the debdiff


/Nicolas
diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
--- glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
+++ glewlwyd-2.5.2/debian/changelog 2022-03-17 21:13:09.0 -0400
@@ -1,3 +1,10 @@
+glewlwyd (2.5.2-2+deb11u3) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2022-27240
+  possible buffer overflow during webauthn signature assertion
+
+ -- Nicolas Mora   Thu, 17 Mar 2022 21:13:09 -0400
+
 glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
 
   * d/patches: Fix possible privilege escalation (Closes: #1001849)
diff -Nru glewlwyd-2.5.2/debian/patches/series 
glewlwyd-2.5.2/debian/patches/series
--- glewlwyd-2.5.2/debian/patches/series2021-12-17 07:51:46.0 
-0500
+++ glewlwyd-2.5.2/debian/patches/series2022-03-17 21:13:09.0 
-0400
@@ -1,3 +1,4 @@
 #webpack.patch
+webauthn-2.patch
 webauthn.patch
 auth.patch
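Review bot: webauthn-2.patch is inserted before webauthn.patch in d/patches/series, yet its hunk sits at line 2336 of src/scheme/webauthn.c, after the region webauthn.patch already changes (around lines 1530-1660, where it adds lines); appending it after webauthn.patch keeps the order in which the patches were generated and avoids relying on quilt offset fuzz to apply the second one.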
diff -Nru glewlwyd-2.5.2/debian/patches/webauthn-2.patch 
glewlwyd-2.5.2/debian/patches/webauthn-2.patch
--- glewlwyd-2.5.2/debian/patches/webauthn-2.patch  1969-12-31 
19:00:00.0 -0500
+++ glewlwyd-2.5.2/debian/patches/webauthn-2.patch  2022-03-17 
21:13:09.0 -0400
@@ -0,0 +1,32 @@
+Description: Fix buffer overflow
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
 b/src/scheme/webauthn.c
+@@ -2336,12 +2336,24 @@
+ break;
+   }
+   
+-  if (!o_base64url_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), sig, _len)) {
+-y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error 
o_base64url_decode signature");
++  if (!o_base64url_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), NULL, _len)) {
++y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature 
format");
+ ret = G_ERROR_PARAM;
+ break;
+   }
+   
++  if (sig_len > 128) {
++y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid 
signature");
++ret = G_ERROR_PARAM;
++break;
++  }
++
++  if (!o_base64url_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), sig, _len)) {
++y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error 
o_base64url_decode signature");
++ret = G_ERROR;
++break;
++  }
++
+   memcpy(data_signed, auth_data, auth_data_len);
+   memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);
+   
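Review bot: `sig_len > 128` in the new check is a bare constant and the declaration of `sig` is outside the hunk, so nothing ties the bound to the buffer; write it as `sizeof(sig)` so the two cannot drift apart. Also worth confirming that 128 bytes covers every signature algorithm the scheme accepts: a DER-encoded ECDSA P-256 signature is at most 72 bytes, but a 2048-bit RSA signature is 256 bytes and would now be rejected as invalid if RS256 credentials are allowed. Returning G_ERROR rather than G_ERROR_PARAM on the second decode is reasonable, since the length-only pass has already validated the encoding.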


Bug#1007884: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u2)

2022-03-18 Thread Nicolas Mora

The CVE ID is CVE-2022-27240



Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2022-03-17 Thread Nicolas Mora
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
Possible buffer overflow on signature verification during webauthn assertion

[ Impact ]
Possibility of denial of service

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check the length of the signature before verifying it

[ Other info ]
CVE ID request pending
Description: Fix buffer overflow
Author: Nicolas Mora 
Forwarded: not-needed
--- a/src/scheme/webauthn.c
+++ b/src/scheme/webauthn.c
@@ -2336,12 +2336,24 @@
 break;
   }
   
-  if (!o_base64url_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), sig, _len)) {
-y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error 
o_base64url_decode signature");
+  if (!o_base64_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), NULL, _len)) {
+y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid signature 
format");
 ret = G_ERROR_PARAM;
 break;
   }
   
+  if (sig_len > 128) {
+y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Invalid 
signature");
+ret = G_ERROR_PARAM;
+break;
+  }
+
+  if (!o_base64_decode((const unsigned char 
*)json_string_value(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), 
json_string_length(json_object_get(json_object_get(json_object_get(j_scheme_data,
 "credential"), "response"), "signature")), sig, _len)) {
+y_log_message(Y_LOG_LEVEL_DEBUG, "check_assertion - Error 
o_base64_decode signature");
+ret = G_ERROR;
+break;
+  }
+
   memcpy(data_signed, auth_data, auth_data_len);
   memcpy(data_signed+auth_data_len, cdata_hash, cdata_hash_len);
   

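The change described under [ Changes ] above (work out the decoded length first, refuse anything larger than the destination buffer, and only then decode) as an added C example; this is not glewlwyd's or orcania's code, and the base64url decoder, the 128-byte signature buffer and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one base64url alphabet character, or -1 if it is not in the alphabet. */
static int b64url_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decode base64url input into a caller-owned buffer of out_cap bytes.
 * The decoded length is derived from the input length *before* any byte is
 * written, which is the step the vulnerable code skipped: it decoded straight
 * into a fixed-size sig[] without knowing how long the result would be.
 *   returns  1  decoded, *out_len bytes written
 *   returns  0  input is not valid base64url (bad length or character);
 *               out[] may hold a partial result in that case
 *   returns -1  result would not fit in out_cap; *out_len holds the size needed
 *               and out[] is untouched */
int b64url_decode_bounded(const char *in, size_t in_len,
                          unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t n = in_len, rem, need, o = 0, i;
    unsigned int acc = 0;
    int bits = 0;

    while (n > 0 && in[n - 1] == '=')   /* tolerate optional '=' padding */
        n--;
    rem = n % 4;
    if (rem == 1)                         /* no valid encoding has this length */
        return 0;
    need = (n / 4) * 3 + (rem == 2 ? 1 : rem == 3 ? 2 : 0);
    if (out_len != NULL)
        *out_len = need;
    if (need > out_cap)
        return -1;                        /* refuse before touching out[] */

    for (i = 0; i < n; i++) {
        int v = b64url_val((unsigned char)in[i]);
        if (v < 0)
            return 0;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return 1;
}

/* Mirror of the fixed check_assertion flow with a 128-byte signature buffer
 * (an assumed size for this example): 1 = signature accepted for verification,
 * 0 = rejected as malformed or too long, with a log line naming the reason. */
int assertion_signature_fits(const char *sig_b64url)
{
    unsigned char sig[128];
    size_t sig_len = 0;
    int r = b64url_decode_bounded(sig_b64url, strlen(sig_b64url), sig, sizeof sig, &sig_len);

    if (r == -1) {
        fprintf(stderr, "check_assertion - signature of %zu bytes exceeds %zu\n", sig_len, sizeof sig);
        return 0;
    }
    if (r == 0) {
        fprintf(stderr, "check_assertion - invalid signature format\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    char oversized[201];                  /* constructed: 200 chars decode to 150 bytes */
    memset(oversized, 'A', 200);
    oversized[200] = '\0';

    printf("AQID      -> %d\n", assertion_signature_fits("AQID"));   /* 3 bytes, fits */
    printf("AQ*D      -> %d\n", assertion_signature_fits("AQ*D"));   /* bad character */
    printf("200 chars -> %d\n", assertion_signature_fits(oversized));/* too long */
    return 0;
}
```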

Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)

2021-12-30 Thread Nicolas Mora

Also, the bug is only for 2.x versions.

The package glewlwyd 1.4.9-1 in oldstable isn't vulnerable



Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)

2021-12-30 Thread Nicolas Mora

Hello,

On Fri, 24 Dec 2021 14:39:14 -0500 Nicolas Mora wrote:

Hello Salvatore,

On 2021-12-24 at 14:36, Salvatore Bonaccorso wrote:
> 
> Any news on the CVE assignment? Did MITRE respond?
> 



The CVE has been attributed for this bug: CVE-2021-45379



Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)

2021-12-24 Thread Nicolas Mora

Hello Salvatore,

On 2021-12-24 at 14:36, Salvatore Bonaccorso wrote:


Any news on the CVE assignment? Did MITRE respond?



Not yet, still waiting for the submission to be reviewed according to 
MITRE...


/Nicolas



Bug#1001849: Acknowledgement (bullseye-pu: package glewlwyd/2.5.2-2+deb11u1)

2021-12-17 Thread Nicolas Mora

See attached debdiff
diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
--- glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400
+++ glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500
@@ -1,3 +1,9 @@
+glewlwyd (2.5.2-2+deb11u2) bullseye; urgency=medium
+
+  * d/patches: Fix possible privilege escalation (Closes: #1001849)
+
+ -- Nicolas Mora   Fri, 17 Dec 2021 07:51:46 -0500
+
 glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium
 
   * d/patches: Fix CVE-2021-40818
diff -Nru glewlwyd-2.5.2/debian/patches/auth.patch 
glewlwyd-2.5.2/debian/patches/auth.patch
--- glewlwyd-2.5.2/debian/patches/auth.patch1969-12-31 19:00:00.0 
-0500
+++ glewlwyd-2.5.2/debian/patches/auth.patch2021-12-17 07:51:46.0 
-0500
@@ -0,0 +1,16 @@
+Description: Fix escalation privilege
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/webservice.c
 b/src/webservice.c
+@@ -259,10 +259,6 @@
+ if (check_result_value(j_result, G_ERROR_UNAUTHORIZED)) {
+   y_log_message(Y_LOG_LEVEL_WARNING, "Security - Authorization 
invalid for username %s at IP Address %s", 
json_string_value(json_object_get(j_param, "username")), ip_source);
+ }
+-if ((session_uid = get_session_id(config, request)) != NULL && 
user_session_update(config, session_uid, u_map_get_case(request->map_header, 
"user-agent"), issued_for, json_string_value(json_object_get(j_param, 
"username")), NULL, 1) != G_OK) {
+-  y_log_message(Y_LOG_LEVEL_ERROR, "callback_glewlwyd_user_auth - 
Error user_session_update (2)");
+-}
+-o_free(session_uid);
+ response->status = 401;
+   }
+   json_decref(j_result);
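Review bot: the Description line "Fix escalation privilege" should read "Fix privilege escalation", and the CVE that was later assigned for this bug (CVE-2021-45379, per the follow-up in this thread) belongs in the patch header and changelog once known. The removed block is self-contained (the session_uid assignment, the user_session_update call and the matching o_free), so nothing in the remaining branch dangles, and the Y_LOG_LEVEL_WARNING line above it still records the failed attempt with username and source IP, which is the event a defender wants to keep for detection.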
diff -Nru glewlwyd-2.5.2/debian/patches/series 
glewlwyd-2.5.2/debian/patches/series
--- glewlwyd-2.5.2/debian/patches/series2021-09-22 08:42:59.0 
-0400
+++ glewlwyd-2.5.2/debian/patches/series2021-12-17 07:51:46.0 
-0500
@@ -1,2 +1,3 @@
 #webpack.patch
 webauthn.patch
+auth.patch


Bug#1001849: bullseye-pu: package glewlwyd/2.5.2-2+deb11u1

2021-12-17 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
A bug has been fixed in Glewlwyd 2.6.1 to avoid possible privilege
escalation

[ Impact ]
Users accounts might be compromised

[ Changes ]
Remove a misplaced session update in the source code

CVE request has been filed, awaiting response



friendly ping for buster and bullseye pu

2021-09-24 Thread Nicolas Mora

Hello team,

Any chance those proposed-updates are allowed to be uploaded before the 
freeze date?


bullseye
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994880
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994881
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994885

buster
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994887

Thanks in advance!



Bug#994887: buster-pu: package ulfius/2.5.2-4

2021-09-22 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Ulfius package contains the bug that is referred to by CVE-2021-40540

[ Impact ]
Application segfault when a malformed http request is received

[ Risks ]
the patch is trivial, the risk is low

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
add 'memset(con_info, 0, sizeof(struct connection_info_struct));' after
con_info is malloced to initialize the structure and avoid testing an undefined
value.
diff -Nru ulfius-2.5.2/debian/changelog ulfius-2.5.2/debian/changelog
--- ulfius-2.5.2/debian/changelog   2019-01-12 12:41:47.0 -0500
+++ ulfius-2.5.2/debian/changelog   2021-09-20 08:15:27.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.5.2-4+deb10u1) buster; urgency=medium
+
+  * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora   Mon, 20 Sep 2021 08:15:27 -0400
+
 ulfius (2.5.2-4) unstable; urgency=medium
 
   * debian/rules: remove override_dh_auto_test since now it's executed
diff -Nru ulfius-2.5.2/debian/patches/CVE-2021-40540.patch 
ulfius-2.5.2/debian/patches/CVE-2021-40540.patch
--- ulfius-2.5.2/debian/patches/CVE-2021-40540.patch1969-12-31 
19:00:00.0 -0500
+++ ulfius-2.5.2/debian/patches/CVE-2021-40540.patch2021-09-20 
08:15:27.0 -0400
@@ -0,0 +1,13 @@
+Description: Fix CVE-2021-40540
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/ulfius.c
 b/src/ulfius.c
+@@ -190,6 +190,7 @@
+   UNUSED(cls);
+   
+   if (con_info != NULL) {
++memset(con_info, 0, sizeof(struct connection_info_struct));
+ con_info->callback_first_iteration = 1;
+ con_info->u_instance = NULL;
+ u_map_init(_info->map_url_initial);
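Review bot: zeroing con_info with memset right after the NULL check does fix the uninitialised read, but the cleaner place is the allocation that produces con_info (outside this hunk): allocating it with calloc removes the window in which the struct holds garbage and makes the fix independent of this function. The explicit assignments that follow (callback_first_iteration, u_instance) become partly redundant but are harmless. The bullseye debdiff further down applies the same one-line change at offset 207.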
diff -Nru ulfius-2.5.2/debian/patches/series ulfius-2.5.2/debian/patches/series
--- ulfius-2.5.2/debian/patches/series  2019-01-12 12:41:47.0 -0500
+++ ulfius-2.5.2/debian/patches/series  2021-09-20 08:15:27.0 -0400
@@ -1,3 +1,4 @@
 examples.patch
 test.patch
 cmake.patch
+CVE-2021-40540.patch


Bug#994885: bullseye-pu: package glewlwyd/2.5.2-2

2021-09-22 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Fix CVE-2021-40818 in bullseye

[ Reason ]
CVE-2021-40818 allows a malicious user to perform a buffer overflow during a
webauthn registration with FIDO2 protocol.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patch changes an 'unsigned char data_signed[200]' to an 'unsigned char *
data_signed = NULL' and allocates the variable with the proper length. The
previous code didn't take credential_id_len into account.
diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
--- glewlwyd-2.5.2/debian/changelog 2021-03-14 19:32:40.0 -0400
+++ glewlwyd-2.5.2/debian/changelog 2021-09-22 08:42:59.0 -0400
@@ -1,3 +1,11 @@
+glewlwyd (2.5.2-2+deb11u1) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2021-40818
+  possible buffer overflow during FIDO2 signature validation
+  in webauthn registration
+
+ -- Nicolas Mora   Wed, 22 Sep 2021 08:42:59 -0400
+
 glewlwyd (2.5.2-2) unstable; urgency=medium
 
   * Fix postgre database initialization (Closes: #985238)
diff -Nru glewlwyd-2.5.2/debian/patches/series 
glewlwyd-2.5.2/debian/patches/series
--- glewlwyd-2.5.2/debian/patches/series2021-03-14 19:32:40.0 
-0400
+++ glewlwyd-2.5.2/debian/patches/series2021-09-22 08:42:59.0 
-0400
@@ -1 +1,2 @@
 #webpack.patch
+webauthn.patch
diff -Nru glewlwyd-2.5.2/debian/patches/webauthn.patch 
glewlwyd-2.5.2/debian/patches/webauthn.patch
--- glewlwyd-2.5.2/debian/patches/webauthn.patch1969-12-31 
19:00:00.0 -0500
+++ glewlwyd-2.5.2/debian/patches/webauthn.patch2021-09-22 
08:42:59.0 -0400
@@ -0,0 +1,35 @@
+Description: Fix buffer overflow
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/scheme/webauthn.c
 b/src/scheme/webauthn.c
+@@ -1530,7 +1530,7 @@
+   gnutls_pubkey_t pubkey = NULL;
+   gnutls_x509_crt_t cert = NULL;
+   gnutls_datum_t cert_dat, data, signature, cert_issued_by;
+-  unsigned char data_signed[200], client_data_hash[32], cert_export[32], 
cert_export_b64[64];
++  unsigned char * data_signed = NULL, client_data_hash[32], cert_export[32], 
cert_export_b64[64];
+   size_t data_signed_offset = 0, client_data_hash_len = 32, cert_export_len = 
32, cert_export_b64_len = 0;
+   
+   if (j_error != NULL) {
+@@ -1619,6 +1619,12 @@
+ break;
+   }
+   
++  if ((data_signed = 
o_malloc(rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2))
 == NULL) {
++y_log_message(Y_LOG_LEVEL_DEBUG, "check_attestation_fido_u2f - Error 
allocating data_signed");
++json_array_append_new(j_error, json_string("Internal error"));
++break;
++  }
++
+   // Build bytestring to verify signature
+   data_signed[0] = 0x0;
+   data_signed_offset = 1;
+@@ -1653,6 +1659,7 @@
+   }
+   
+ } while (0);
++o_free(data_signed);
+ 
+ if (json_array_size(j_error)) {
+   j_return = json_pack("{sisO}", "result", G_ERROR_PARAM, "error", 
j_error);
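Review bot: the allocation size `rpid_hash_len+client_data_hash_len+credential_id_len+cert_x_len+cert_y_len+2` is written inline while the memcpy sequence that fills data_signed is outside the hunk, so nothing in the patch ties the two together; compute it once into a named `data_signed_len` and check `data_signed_offset <= data_signed_len` after the last copy, or at least comment what the `+2` accounts for (the leading 0x0 byte written at data_signed[0] is visible, the second is not). `o_free(data_signed)` after the do/while also runs on the paths that `break` before the allocation, which is only safe if o_free accepts a NULL pointer.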


Bug#994881: bullseye-pu: package rhonabwy/0.9.13-3

2021-09-22 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

The attached debdiff file fixes 2 bugs:
  jwe cbc tag computation error
  jws alg:none signature verification issue

[ Tests ]
The tests are updated by the debdiff file

[ Risks ]
The jws alg:none signature verification issue might lead to incorrect token
verification, while the jwe cbc tag computation error leads to incorrect token
decryption

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru rhonabwy-0.9.13/debian/changelog rhonabwy-0.9.13/debian/changelog
--- rhonabwy-0.9.13/debian/changelog2021-02-09 07:33:21.0 -0500
+++ rhonabwy-0.9.13/debian/changelog2021-09-22 07:29:46.0 -0400
@@ -1,3 +1,11 @@
+rhonabwy (0.9.13-3+deb11u1) bullseye; urgency=medium
+
+  * d/patches/bugfixes: apply upstream bugfixes
+  jwe cbc tag computation error
+  jws alg:none signature verification issue
+
+ -- Nicolas Mora   Wed, 22 Sep 2021 07:29:46 -0400
+
 rhonabwy (0.9.13-3) unstable; urgency=medium
 
   * Fix r_library_info_json_t output
diff -Nru rhonabwy-0.9.13/debian/patches/bugfixes.patch 
rhonabwy-0.9.13/debian/patches/bugfixes.patch
--- rhonabwy-0.9.13/debian/patches/bugfixes.patch   1969-12-31 
19:00:00.0 -0500
+++ rhonabwy-0.9.13/debian/patches/bugfixes.patch   2021-09-22 
07:29:46.0 -0400
@@ -0,0 +1,37 @@
+Description: Fix jwe cbc tag computation and jws alg:none signature 
verification
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/jwe.c
 b/src/jwe.c
+@@ -450,7 +450,7 @@
+ memcpy(compute_hmac+hmac_size, al, 8);
+ hmac_size += 8;
+ 
+-if (!(res = gnutls_hmac_fast(mac, jwe->key, 16, compute_hmac, hmac_size, 
tag))) {
++if (!(res = gnutls_hmac_fast(mac, jwe->key, jwe->key_len/2, compute_hmac, 
hmac_size, tag))) {
+   *tag_len = gnutls_hmac_get_len(mac)/2;
+   ret = RHN_OK;
+ } else {
+--- a/src/jws.c
 b/src/jws.c
+@@ -1268,9 +1268,6 @@
+ case R_JWA_ALG_ES256K:
+   ret = RHN_ERROR_UNSUPPORTED;
+   break;
+-case R_JWA_ALG_NONE:
+-  ret = RHN_OK;
+-  break;
+ default:
+   ret = RHN_ERROR_INVALID;
+   break;
+--- a/test/jws_core.c
 b/test/jws_core.c
+@@ -496,7 +496,7 @@
+   ck_assert_ptr_ne((token = r_jws_serialize(jws_sign, NULL, 0)), NULL);
+   
+   ck_assert_int_eq(r_jws_parse(jws_verify, token, 0), RHN_OK);
+-  ck_assert_int_eq(r_jws_verify_signature(jws_verify, NULL, 0), RHN_OK);
++  ck_assert_int_eq(r_jws_verify_signature(jws_verify, NULL, 0), 
RHN_ERROR_INVALID);
+   o_free(token);
+   
+   r_jws_free(jws_sign);
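Review bot: in the jwe.c part of this patch the HMAC key length changes from the hard-coded 16 to `jwe->key_len/2`, which matches the AES-CBC-HMAC construction (the first half of the content encryption key is the MAC key) for all three sizes instead of only A128CBC-HS256; the jws_core.c test only covers the alg:none change, so a tag-computation test for A192CBC-HS384 and A256CBC-HS512 would guard the other fix. Removing the `R_JWA_ALG_NONE: ret = RHN_OK` case means an unsigned token now falls through to RHN_ERROR_INVALID, which is the right default for a verifier; both behaviour changes should be spelled out in the Description, since either can break existing callers of a stable package.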
diff -Nru rhonabwy-0.9.13/debian/patches/series 
rhonabwy-0.9.13/debian/patches/series
--- rhonabwy-0.9.13/debian/patches/series   2021-02-09 07:33:21.0 
-0500
+++ rhonabwy-0.9.13/debian/patches/series   2021-09-22 07:29:46.0 
-0400
@@ -1,2 +1,3 @@
 library_info.patch
 disable_test_rhonabwy_generate_key_pair.patch
+bugfixes.patch


Bug#994880: bullseye-pu: package ulfius/2.7.1-1

2021-09-22 Thread Nicolas Mora
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Fix CVE-2021-40540 in Bullseye

[ Reason ]
Ulfius package contains the bug that is referred to by CVE-2021-40540

[ Impact ]
Application segfault when a malformed http request is received

[ Tests ]
none

[ Risks ]
the patch is trivial, the risk is low

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
add 'memset(con_info, 0, sizeof(struct connection_info_struct));' after
con_info is malloced to initialize the structure and avoid testing an undefined
value.

[ Other info ]
(Anything else the release team should know.)
diff -Nru ulfius-2.7.1/debian/changelog ulfius-2.7.1/debian/changelog
--- ulfius-2.7.1/debian/changelog   2021-01-03 09:03:05.0 -0500
+++ ulfius-2.7.1/debian/changelog   2021-09-19 15:39:39.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2021-40540 (Closes: #994763)
+
+ -- Nicolas Mora   Sun, 19 Sep 2021 15:39:39 -0400
+
 ulfius (2.7.1-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 
ulfius-2.7.1/debian/patches/CVE-2021-40540.patch
--- ulfius-2.7.1/debian/patches/CVE-2021-40540.patch1969-12-31 
19:00:00.0 -0500
+++ ulfius-2.7.1/debian/patches/CVE-2021-40540.patch2021-09-19 
15:39:20.0 -0400
@@ -0,0 +1,13 @@
+Description: Fix CVE-2021-40540
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/ulfius.c
 b/src/ulfius.c
+@@ -207,6 +207,7 @@
+   UNUSED(cls);
+ 
+   if (con_info != NULL) {
++memset(con_info, 0, sizeof(struct connection_info_struct));
+ con_info->callback_first_iteration = 1;
+ con_info->u_instance = NULL;
+ u_map_init(_info->map_url_initial);
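Review bot: the memset at the top of the `if (con_info != NULL)` block zeroes every field before the explicit assignments, which is the correct minimal fix for a read of an uninitialised member; the `con_info->callback_first_iteration = 1;` and `con_info->u_instance = NULL;` lines that follow stay valid (the second is now redundant but harmless). The allocation itself is outside this hunk; if it is a plain malloc, a calloc there would achieve the same without the extra call, but for a stable update keeping the diff to this single line is the safer choice.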
diff -Nru ulfius-2.7.1/debian/patches/series ulfius-2.7.1/debian/patches/series
--- ulfius-2.7.1/debian/patches/series  2021-01-03 09:03:05.0 -0500
+++ ulfius-2.7.1/debian/patches/series  2021-09-19 15:39:39.0 -0400
@@ -1,2 +1,3 @@
 examples.patch
 doc.patch
+CVE-2021-40540.patch

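The [ Changes ] section above describes the bug class in one sentence: a struct is allocated, only some fields are set, and a later callback tests a field nobody initialised. The following is an added example, not ulfius code or anything from the debdiff: it models that partially initialised connection struct next to the zeroed version, using a poisoning allocator so the effect of the missing memset shows up deterministically in a test. Only callback_first_iteration and u_instance come from the patch; the other field names and all helper names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative model of the per-connection state a libmicrohttpd-based server
 * such as ulfius keeps between callbacks. Only callback_first_iteration and
 * u_instance appear in the debdiff; the other fields are assumptions chosen to
 * show why a partially initialised struct is dangerous.
 */
struct connection_info_struct {
  int    callback_first_iteration;
  void  *u_instance;
  char  *request_body;       /* lazily allocated once body data arrives */
  size_t request_body_len;
  int    has_post_processor; /* tested later to decide what to tear down */
};

/*
 * Poisoning allocator: fills fresh memory with 0xAA, the same effect glibc's
 * MALLOC_PERTURB_ has on a real binary. It makes reads of uninitialised
 * fields deterministic so the bug is visible in a test instead of depending
 * on whatever the previous owner of the heap chunk left behind.
 */
static void *poison_malloc(size_t n) {
  void *p = malloc(n);
  if (p != NULL) {
    memset(p, 0xAA, n);
  }
  return p;
}

/* Before the fix: only two fields are set, everything else is whatever
 * the allocator handed back. */
struct connection_info_struct *con_info_new_unsafe(void) {
  struct connection_info_struct *con_info = poison_malloc(sizeof(*con_info));
  if (con_info != NULL) {
    con_info->callback_first_iteration = 1;
    con_info->u_instance = NULL;
  }
  return con_info;
}

/* After the fix: zero the whole struct first, exactly as the one-line
 * patch does, then set the fields that need non-zero values. */
struct connection_info_struct *con_info_new_fixed(void) {
  struct connection_info_struct *con_info = poison_malloc(sizeof(*con_info));
  if (con_info != NULL) {
    memset(con_info, 0, sizeof(struct connection_info_struct));
    con_info->callback_first_iteration = 1;
    con_info->u_instance = NULL;
  }
  return con_info;
}

/* Returns 1 when every lazily-set field is in its "nothing received yet"
 * state, 0 when the teardown below would act on garbage. */
int con_info_is_pristine(const struct connection_info_struct *con_info) {
  return con_info != NULL
      && con_info->request_body == NULL
      && con_info->request_body_len == 0
      && con_info->has_post_processor == 0;
}

/* Teardown as run at request completion. With the unsafe constructor
 * request_body is 0xAAAA..., so free() would be handed a garbage pointer:
 * a crash of the kind the bug report describes. Only call this on a
 * struct built by con_info_new_fixed(). */
void con_info_free(struct connection_info_struct *con_info) {
  if (con_info == NULL) {
    return;
  }
  if (con_info->request_body != NULL) {
    free(con_info->request_body);
  }
  free(con_info);
}
```

The same pattern is found without a poisoning helper by running the real server under valgrind (uninitialised-value tracking) or with MALLOC_PERTURB_ set in the environment, which is how a one-byte heap chunk reuse turns from "works on my machine" into a reproducible segfault. Replacing the malloc with calloc at the allocation site is the other idiomatic fix; the debdiff's memset is equivalent and keeps the change confined to the block shown in the hunk.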

Re: request to send update packages for ulfius, rhonabwy and glewlwyd

2021-09-20 Thread Nicolas Mora

Hello Jonathan,

Thanks for your answer, I have a couple of questions though, to make 
sure I'm on the right track before the pu window closes. It's my first 
pu upload, so I'm a little confused.


On 2021-09-20 at 17:02, Jonathan Wiltshire wrote:

> Please see the guidance in the developer's reference [1] and use reportbug
> to submit your request(s). In particular you need to include a source
> debdiff of the proposed changes.

I followed the dev reference to make my changes but something's not clear 
to me.


I've opened the bug #994763 "Fix CVE-2021-40540 in bullseye", and I've been 
told to merge this bug with the original one (#993851) because it's 
not needed to file a separate bug for the suites in which I want to fix a bug.

So I just have to attach the debdiff files for bullseye and buster in 
the original bug #993851?


See diff file attached for the debdiff I intend to post.

After that, I can dput ftp-master the new packages. Am I correct?

Thanks!

/Nicolas
diff -Nru ulfius-2.7.1/debian/changelog ulfius-2.7.1/debian/changelog
--- ulfius-2.7.1/debian/changelog	2021-01-03 09:03:05.0 -0500
+++ ulfius-2.7.1/debian/changelog	2021-09-19 15:39:39.0 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+  * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora   Sun, 19 Sep 2021 15:39:39 -0400
+
 ulfius (2.7.1-1) unstable; urgency=medium
 
   * New upstream release
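Review bot: the changelog entry names the CVE but does not close a bug; add `(Closes: #994763)` (or #993851, if the two are merged as suggested in the thread) so the BTS is updated when the upload is accepted.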
diff -Nru ulfius-2.7.1/debian/patches/CVE-2021-40540.patch ulfius-2.7.1/debian/patches/CVE-2021-40540.patch
--- ulfius-2.7.1/debian/patches/CVE-2021-40540.patch	1969-12-31 19:00:00.0 -0500
+++ ulfius-2.7.1/debian/patches/CVE-2021-40540.patch	2021-09-19 15:39:20.0 -0400
@@ -0,0 +1,13 @@
+Description: Fix CVE-2021-40540
+Author: Nicolas Mora 
+Forwarded: not-needed
+--- a/src/ulfius.c
 b/src/ulfius.c
+@@ -207,6 +207,7 @@
+   UNUSED(cls);
+ 
+   if (con_info != NULL) {
++memset(con_info, 0, sizeof(struct connection_info_struct));
+ con_info->callback_first_iteration = 1;
+ con_info->u_instance = NULL;
+ u_map_init(_info->map_url_initial);
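Review bot: the DEP-3 header carries only Description, Author and Forwarded; since `Forwarded: not-needed` implies the maintainer is also upstream, an `Origin:` line pointing at the upstream commit and a `Bug-Debian:` line for #993851 would let the release team cross-check the fix. Separately, the context line `u_map_init(_info->map_url_initial)` is not valid C as rendered here (it reads like a truncated `&con_info->map_url_initial`); confirm the attached patch file is intact and applies cleanly with `quilt push -a` before dput.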
diff -Nru ulfius-2.7.1/debian/patches/series ulfius-2.7.1/debian/patches/series
--- ulfius-2.7.1/debian/patches/series	2021-01-03 09:03:05.0 -0500
+++ ulfius-2.7.1/debian/patches/series	2021-09-19 15:39:39.0 -0400
@@ -1,2 +1,3 @@
 examples.patch
 doc.patch
+CVE-2021-40540.patch


request to send update packages for ulfius, rhonabwy and glewlwyd

2021-09-20 Thread Nicolas Mora

Hello,

I would like to upload new versions for my packages ulfius, rhonabwy and 
glewlwyd in buster-updates for ulfius and bullseye-updates for the 3 of 
them.


The goal is to fix the following bugs:

- ulfius: CVE-2021-40540 (Bug #993851)
- rhonabwy: Bug #993866
- glewlwyd: CVE-2021-40818: webauthn buffer overflow (Bug #993867)

The update packages are ready on my machine, although the glibc 
transition [1] blocks the packages from being fixed in testing for now...


Thanks in advance for your feedback

/Nicolas

[1] https://tracker.debian.org/pkg/glibc



Re: how to patch package rhonabwy before bullseye release?

2021-07-04 Thread Nicolas Mora

Hi Pierre-Elliott, thanks for your help!

On 2021-07-04 at 06:12, Pierre-Elliott Bécue wrote:

> Have a look at [0].

Yes, that's why I'm asking for help. The full freeze is close but the 
bugs fixed are quite important, and since rhonabwy is a crypto library, 
they can lead to security issues.


> We are in the hard freeze part. If your package has passing non-trivial
> autopkgtest, it'll migrate from unstable to bullseye after 20 days
> without an unblock request. It is expected that your changes are non big
> and non-disruptive.


The package salsa repo [0] has been updated with the fix.

There's a d/rules minor change which isn't related to the bugs fixed:
d/rules: remove dpkg-shlibdeps from override_dh_auto_install
It's a leftover I forgot to remove before, but I can cancel this change 
since it's not important.


The bugfix itself is a single patch file [2].


> BUT, as the full freeze will probably start before the 20 days limit is
> reached, I can't say how your package migration will be handled. I guess
> it will be blocked. I would therefore recommend you confirm with a release
> team member what to do, but I guess an unblock bug with the debdiff opened
> right now could be a good idea and would probably allow your changes to be
> part of bullseye if the release-team see it fit. :)
>
>   1. Uploading to unstable for now is not a bad idea if the upload is
>  what you expect to see in testing
>   2. The urgency field is ignored during the currents and future parts
>  of the freeze.


Therefore I'm relying on the team wisdom.

Would you accept a new package in unstable, maybe with a high urgency?

I can also wait for bullseye release and push the new package in 
proposed-updates?


Thanks!

/Nicolas

[0] https://salsa.debian.org/debian-iot-team/oauth2/rhonabwy
[2] 
https://salsa.debian.org/debian-iot-team/oauth2/rhonabwy/-/blob/master/debian/patches/bugfixes.patch




how to patch package rhonabwy before bullseye release?

2021-07-03 Thread Nicolas Mora

Hello release team,

I'm maintaining the package rhonabwy [1] in the Debian IoT team, as well 
as being the upstream author.


Recently, I've fixed two bugs in the library that I'd like to backport 
to the debian package in the bullseye release, I consider them to be 
important bugfixes.


Do I have to open a RC bug before pushing the package or can I just push 
a new package?

Also, do I have to set the urgency higher than medium?

Thanks in advance, sorry if my questions are dumb.

/Nicolas

[1] https://tracker.debian.org/pkg/rhonabwy


OpenPGP_0xFE82139440BD22B9.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature


Re: Asking advice for libssh2

2021-04-02 Thread Nicolas Mora

Hello team,

On 2021-04-02 at 16:28, Paul Gevers wrote:

> Let's not do that this late in the release. We'll have the full bookworm
> release to iron out corner case issues.


I agree, there's no rush

The license issue can be discussed again when bullseye is released; 
meanwhile the package should use libgcrypt, as it does in bullseye.


So I imagine there's nothing to do here, the unstable package is blocked 
from migration [1] and will stay as is until unfreeze I guess?


/Nicolas

[1] https://tracker.debian.org/pkg/libssh2




Asking advice for libssh2

2021-03-28 Thread Nicolas Mora

Hello team,

I'm the maintainer of libssh2 [1]. There was an old bug with this 
package asking to switch from libgcrypt to openssl [2].


The issue was with the OpenSSL license, which had consequences for its rdeps.

The ftp-master team came up with a solution for the OpenSSL license [3]. 
This solution allows to use openssl in libssh2.


Therefore I uploaded a new package for libssh2 yesterday, hoping the 
libssh2-with-openssl package will be available for bullseye.


But because of the hard freeze, this has to be manually allowed.

I recently added autopkgtests to the libssh2 package and try to keep it 
as clean as possible, but I'm aware this is a key package so changes may 
be potentially dangerous, especially before a release.


Therefore I'm asking your opinion on whether it would be wise to release 
libssh2-with-openssl in bullseye? The package uses libgcrypt for a long 
time now. And on second thought I wouldn't mind waiting another release 
for what could potentially break other packages.


Thanks in advance for your feedback

/Nicolas

[1] https://tracker.debian.org/pkg/libssh2
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
[3] 
http://meetbot.debian.net/debian-ftp/2020/debian-ftp.2020-03-13-20.02.html

