Processed: Re: Bug#1054455: bullseye-pu: package weborf/0.17-3

2023-12-19 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1054455 [release.debian.org] bullseye-pu: package weborf/0.17-3
Added tag(s) confirmed.

-- 
1054455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1054455: bullseye-pu: package weborf/0.17-3

2023-12-19 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Sat, Nov 04, 2023 at 10:34:49PM +0100, Salvo Tomaselli wrote:
> +Author: Salvo "LtWorf" Tomaselli 
> +Origin: upstream
> +Bug: 

DEP-3 says Origin should normally be a URL; 'upstream' is a prefix. The
Bug field should also be fixed or removed; with those fixes, please go
ahead.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1054455: bullseye-pu: package weborf/0.17-3

2023-11-04 Thread Salvatore Bonaccorso
Hi Salvo,

On Tue, Oct 24, 2023 at 09:58:30AM +0200, Salvo Tomaselli wrote:
> > This version was already used:
> > https://snapshot.debian.org/package/weborf/0.17-4/
> 
> Sorry!
> 
> Attaching a new debdiff file with the correct version

Now there is an off-by-one in the distro version :)

I believe it should be 0.17-3+deb11u1.

Regards,
Salvatore



Bug#1054455: bullseye-pu: package weborf/0.17-3

2023-10-24 Thread Sebastian Ramacher
On 2023-10-23 23:23:07 +0200, Salvo "LtWorf" Tomaselli wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
> Control: affects -1 + src:weborf
> 
> I have found a denial of service in all versions of weborf.
> 
> It is tracked in #1054417 and solved in 1.0 upstream. 
> https://github.com/ltworf/weborf/pull/88
> 
> The issue is fixed in unstable but remains in stable and oldstable.
> 
> [ Reason ]
> The bug has been there undetected for years. The fix is minimal.
> 
> [ Impact ]
> The denial of service and extremely unlikely but theoretically possible
> remote execution issue will remain.
> 
> The issue exists only if the process has CGI enabled (not the default).
> 
> [ Tests ]
> 
> There are no automated tests covering the issue.
> 
> [ Risks ]
> 
> The patch is just 3 lines.
> 
> [ Checklist ]
>   [*] *all* changes are documented in the d/changelog
>   [*] I reviewed all changes and I approve them
>   [*] attach debdiff against the package in (old)stable
>   [*] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> A patch to remove a memory allocation and copy, where I forgot a +1 in the
> copy.
> 
> The resulting code just reuses the same buffer instead of copying, which was
> not needed to begin with.
> 
> [ Other info ]
> 
> Tracked in CVE-2023-46586

> diff -Nru weborf-0.17/debian/changelog weborf-0.17/debian/changelog
> --- weborf-0.17/debian/changelog  2020-12-31 15:13:19.0 +0100
> +++ weborf-0.17/debian/changelog  2023-10-23 18:40:22.0 +0200
> @@ -1,3 +1,9 @@
> +weborf (0.17-4) bullseye; urgency=medium

This version was already used: 
https://snapshot.debian.org/package/weborf/0.17-4/

Cheers

> +
> +  * Backport patch from upstream to fix denial of service (Closes: 1054417)
> +
> + -- Salvo 'LtWorf' Tomaselli   Mon, 23 Oct 2023 
> 18:40:22 +0200
> +
>  weborf (0.17-3) unstable; urgency=medium
>  
>* Disable most of the test suite (flaky on debian builders)
> diff -Nru weborf-0.17/debian/patches/cgi_buffer_fix.patch 
> weborf-0.17/debian/patches/cgi_buffer_fix.patch
> --- weborf-0.17/debian/patches/cgi_buffer_fix.patch   1970-01-01 
> 01:00:00.0 +0100
> +++ weborf-0.17/debian/patches/cgi_buffer_fix.patch   2023-10-23 
> 18:40:22.0 +0200
> @@ -0,0 +1,25 @@
> +Description: Fix incorrect memory operation
> + The original code failed to take into account the space needed for the
> + null terminator.
> + .
> + The patch just avoids the copy altogether, because it was not needed.
> +Author: Salvo "LtWorf" Tomaselli 
> +Origin: upstream
> +Bug: 
> +Bug-Debian: https://bugs.debian.org/1054417
> +Forwarded: not-needed
> +Applied-Upstream: 1.0
> +Last-Update: 2023-10-23
> +
> +--- weborf-0.19.orig/cgi.c
>  weborf-0.19/cgi.c
> +@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
> + environ = NULL; //Clear env vars
> + 
> + if (strlen(executor) == 0) {
> +-executor = malloc(connection_prop->strfile_len + 1);
> +-strncpy(executor, connection_prop->strfile, 
> connection_prop->strfile_len);
> ++executor = connection_prop->strfile;
> + }
> + 
> + cgi_set_http_env_vars(connection_prop->http_param);
> diff -Nru weborf-0.17/debian/patches/series weborf-0.17/debian/patches/series
> --- weborf-0.17/debian/patches/series 2020-12-31 15:13:19.0 +0100
> +++ weborf-0.17/debian/patches/series 2023-10-23 18:40:22.0 +0200
> @@ -1,2 +1,3 @@
>  0001-sleep_in_http
>  002-disable_tests
> +cgi_buffer_fix.patch


-- 
Sebastian Ramacher



Bug#1054455: bullseye-pu: package weborf/0.17-3

2023-10-23 Thread Salvo "LtWorf" Tomaselli
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
Control: affects -1 + src:weborf

I have found a denial of service in all versions of weborf.

It is tracked in #1054417 and solved in 1.0 upstream. 
https://github.com/ltworf/weborf/pull/88

The issue is fixed in unstable but remains in stable and oldstable.

[ Reason ]
The bug has been there undetected for years. The fix is minimal.

[ Impact ]
The denial of service and extremely unlikely but theoretically possible
remote execution issue will remain.

The issue exists only if the process has CGI enabled (not the default).

[ Tests ]

There are no automated tests covering the issue.

[ Risks ]

The patch is just 3 lines.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

A patch to remove a memory allocation and copy, where I forgot a +1 in the copy.

The resulting code just reuses the same buffer instead of copying, which was not
needed to begin with.

[ Other info ]

Tracked in CVE-2023-46586
diff -Nru weborf-0.17/debian/changelog weborf-0.17/debian/changelog
--- weborf-0.17/debian/changelog2020-12-31 15:13:19.0 +0100
+++ weborf-0.17/debian/changelog2023-10-23 18:40:22.0 +0200
@@ -1,3 +1,9 @@
+weborf (0.17-4) bullseye; urgency=medium
+
+  * Backport patch from upstream to fix denial of service (Closes: 1054417)
+
+ -- Salvo 'LtWorf' Tomaselli   Mon, 23 Oct 2023 18:40:22 
+0200
+
 weborf (0.17-3) unstable; urgency=medium
 
   * Disable most of the test suite (flaky on debian builders)
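Review bot: the new changelog entry's version 0.17-4 collides with a version already in the archive (the thread points to https://snapshot.debian.org/package/weborf/0.17-4/), and the follow-up in this thread names 0.17-3+deb11u1 as the correct bullseye update version, so the `weborf (0.17-4) bullseye; urgency=medium` line needs to change before upload. While re-rolling the entry, adding CVE-2023-46586 from [ Other info ] alongside `Closes: 1054417` would let the changelog and the security tracker cross-reference each other.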
diff -Nru weborf-0.17/debian/patches/cgi_buffer_fix.patch 
weborf-0.17/debian/patches/cgi_buffer_fix.patch
--- weborf-0.17/debian/patches/cgi_buffer_fix.patch 1970-01-01 
01:00:00.0 +0100
+++ weborf-0.17/debian/patches/cgi_buffer_fix.patch 2023-10-23 
18:40:22.0 +0200
@@ -0,0 +1,25 @@
+Description: Fix incorrect memory operation
+ The original code failed to take into account the space needed for the
+ null terminator.
+ .
+ The patch just avoids the copy altogether, because it was not needed.
+Author: Salvo "LtWorf" Tomaselli 
+Origin: upstream
+Bug: 
+Bug-Debian: https://bugs.debian.org/1054417
+Forwarded: not-needed
+Applied-Upstream: 1.0
+Last-Update: 2023-10-23
+
+--- weborf-0.19.orig/cgi.c
 weborf-0.19/cgi.c
+@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
+ environ = NULL; //Clear env vars
+ 
+ if (strlen(executor) == 0) {
+-executor = malloc(connection_prop->strfile_len + 1);
+-strncpy(executor, connection_prop->strfile, 
connection_prop->strfile_len);
++executor = connection_prop->strfile;
+ }
+ 
+ cgi_set_http_env_vars(connection_prop->http_param);
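Review bot: the DEP-3 header of cgi_buffer_fix.patch has `Origin: upstream` without a URL and an empty `Bug:` line; as the later review in this thread says, `upstream` is only a prefix and Origin should carry the upstream reference (the report already links https://github.com/ltworf/weborf/pull/88), and the empty `Bug:` should be filled in or dropped. The `--- weborf-0.19.orig/cgi.c` path also names 0.19 while the package is 0.17, and the following `+++` line has lost its leading `+` as reproduced here, so it is worth confirming that the patch applies cleanly to the bullseye tree with quilt. On the change itself, `executor = connection_prop->strfile;` replaces a private (previously unterminated) copy with an alias of a buffer owned by connection_prop; that is correct provided nothing later writes to or frees `executor` in cgi_execute_child, which one sentence in the Description would make explicit.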
diff -Nru weborf-0.17/debian/patches/series weborf-0.17/debian/patches/series
--- weborf-0.17/debian/patches/series   2020-12-31 15:13:19.0 +0100
+++ weborf-0.17/debian/patches/series   2023-10-23 18:40:22.0 +0200
@@ -1,2 +1,3 @@
 0001-sleep_in_http
 002-disable_tests
+cgi_buffer_fix.patch
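The unterminated copy that the [ Changes ] section and cgi_buffer_fix.patch describe, as an added example that is not weborf's own code: `strfile` and `strfile_len` stand in for `connection_prop->strfile` and `connection_prop->strfile_len` from the hunk, and the buffer is pre-filled so the missing terminator shows up deterministically instead of depending on stale heap contents.

```c
#include <stdlib.h>
#include <string.h>

/* 'Before' pattern from the hunk: the +1 is in malloc() but not in the strncpy()
 * count, so the last byte is never written. Pre-filling with 'X' stands in for
 * whatever stale bytes a real malloc() would hand back. */
char *copy_unterminated(const char *strfile, size_t strfile_len)
{
    char *executor = malloc(strfile_len + 1);
    if (executor == NULL)
        return NULL;
    memset(executor, 'X', strfile_len + 1);
    strncpy(executor, strfile, strfile_len);   /* at most strfile_len bytes; no NUL when src fills them */
    return executor;
}

/* Correct private copy: copy the bytes, then write the terminator explicitly. */
char *copy_terminated(const char *strfile, size_t strfile_len)
{
    char *executor = malloc(strfile_len + 1);
    if (executor == NULL)
        return NULL;
    memcpy(executor, strfile, strfile_len);
    executor[strfile_len] = '\0';
    return executor;
}

/* 1 if a NUL lies within the strfile_len + 1 allocated bytes, so strlen() or
 * exec*() on the buffer stay inside it; 0 if they would read past the end. */
int is_terminated(const char *executor, size_t strfile_len)
{
    return memchr(executor, '\0', strfile_len + 1) != NULL;
}

/* Returns 1 when the 'before' copy is unterminated and the fixed copy is a
 * faithful, terminated duplicate; 0 otherwise (including allocation failure). */
int check_copies(const char *strfile)
{
    size_t strfile_len = strlen(strfile);
    char *bad = copy_unterminated(strfile, strfile_len);
    char *good = copy_terminated(strfile, strfile_len);
    int ok = bad && good
          && !is_terminated(bad, strfile_len)
          && is_terminated(good, strfile_len)
          && memcmp(good, strfile, strfile_len + 1) == 0;
    free(bad);
    free(good);
    return ok;
}
```

The shipped fix takes a third route and drops the copy entirely, letting `executor` alias `connection_prop->strfile`; that is sound as long as that buffer outlives its use and is never freed through `executor`.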