Processed: Re: Bug#1054455: bullseye-pu: package weborf/0.17-3
Processing control commands:

> tag -1 confirmed
Bug #1054455 [release.debian.org] bullseye-pu: package weborf/0.17-3
Added tag(s) confirmed.

--
1054455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054455
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1054455: bullseye-pu: package weborf/0.17-3
Control: tag -1 confirmed

On Sat, Nov 04, 2023 at 10:34:49PM +0100, Salvo Tomaselli wrote:
> +Author: Salvo "LtWorf" Tomaselli
> +Origin: upstream
> +Bug:

DEP-3 says Origin should normally be a URL, 'upstream' is a prefix. The Bug field should also be fixed or removed; with those fixes, please go ahead.

Thanks,

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1054455: bullseye-pu: package weborf/0.17-3
Hi Salvo,

On Tue, Oct 24, 2023 at 09:58:30AM +0200, Salvo Tomaselli wrote:
> > This version was already used:
> > https://snapshot.debian.org/package/weborf/0.17-4/
>
> Sorry!
>
> Attaching a new debdiff file with the correct version

Now there is an off-by-one in the distro version :) I believe it should be 0.17-3+deb11u1.

Regards,
Salvatore
Bug#1054455: bullseye-pu: package weborf/0.17-3
On 2023-10-23 23:23:07 +0200, Salvo "LtWorf" Tomaselli wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
> Control: affects -1 + src:weborf
>
> I have found a denial of service in all versions of weborf.
>
> It is tracked in #1054417 and solved in 1.0 upstream.
> https://github.com/ltworf/weborf/pull/88
>
> The issue is fixed in unstable but remains in stable and oldstable.
>
> [ Reason ]
> The bug has been there undetected for years. The fix is minimal.
>
> [ Impact ]
> The denial of service and extremely unlikely but theoretically possible
> remote execution issue will remain.
>
> The issue exists only if the process has CGI enabled (not the default).
>
> [ Tests ]
>
> There are no automated tests covering the issue.
>
> [ Risks ]
>
> The patch is just 3 lines.
>
> [ Checklist ]
> [*] *all* changes are documented in the d/changelog
> [*] I reviewed all changes and I approve them
> [*] attach debdiff against the package in (old)stable
> [*] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> A patch to remove a memory allocation and copy, where I forgot a +1 in the
> copy.
>
> The resulting code just reuses the same buffer instead of copying, which was
> not needed to begin with.
>
> [ Other info ]
>
> Tracked in CVE-2023-46586
> diff -Nru weborf-0.17/debian/changelog weborf-0.17/debian/changelog
> --- weborf-0.17/debian/changelog 2020-12-31 15:13:19.0 +0100
> +++ weborf-0.17/debian/changelog 2023-10-23 18:40:22.0 +0200
> @@ -1,3 +1,9 @@ > +weborf (0.17-4) bullseye; urgency=medium This version was already used: https://snapshot.debian.org/package/weborf/0.17-4/ Cheers > + > + * Backport patch from upstream to fix denial of service (Closes: 1054417) > + > + -- Salvo 'LtWorf' Tomaselli Mon, 23 Oct 2023 > 18:40:22 +0200 > + > weborf (0.17-3) unstable; urgency=medium > >* Disable most of the test suite (flaky on debian builders) > diff -Nru weborf-0.17/debian/patches/cgi_buffer_fix.patch > weborf-0.17/debian/patches/cgi_buffer_fix.patch > --- weborf-0.17/debian/patches/cgi_buffer_fix.patch 1970-01-01 > 01:00:00.0 +0100 > +++ weborf-0.17/debian/patches/cgi_buffer_fix.patch 2023-10-23 > 18:40:22.0 +0200 > @@ -0,0 +1,25 @@ > +Description: Fix incorrect memory operation > + The original code failed to take into account the space needed for the > + null terminator. > + . > + The patch just avoids the copy altogether, because it was not needed. > +Author: Salvo "LtWorf" Tomaselli > +Origin: upstream > +Bug: > +Bug-Debian: https://bugs.debian.org/1054417 > +Forwarded: not-needed > +Applied-Upstream: 1.0 > +Last-Update: 2023-10-23 > + > +--- weborf-0.19.orig/cgi.c > weborf-0.19/cgi.c > +@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con > + environ = NULL; //Clear env vars > + > + if (strlen(executor) == 0) { > +-executor = malloc(connection_prop->strfile_len + 1); > +-strncpy(executor, connection_prop->strfile, > connection_prop->strfile_len); > ++executor = connection_prop->strfile; > + } > + > + cgi_set_http_env_vars(connection_prop->http_param); > diff -Nru weborf-0.17/debian/patches/series weborf-0.17/debian/patches/series > --- weborf-0.17/debian/patches/series 2020-12-31 15:13:19.0 +0100 > +++ weborf-0.17/debian/patches/series 2023-10-23 18:40:22.0 +0200 > @@ -1,2 +1,3 @@ > 0001-sleep_in_http > 002-disable_tests > +cgi_buffer_fix.patch -- Sebastian Ramacher
Bug#1054455: bullseye-pu: package weborf/0.17-3
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
Control: affects -1 + src:weborf

I have found a denial of service in all versions of weborf.

It is tracked in #1054417 and solved in 1.0 upstream.
https://github.com/ltworf/weborf/pull/88

The issue is fixed in unstable but remains in stable and oldstable.

[ Reason ]
The bug has been there undetected for years. The fix is minimal.

[ Impact ]
The denial of service and extremely unlikely but theoretically possible remote execution issue will remain.

The issue exists only if the process has CGI enabled (not the default).

[ Tests ]

There are no automated tests covering the issue.

[ Risks ]

The patch is just 3 lines.

[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]

A patch to remove a memory allocation and copy, where I forgot a +1 in the copy.

The resulting code just reuses the same buffer instead of copying, which was not needed to begin with.

[ Other info ]

Tracked in CVE-2023-46586

diff -Nru weborf-0.17/debian/changelog weborf-0.17/debian/changelog
--- weborf-0.17/debian/changelog2020-12-31 15:13:19.0 +0100
+++ weborf-0.17/debian/changelog2023-10-23 18:40:22.0 +0200
@@ -1,3 +1,9 @@ +weborf (0.17-4) bullseye; urgency=medium + + * Backport patch from upstream to fix denial of service (Closes: 1054417) + + -- Salvo 'LtWorf' Tomaselli Mon, 23 Oct 2023 18:40:22 +0200 + weborf (0.17-3) unstable; urgency=medium * Disable most of the test suite (flaky on debian builders) diff -Nru weborf-0.17/debian/patches/cgi_buffer_fix.patch weborf-0.17/debian/patches/cgi_buffer_fix.patch --- weborf-0.17/debian/patches/cgi_buffer_fix.patch 1970-01-01 01:00:00.0 +0100 +++ weborf-0.17/debian/patches/cgi_buffer_fix.patch 2023-10-23 18:40:22.0 +0200 @@ -0,0 +1,25 @@ +Description: Fix incorrect memory operation + The original code failed to take into account the space needed for the + null terminator. + . + The patch just avoids the copy altogether, because it was not needed. +Author: Salvo "LtWorf" Tomaselli +Origin: upstream +Bug: +Bug-Debian: https://bugs.debian.org/1054417 +Forwarded: not-needed +Applied-Upstream: 1.0 +Last-Update: 2023-10-23 + +--- weborf-0.19.orig/cgi.c weborf-0.19/cgi.c +@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con + environ = NULL; //Clear env vars + + if (strlen(executor) == 0) { +-executor = malloc(connection_prop->strfile_len + 1); +-strncpy(executor, connection_prop->strfile, connection_prop->strfile_len); ++executor = connection_prop->strfile; + } + + cgi_set_http_env_vars(connection_prop->http_param); diff -Nru weborf-0.17/debian/patches/series weborf-0.17/debian/patches/series --- weborf-0.17/debian/patches/series 2020-12-31 15:13:19.0 +0100 +++ weborf-0.17/debian/patches/series 2023-10-23 18:40:22.0 +0200 @@ -1,2 +1,3 @@ 0001-sleep_in_http 002-disable_tests +cgi_buffer_fix.patch
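Review bot: the version in the changelog hunk, `weborf (0.17-4) bullseye; urgency=medium`, is already taken by an existing upload (https://snapshot.debian.org/package/weborf/0.17-4/), so this debdiff cannot be accepted as is; a bullseye update of 0.17-3 should be versioned 0.17-3+deb11u1, as Salvatore proposes further up the thread, and the entry's trailer line (`-- Salvo 'LtWorf' Tomaselli Mon, 23 Oct 2023 18:40:22 +0200`) should be regenerated with the new version. While the entry is being redone, naming CVE-2023-46586 next to `(Closes: 1054417)` would let the security tracker pick the fix up from the changelog.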
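Review bot: the DEP-3 header in the `cgi_buffer_fix.patch` hunk is incomplete: `Origin: upstream` should carry the upstream pull-request URL that the report already names (https://github.com/ltworf/weborf/pull/88), and the empty `Bug:` line should point at an upstream bug or be dropped, since `Bug-Debian: https://bugs.debian.org/1054417` already records the Debian side. The Description is also slightly off: `malloc(connection_prop->strfile_len + 1)` did reserve the terminator byte; it was `strncpy(..., connection_prop->strfile_len)` that copied one byte too few and left that byte unwritten, which matches the submitter's "forgot a +1 in the copy". Two things to confirm before upload: the embedded diff shows `--- weborf-0.19.orig/cgi.c` with no `+++` line in this rendering, so check that the file on disk has both headers and that quilt applies it to the 0.17 tree; and `++executor = connection_prop->strfile;` turns `executor` into an alias of the request buffer instead of a private copy, which is only correct if nothing later in `cgi_execute_child` frees or writes through `executor`; those lines are outside the hunk.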
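Review bot: style only, in the `debian/patches/series` hunk: the new entry `cgi_buffer_fix.patch` breaks the naming pattern of the existing entries (`0001-sleep_in_http`, `002-disable_tests`), which are numbered and carry no extension; `003-cgi_buffer_fix` would keep the series ordered and consistent.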
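As an added illustration of the defect the report describes (this is not code from weborf or from the patch): the C program below reproduces the pattern of the removed lines, `malloc(len + 1)` followed by `strncpy(dst, src, len)`, checks whether the result is NUL-terminated, and shows the two ways out: copying the terminator along with the string, or, as the upstream fix does, not copying at all and reusing the existing buffer. The 0xFF fill that stands in for whatever `malloc()` leaves behind, the sample path and all function names are constructed for this example.

```c
/*
 * Added example, not weborf code: why strncpy() with n == strlen(src)
 * leaves the destination without a terminator, and two correct alternatives.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if buf[0..len] contains a NUL, i.e. the string is terminated
 * within the len+1 bytes that were allocated for it. */
int is_terminated(const char *buf, size_t len) {
    return memchr(buf, '\0', len + 1) != NULL;
}

/* The pattern from the removed lines: room for len+1 bytes is allocated,
 * but strncpy() copies only len bytes, so the source's NUL never arrives
 * and dst[len] keeps whatever the allocator left there. */
char *copy_unterminated(const char *src, size_t len) {
    char *dst = malloc(len + 1);
    if (!dst) return NULL;
    memset(dst, 0xFF, len + 1);   /* constructed: stand-in for malloc() garbage */
    strncpy(dst, src, len);       /* n == strlen(src): no NUL is copied */
    return dst;
}

/* Fix A: copy len+1 bytes so the terminator comes along with the string. */
char *copy_with_terminator(const char *src, size_t len) {
    char *dst = malloc(len + 1);
    if (!dst) return NULL;
    memcpy(dst, src, len + 1);
    return dst;
}

/* Fix B (the approach the upstream patch chose): when the caller does not
 * need an owned buffer, do not copy at all and alias the existing string.
 * Safe only as long as the alias is never freed or written through. */
const char *use_existing_buffer(const char *src) {
    return src;
}

/* Runs the three variants on a constructed path and returns a bitmask of
 * which ones yield a terminated string: bit0 = strncpy variant (expected
 * clear), bit1 = memcpy variant (expected set), bit2 = alias variant
 * (expected set). Returns -1 on allocation failure. */
int check_variants(void) {
    const char *path = "/var/www/cgi-bin/app.cgi";   /* constructed sample */
    size_t len = strlen(path);
    int result = 0;

    char *a = copy_unterminated(path, len);
    char *b = copy_with_terminator(path, len);
    const char *c = use_existing_buffer(path);
    if (!a || !b) { free(a); free(b); return -1; }

    if (is_terminated(a, len)) result |= 1;
    if (is_terminated(b, len)) result |= 2;
    if (is_terminated(c, len)) result |= 4;

    free(a);
    free(b);
    return result;
}

int main(void) {
    int r = check_variants();
    printf("strncpy copy terminated: %s\n", (r & 1) ? "yes" : "no");
    printf("memcpy copy terminated:  %s\n", (r & 2) ? "yes" : "no");
    printf("aliased buffer terminated: %s\n", (r & 4) ? "yes" : "no");
    return r == 6 ? 0 : 1;
}
```

The check in `is_terminated()` is the kind of assertion a unit test for a CGI path-handling routine can make directly; with real `malloc()` memory the missing terminator shows up non-deterministically (often only under ASan or Valgrind), which is why the example pins the stale byte to a known value.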