Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
gerbv is a utility for viewing Gerber RS-274X files, Excellon drill files, and CSV files for pick-and-place data. Gerber files are used for communicating printed circuit board (PCB) designs to PCB manufacturers.

[ Reason ]
The gerbv upstream project got in contact via the pkg-electronics-devel mailing list to inform us about a security issue in gerbv that was found by the Cisco Talos team. That issue got the CVE number CVE-2021-40391.

https://alioth-lists.debian.net/pipermail/pkg-electronics-devel/2021-November/008221.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40391

This issue was fixed with the release of version 2.7.1; buster was released with version 2.7.0, so this version is affected by the CVE. Debian testing and unstable are on version 2.8.1 for gerbv at the time of writing.

[ Impact ]
Users of the unpatched gerbv version from the buster release might be affected by unwanted code execution and loss of data.

[ Tests ]
Currently there are no automated or manual tests available to check the fix for this issue.

[ Risks ]
Nearly zero, the fix for this is quite non-intrusive and really small (basically it's just one line of code).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The whole change to get the CVE fixed is adding one line of code within the C file drill.c: within the function drill_parse_T_code() a 'return -1' is needed to solve the issue.

[ Other info ]
Anton Gladky from the LTS team did an upload of version 2.6.1-2+deb9u1 to fix this issue for Debian 9.

https://tracker.debian.org/news/1283553/accepted-gerbv-261-2deb9u1-source-into-oldoldstable/

The debdiff between the old version 2.7.0-1 in buster and the prepared version gerbv_2.7.0-1+deb10u1 is added here as it's not that big.
diff -Nru gerbv-2.7.0/debian/changelog gerbv-2.7.0/debian/changelog --- gerbv-2.7.0/debian/changelog 2019-02-18 17:57:45.000000000 +0100 +++ gerbv-2.7.0/debian/changelog 2021-12-05 09:29:11.000000000 +0100 @@ -1,3 +1,14 @@ +gerbv (2.7.0-1+deb10u1) buster; urgency=medium + + * Build for buster + * [c33610a] Rebuild patch queue from patch-queue branch + Added patch: + security/Fix-TALOS-2021-1402.patch + Fixing CVE-2021-40391 + * [09244b9] d/gbp.conf: Adjust to branch debian/buster + + -- Carsten Schoenert <c.schoen...@t-online.de> Sun, 05 Dec 2021 09:29:11 +0100 + gerbv (2.7.0-1) unstable; urgency=medium * [ac52385] d/gbp.conf: adding helper for git-buildpackage diff -Nru gerbv-2.7.0/debian/gbp.conf gerbv-2.7.0/debian/gbp.conf --- gerbv-2.7.0/debian/gbp.conf 2019-02-18 17:55:34.000000000 +0100 +++ gerbv-2.7.0/debian/gbp.conf 2021-12-05 09:29:03.000000000 +0100 @@ -5,7 +5,7 @@ pristine-tar = True # generate gz compressed orig.tar file compression = gz -debian-branch = debian/sid +debian-branch = debian/buster upstream-branch = upstream [pq] @@ -13,7 +13,7 @@ [dch] id-length = 7 -debian-branch = debian/sid +debian-branch = debian/buster [import-orig] # filter out unwanted files/dirs from upstream diff -Nru gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch --- gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch 1970-01-01 01:00:00.000000000 +0100 +++ gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch 2021-12-05 09:26:42.000000000 +0100 
@@ -0,0 +1,27 @@ +From: eyal0 <109809+ey...@users.noreply.github.com> +Date: Tue, 26 Oct 2021 21:39:25 -0600 +Subject: Fix TALOS-2021-1402 + +See issue #30 + +This commit fixes CVE-2021-40391. Background information can be found on +this URL. +https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402 + +Forwarded: https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e +--- + src/drill.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/drill.c b/src/drill.c +index bc90524..414872d 100644 +--- a/src/drill.c ++++ b/src/drill.c +@@ -1115,6 +1115,7 @@ drill_parse_T_code(gerb_file_t *fd, drill_state_t *state, + _("Out of bounds drill number %d " + "at line %ld in file \"%s\""), + tool_num, file_line, fd->filename); ++ return -1; + } + + /* Set the current tool to the correct one */ diff -Nru gerbv-2.7.0/debian/patches/series gerbv-2.7.0/debian/patches/series --- gerbv-2.7.0/debian/patches/series 2019-02-18 17:56:38.000000000 +0100 +++ gerbv-2.7.0/debian/patches/series 2021-12-05 09:26:42.000000000 +0100 @@ -5,3 +5,4 @@ debian-hacks/crossbuild-use-PKG_PROG_PKG_CONFIG-instead-of-AC_PATH_PRO.patch fixes/man-page-fix-misspelled-excercise-exercise.patch fixes/Fix-Werror-format-security-problem.patch +security/Fix-TALOS-2021-1402.patch I've uploaded gerbv_2.7.0-1+deb10u1 with the target buster, please consider accepting this upload to get into the next point release. Thanks! Regards Carsten
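Review bot: the hunk at src/drill.c:1115 in drill_parse_T_code() adds `return -1;` directly after the "Out of bounds drill number" message and before the `/* Set the current tool to the correct one */` block, so the rejected tool_num no longer reaches the tool-selection code, but the hunk does not show how the call site treats a -1 return; please confirm that the caller either checks for it or that parsing stays consistent when the T code is skipped without a selected tool, and that the guarding condition just above the context lines rejects negative values as well as values at or beyond the tool table size, since only the message and the new return are visible here.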
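Review bot: the DEP-3 header of debian/patches/security/Fix-TALOS-2021-1402.patch records the upstream commit under `Forwarded:`, which describes whether a patch was sent upstream; for a patch backported from an upstream commit the matching field is `Origin: upstream, https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e` (with `Forwarded: not-needed` or no Forwarded line at all), and a `Bug:` line carrying the Talos report URL already quoted in the description would let tooling link the patch to the advisory without parsing free text.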
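Review bot: the debian/changelog hunk for 2.7.0-1+deb10u1 names CVE-2021-40391, which is what the security tracker matches on, but it closes no bug; if the CVE has an entry in the Debian BTS, add the corresponding `Closes: #...` to the "Fixing CVE-2021-40391" item so the bug is closed on acceptance, and consider folding the `* Build for buster` item into the CVE item, since the version and distribution line already say that.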
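The [ Changes ] section above describes the fix as one early return placed after the out-of-bounds report. As an added illustration, which is not gerbv's source code and not part of this bug report, the following C program puts the unfixed shape of such a parser (report the bad tool number, then keep using it as an index) next to the fixed shape (report it, then return -1 before the index is stored), and runs both on a constructed hostile T code. TOOL_MAX, drill_state_t, the "T<n>..." line format and all function names here are assumptions chosen for the example.

```c
/* Added example, not gerbv's code: reconstruction of the bug class behind the
 * one-line fix (log an out-of-range tool number, then keep using it) next to
 * the fixed shape (return -1 before the index is used). TOOL_MAX,
 * drill_state_t and the "T<n>..." line format are assumptions. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define TOOL_MAX 32                 /* assumed size of the tool table */

typedef struct {
    double diameter[TOOL_MAX];      /* indexed by tool number */
    int    curr_tool;               /* 0: no tool selected yet */
} drill_state_t;

/* Read the integer after a leading 'T' ("T07C0.8" -> 7). Returns -1 when the
 * line is not a T code or carries no usable number. */
static int read_tool_number(const char *line)
{
    char *end;
    long n;

    if (line[0] != 'T')
        return -1;
    n = strtol(line + 1, &end, 10);
    if (end == line + 1 || n < 0 || n > INT_MAX)
        return -1;
    return (int)n;
}

/* Unfixed shape: the range check only reports the problem and execution
 * falls through, so the rejected value still becomes the current tool. */
int parse_T_code_unfixed(drill_state_t *state, const char *line, long file_line)
{
    int tool_num = read_tool_number(line);

    if (tool_num <= 0 || tool_num >= TOOL_MAX) {
        fprintf(stderr, "Out of bounds drill number %d at line %ld\n",
                tool_num, file_line);
        /* no return here: this is the missing line */
    }
    state->curr_tool = tool_num;    /* later used as diameter[curr_tool] */
    return tool_num;
}

/* Fixed shape: the early return keeps the out-of-range value out of the state. */
int parse_T_code_fixed(drill_state_t *state, const char *line, long file_line)
{
    int tool_num = read_tool_number(line);

    if (tool_num <= 0 || tool_num >= TOOL_MAX) {
        fprintf(stderr, "Out of bounds drill number %d at line %ld\n",
                tool_num, file_line);
        return -1;                  /* the one-line fix */
    }
    state->curr_tool = tool_num;
    return tool_num;
}

/* True when a tool index can be used on diameter[] without leaving the array. */
int index_in_bounds(int tool)
{
    return tool >= 0 && tool < TOOL_MAX;
}

/* Run one line through a fresh state with each parser shape and report the
 * resulting curr_tool, so the two can be compared directly. */
int curr_tool_after_unfixed(const char *line)
{
    drill_state_t state = {0};
    parse_T_code_unfixed(&state, line, 1);
    return state.curr_tool;
}

int curr_tool_after_fixed(const char *line)
{
    drill_state_t state = {0};
    parse_T_code_fixed(&state, line, 1);
    return state.curr_tool;
}

int main(void)
{
    const char *hostile = "T99999C1.0";     /* constructed malicious T code */
    int unfixed = curr_tool_after_unfixed(hostile);
    int fixed = curr_tool_after_fixed(hostile);

    printf("unfixed: curr_tool=%d in_bounds=%d\n", unfixed, index_in_bounds(unfixed));
    printf("fixed:   curr_tool=%d in_bounds=%d\n", fixed, index_in_bounds(fixed));
    return 0;
}
```

The unfixed parser leaves curr_tool at 99999 (or at -1 for a line like "T-5"), which any later diameter[curr_tool] access turns into an out-of-bounds read or write; the fixed parser leaves the state untouched and reports failure through its return value, which is why the reviewer question about the call site matters.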