Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I have prepared an upload libgetdata_0.10.0-5+deb10u1 which fixes CVE-2021-20204. Security team has marked this CVE as no-dsa and recommended to use a point release to fix this CVE.

Diff is attached.

Regards

Anton

diff -Nru libgetdata-0.10.0/debian/changelog libgetdata-0.10.0/debian/changelog --- libgetdata-0.10.0/debian/changelog 2018-07-08 16:05:59.000000000 +0200 +++ libgetdata-0.10.0/debian/changelog 2021-05-13 23:20:53.000000000 +0200 @@ -1,3 +1,10 @@ +libgetdata (0.10.0-5+deb10u1) buster; urgency=medium + + * Team upload. + * Fix CVE-2021-20204. + + -- Anton Gladky <gl...@debian.org> Thu, 13 May 2021 23:20:53 +0200 + libgetdata (0.10.0-5) unstable; urgency=medium * Rebuild for python3.7 support diff -Nru libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch --- libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch 2021-05-13 23:20:53.000000000 +0200 @@ -0,0 +1,24 @@ +Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL + Fix for CVE-2021-20204 +Author: Anton Gladky <gl...@debian.org> +Bug-Debian: https://bugs.debian.org/988239 +Last-Update: 2021-05-09 + +Index: libgetdata/src/parse.c +=================================================================== +--- libgetdata.orig/src/parse.c ++++ libgetdata/src/parse.c +@@ -2501,9 +2501,12 @@ char *_GD_ParseFragment(FILE *restrict f + match = _GD_ParseDirective(D, p, in_cols, n_cols, me, &ref_name, + &outstring, tok_pos); + +- if (D->error == GD_E_OK && !match) ++ if (D->error == GD_E_OK && !match) { + first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]), + NULL, me, 0, 1, &outstring, tok_pos); ++ if (first_raw == NULL) ++ _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL); ++ } + + if (D->error == GD_E_FORMAT) { + /* call the callback for this error */ diff -Nru libgetdata-0.10.0/debian/patches/series libgetdata-0.10.0/debian/patches/series --- libgetdata-0.10.0/debian/patches/series 2018-07-08 16:05:59.000000000 +0200 +++ libgetdata-0.10.0/debian/patches/series 2021-05-13 23:20:13.000000000 +0200 
@@ -1 +1,2 @@ #python3.patch +CVE-2021-20204.patch
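
Review bot: in the `_GD_ParseFragment` hunk carried by CVE-2021-20204.patch, the new `if (first_raw == NULL)` test does not look at `D->error` before calling `_GD_SetError`. If `_GD_ParseFieldSpec` has already recorded an error of its own (for example `GD_E_FORMAT`), then unless `_GD_SetError` preserves an earlier error it is replaced by `GD_E_BAD_DIRFILE`, and the `if (D->error == GD_E_FORMAT)` callback branch directly below is no longer reached for that line. Consider `if (first_raw == NULL && D->error == GD_E_OK)`. The hunk also does not show whether `_GD_ParseFieldSpec` can return NULL for a valid field specification (the variable is named `first_raw`); please confirm that NULL always means failure here, since otherwise valid format lines would now be rejected, and add a test dirfile covering both the crashing input and an ordinary one.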
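
Review bot: the changelog entry `* Fix CVE-2021-20204.` in the debian/changelog hunk names neither the patch file that was added nor the bug given in the patch header (`Bug-Debian: https://bugs.debian.org/988239`). Suggest wording along the lines of `* Add CVE-2021-20204.patch: raise an error if _GD_ParseFieldSpec returns NULL.` with a reference to that bug, so the entry can be read without opening the diff.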