Squeeze LTS update for dulwich
Hi,
attached is the debdiff for dulwich fixing CVE-2015-0838. Since this
is my first LTS upload, I'd be happy about somebody having a second
look.
The fix is a straight cherry pick from Wheezy.
Cheers,
-- Guido
diff --git a/debian/changelog b/debian/changelog
index 87cc441..af8f8e9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+dulwich (0.6.1-1+deb6u1) squeeze-lts; urgency=high
+
+ * CVE-2015-0838: Fix buffer overflow in C version of apply_delta()
+
+ -- Guido Günther <agx@sigxcpu.org> Tue, 26 May 2015 21:46:59 +0200
+
dulwich (0.6.1-1) unstable; urgency=low
* New upstream release.
diff --git a/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
new file mode 100644
index 0000000..beee163
--- /dev/null
+++ b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
@@ -0,0 +1,59 @@
+From: =?utf-8?q?Jelmer_Vernoo=C4=B3?= <jelmer@google.com>
+Date: Fri, 22 May 2015 15:01:47 +0200
+Subject: CVE-2015-0838: Fix buffer overflow in C version of apply_delta()
+
+Cheery-picked from upstream commmit
+1c7e06f6ae53cf4a755fe734db7114be67daf35b.
+---
+ dulwich/_pack.c | 8 ++++++--
+ dulwich/tests/test_pack.py | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/dulwich/_pack.c b/dulwich/_pack.c
+index ee79b40..c6ab327 100644
+--- a/dulwich/_pack.c
++++ b/dulwich/_pack.c
+@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
+ break;
+ memcpy(out+outindex, src_buf+cp_off, cp_size);
+ outindex += cp_size;
++ dest_size -= cp_size;
+ } else if (cmd != 0) {
++ if (cmd > dest_size)
++ break;
+ memcpy(out+outindex, delta+index, cmd);
+ outindex += cmd;
+- index += cmd;
++ index += cmd;
++ dest_size -= cmd;
+ } else {
+ PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
+ Py_DECREF(ret);
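Review bot: The literal-insert branch now bounds `cmd` against the remaining output with `if (cmd > dest_size) break;`, but nothing visible in this hunk bounds it against the bytes left in `delta`, so `memcpy(out+outindex, delta+index, cmd)` may read past the end of the delta buffer when the input ends in a literal opcode that claims more bytes than follow. Unless the loop outside the hunk already guarantees this, the guard should cover the source side too, e.g. `if (cmd > dest_size || cmd > delta_len - index) break;` (this assumes the delta length is held in `delta_len`, which would be declared outside the hunk; confirm the name). The copy branch depends on the condition just above the first `break;`, also outside the hunk, to reject `cp_size > dest_size` before `dest_size -= cp_size` runs. That is worth confirming against the Squeeze source, since py_apply_delta's body starts and ends outside the hunk.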
+@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
+ return NULL;
+ }
+
+- if (dest_size != outindex) {
++ if (dest_size != 0) {
+ PyErr_SetString(PyExc_ValueError, "dest size incorrect");
+ Py_DECREF(ret);
+ return NULL;
+diff --git a/dulwich/tests/test_pack.py b/dulwich/tests/test_pack.py
+index b6aea48..2bbd674 100644
+--- a/dulwich/tests/test_pack.py
++++ b/dulwich/tests/test_pack.py
+@@ -155,6 +155,14 @@ class TestPackDeltas(TestCase):
+ def test_overflow(self):
+ self._test_roundtrip(self.test_string_empty, self.test_string_big)
+
++ def test_dest_overflow(self):
++ self.assertRaises(
++ ValueError,
++ apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
++ self.assertRaises(
++ ValueError,
++ apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
++
+
+ class TestPackData(PackTests):
+ """Tests getting the data from the packfile."""
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7a0b9eb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch