Squeeze LTS update for dulwich

To: debian-lts@lists.debian.org
Cc: Jelmer Vernooij <jelmer@samba.org>
Subject: Squeeze LTS update for dulwich
From: Guido Günther <agx@sigxcpu.org>
Date: Tue, 26 May 2015 22:12:20 +0200
Message-id: <[🔎] 20150526201220.GA8883@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, debian-lts@lists.debian.org, Jelmer Vernooij <jelmer@samba.org>

Hi,
attached is the debdiff for dulwich fixing CVE-2015-0838. Since this
is might first LTS upload it'd be happy about somebody having a second
look.

The fix is a straight cherry pick from Wheezy.

Cheers,
 -- Guido

diff --git a/debian/changelog b/debian/changelog
index 87cc441..af8f8e9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+dulwich (0.6.1-1+deb6u1) squeeze-lts; urgency=high
+
+  * CVE-2015-0838: Fix buffer overflow in C version of apply_delta()
+
+ -- Guido Günther <agx@sigxcpu.org>  Tue, 26 May 2015 21:46:59 +0200
+
 dulwich (0.6.1-1) unstable; urgency=low
 
   * New upstream release.
diff --git a/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
new file mode 100644
index 0000000..beee163
--- /dev/null
+++ b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
@@ -0,0 +1,59 @@
+From: =?utf-8?q?Jelmer_Vernoo=C4=B3?= <jelmer@google.com>
+Date: Fri, 22 May 2015 15:01:47 +0200
+Subject: CVE-2015-0838: Fix buffer overflow in C version of apply_delta()
+
+Cheery-picked from upstream commmit
+1c7e06f6ae53cf4a755fe734db7114be67daf35b.
+---
+ dulwich/_pack.c            | 8 ++++++--
+ dulwich/tests/test_pack.py | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/dulwich/_pack.c b/dulwich/_pack.c
+index ee79b40..c6ab327 100644
+--- a/dulwich/_pack.c
++++ b/dulwich/_pack.c
+@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
+                 break;
+ 			memcpy(out+outindex, src_buf+cp_off, cp_size);
+ 			outindex += cp_size;
++			dest_size -= cp_size;
+ 		} else if (cmd != 0) {
++			if (cmd > dest_size)
++				break;
+ 			memcpy(out+outindex, delta+index, cmd);
+ 			outindex += cmd;
+-            index += cmd;
++			index += cmd;
++			dest_size -= cmd;
+ 		} else {
+ 			PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
+ 			Py_DECREF(ret);
+@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
+ 		return NULL;
+ 	}
+ 
+-	if (dest_size != outindex) {
++	if (dest_size != 0) {
+         PyErr_SetString(PyExc_ValueError, "dest size incorrect");
+ 		Py_DECREF(ret);
+ 		return NULL;
+diff --git a/dulwich/tests/test_pack.py b/dulwich/tests/test_pack.py
+index b6aea48..2bbd674 100644
+--- a/dulwich/tests/test_pack.py
++++ b/dulwich/tests/test_pack.py
+@@ -155,6 +155,14 @@ class TestPackDeltas(TestCase):
+     def test_overflow(self):
+         self._test_roundtrip(self.test_string_empty, self.test_string_big)
+ 
++    def test_dest_overflow(self):
++        self.assertRaises(
++            ValueError,
++            apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
++        self.assertRaises(
++            ValueError,
++            apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
++
+ 
+ class TestPackData(PackTests):
+     """Tests getting the data from the packfile."""
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7a0b9eb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch

Reply to:

Follow-Ups:
- Re: Squeeze LTS update for dulwich
  - From: Jelmer Vernooij <jelmer@debian.org>

Prev by Date: Review squeeze-lts exactimage/0.8.1-3+deb6u4
Next by Date: Re: Squeeze LTS update for dulwich
Previous by thread: Re: Review squeeze-lts exactimage/0.8.1-3+deb6u4
Next by thread: Re: Squeeze LTS update for dulwich
Index(es):
- Date
- Thread