
Re: Squeeze LTS update for dulwich



s/Cheery/Cherry/

Other than that, looks good to me.

Thanks for backporting this!

Cheers,

Jelmer

On Tue, May 26, 2015 at 10:12:20PM +0200, Guido Günther wrote:
> Hi,
> attached is the debdiff for dulwich fixing CVE-2015-0838. Since this
> is my first LTS upload I'd be happy about somebody having a second
> look.
> 
> The fix is a straight cherry pick from Wheezy.
> 
> Cheers,
>  -- Guido

> diff --git a/debian/changelog b/debian/changelog
> index 87cc441..af8f8e9 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,9 @@
> +dulwich (0.6.1-1+deb6u1) squeeze-lts; urgency=high
> +
> +  * CVE-2015-0838: Fix buffer overflow in C version of apply_delta()
> +
> + -- Guido Günther <agx@sigxcpu.org>  Tue, 26 May 2015 21:46:59 +0200
> +
>  dulwich (0.6.1-1) unstable; urgency=low
>  
>    * New upstream release.
> diff --git a/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
> new file mode 100644
> index 0000000..beee163
> --- /dev/null
> +++ b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
> @@ -0,0 +1,59 @@
> +From: =?utf-8?q?Jelmer_Vernoo=C4=B3?= <jelmer@google.com>
> +Date: Fri, 22 May 2015 15:01:47 +0200
> +Subject: CVE-2015-0838: Fix buffer overflow in C version of apply_delta()
> +
> +Cheery-picked from upstream commmit
> +1c7e06f6ae53cf4a755fe734db7114be67daf35b.
> +---
> + dulwich/_pack.c            | 8 ++++++--
> + dulwich/tests/test_pack.py | 8 ++++++++
> + 2 files changed, 14 insertions(+), 2 deletions(-)
> +
> +diff --git a/dulwich/_pack.c b/dulwich/_pack.c
> +index ee79b40..c6ab327 100644
> +--- a/dulwich/_pack.c
> ++++ b/dulwich/_pack.c
> +@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
> +                 break;
> + 			memcpy(out+outindex, src_buf+cp_off, cp_size);
> + 			outindex += cp_size;
> ++			dest_size -= cp_size;
> + 		} else if (cmd != 0) {
> ++			if (cmd > dest_size)
> ++				break;
> + 			memcpy(out+outindex, delta+index, cmd);
> + 			outindex += cmd;
> +-            index += cmd;
> ++			index += cmd;
> ++			dest_size -= cmd;
> + 		} else {
> + 			PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
> + 			Py_DECREF(ret);
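Review bot: the new `if (cmd > dest_size) break;` in the insert branch leaves the loop without setting a Python exception, so rejecting an oversized insert depends entirely on the checks after the loop. When `dest_size` has already reached 0 and another insert opcode follows, the break leaves `dest_size == 0`, which a remaining-size check on its own would accept; that case is only rejected if a separate post-loop check notices the unconsumed delta bytes. Raising ValueError at the point of detection, as the `Invalid opcode 0` branch does, would make the check self-contained. The copy branch's own bounds check sits above the visible context, so it is worth confirming that it compares `cp_size` against the remaining `dest_size` before the new `dest_size -= cp_size`.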
> +@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
> + 		return NULL;
> + 	}
> + 
> +-	if (dest_size != outindex) {
> ++	if (dest_size != 0) {
> +         PyErr_SetString(PyExc_ValueError, "dest size incorrect");
> + 		Py_DECREF(ret);
> + 		return NULL;
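Review bot: `dest_size` in `if (dest_size != 0)` now means bytes still expected rather than the total output length, but the name and the "dest size incorrect" message are unchanged. Both the insert-branch bound and this final check rely on every opcode branch decrementing it, so a one-line comment at the check, or a rename to something like a remaining-bytes counter, would keep a later edit from adding a branch that forgets the decrement.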
> +diff --git a/dulwich/tests/test_pack.py b/dulwich/tests/test_pack.py
> +index b6aea48..2bbd674 100644
> +--- a/dulwich/tests/test_pack.py
> ++++ b/dulwich/tests/test_pack.py
> +@@ -155,6 +155,14 @@ class TestPackDeltas(TestCase):
> +     def test_overflow(self):
> +         self._test_roundtrip(self.test_string_empty, self.test_string_big)
> + 
> ++    def test_dest_overflow(self):
> ++        self.assertRaises(
> ++            ValueError,
> ++            apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
> ++        self.assertRaises(
> ++            ValueError,
> ++            apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
> ++
> + 
> + class TestPackData(PackTests):
> +     """Tests getting the data from the packfile."""
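Review bot: the two delta strings in `test_dest_overflow` are opaque byte literals with no comment saying which code path each one drives. A short comment per case, stating the declared source and destination sizes and whether it exercises the copy or the insert opcode, would show that both patched branches in `_pack.c` are covered. The test also asserts only `ValueError`, so it cannot distinguish the new bounds rejection from an unrelated parse error raised earlier.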
> diff --git a/debian/patches/series b/debian/patches/series
> new file mode 100644
> index 0000000..7a0b9eb
> --- /dev/null
> +++ b/debian/patches/series
> @@ -0,0 +1 @@
> +CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch
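Review bot: `debian/patches/series` is created here (`new file mode`, `--- /dev/null`), so the package carried no patch series before this upload. Please confirm that the source format or `debian/rules` actually applies `debian/patches/` at build time, for example by checking that the unpacked `dulwich/_pack.c` contains the `dest_size` changes; otherwise the changelog would claim a fix that is not in the built extension.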

