[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: buffer overflow vulnerability in netmask 2.3.12

On 2019-02-06 01:59:58, Guilhem Moulin wrote:
> Dear LTS team,

Hi Guilhem!

> A buffer overflow vulnerability was recently found in the netmask
> package (a small utility that helps determining network masks):
>     https://github.com/tlby/netmask/issues/3
> The Security Team argued that the version in stretch (2.4.3-1) doesn't
> warrant a DSA as the program is built with hardening options enabled
> (thus turning the buffer overflow vulnerability into an harmless clash),
> but that's not the case for the version in jessie (2.3.12), so I guess
> it makes sense to upload a +deb8u1.


> I attach a debdiff with a trivial fix backported from 2.4.4, more
> specifically the ‘errors.c’ part of
>     https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c
> For convenience, you can also find the source package at
>     dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc
> Notes:
>  * I only started maintaining this package after jessie was frozen, but
>    the previous maintainer is no longer active and I thus took the
>    liberty to update the ‘Maintainer’ field in d/control accordingly.

While this is usually a superfluous change, I think that in this case it
makes sense so we know who to talk with the next time a problem happens
(which will hopefully be never :).

>  * Before 2.4.2-1 the package was (incorrectly) native, so in this
>    jessie-security package I applied the fix directly to the upstream
>    source rather than going via a patch series.
>  * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
>    instructions regarding this.

Sorry, forwarded where? Did I miss something?

Ideally, we would have at least one Debian-specific tracking number if
we don't have a CVE. A bug in the BTS would do, for example. I'd be
happy to do that administrativa if you wish.


The patch otherwise looks sound and should be uploaded.

I believe the next step is to:

 1. open a bug report in the BTS
 2. mention it in the changelog
 3. upload the package to security-master
 4. issue a DLA when the package is accepted

I'd be happy, like anyone else in the LTS team I'm sure, to take on any
or all of those tasks, at your discretion.


Un éducateur dans l'âme ne prend rien au sérieux que par rapport
à ses disciples -- soi-même non excepté.
                        - Nietzsche, "Par delà le bien et le mal"

Reply to: