On Fri, 28 Aug 2009 07:37:30 +0200, Florian Weimer wrote:
> * Florian Weimer:
> > * gregor herrmann:
> >>> * Bas Zoetekouw:
> >>> > Could you please advise whether it's ok to upload an NMU with the above
> >>> > patch to stable-security?
> >>> Sure. Please send the debdiff for review first.
> >>
> >> Thanks, debdiff attached.
> >>
> >> Please tell me if it's ok or if I should change anything.
> >
> > Please rebuild the patch without using quilt. We don't change build
> > systems in security updates. Thanks.
>
> Oh, and considering that CVE-2009-1391 will be fixed through
> stable-proposed-updates, we should fix this bug through s-p-u, too.
> So please send your final patch to debian-release@ instead of
> security@ (and you need to change the suite to
> {old,}stable-proposed-updates, not build with -sa, and eventually
> upload to ftp-master instead of security-master).
Ok, here we go.
Dear release team, attached is the debdiff for a possible upload to
s-p-u for libcompress-raw-bzip2-perl that fixes CVE-2009-1884 /
#542777.
(I've also built the package on an amd64 lenny system and ran the test
proposed by Niko in #542777.)
Please advise on how to proceed.
Cheers,
gregor
--
.''`. http://info.comodo.priv.at/ -- GPG Key IDs: 0x00F3CFE4, 0x8649AA06
: :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
`. `' Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
`- NP: Fleetwood Mac: You Make Loving Fun
diff -u libcompress-raw-bzip2-perl-2.011/debian/changelog libcompress-raw-bzip2-perl-2.011/debian/changelog
--- libcompress-raw-bzip2-perl-2.011/debian/changelog
+++ libcompress-raw-bzip2-perl-2.011/debian/changelog
@@ -1,3 +1,11 @@
+libcompress-raw-bzip2-perl (2.011-2lenny1) stable-proposed-updates; urgency=high
+
+ * Non-maintainer upload on maintainer's request.
+ * [SECURITY] CVE-2009-1884: fix off-by-one error in the bzinflate function
+ in Bzip2.xs. Closes: #542777
+
+ -- gregor herrmann <gregoa@debian.org> Thu, 27 Aug 2009 23:54:27 +0200
+
libcompress-raw-bzip2-perl (2.011-2) unstable; urgency=low
* Fix the binary-arch target.
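Review bot: the distribution field and version suffix (stable-proposed-updates, 2.011-2lenny1) match the s-p-u guidance in the quoted reply, so nothing to change there; one documentation suggestion for the CVE-2009-1884 line is to mention, if known, the upstream version that carries the equivalent Bzip2.xs fix, so the origin of the backported one-liner stays traceable from the changelog alone.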
only in patch2:
unchanged:
--- libcompress-raw-bzip2-perl-2.011.orig/Bzip2.xs
+++ libcompress-raw-bzip2-perl-2.011/Bzip2.xs
@@ -753,7 +753,7 @@
if (s->stream.avail_out == 0) {
/* out of space in the output buffer so make it bigger */
- Sv_Grow(output, SvLEN(output) + bufinc) ;
+ Sv_Grow(output, SvLEN(output) + bufinc +1) ;
cur_length += increment ;
s->stream.next_out = (char*) SvPVbyte_nolen(output) + cur_length ;
increment = bufinc ;
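Review bot: the added "+1" on the Sv_Grow line is a bare magic number; a one-line comment next to it saying why one extra byte is reserved (the off-by-one the changelog names) would spare the next reader a trip to the bug report, and the spacing should follow the surrounding style, i.e. "Sv_Grow(output, SvLEN(output) + bufinc + 1) ;" rather than "bufinc +1". Since cur_length and next_out are recomputed from the grown buffer right below, it is also worth confirming in the full function that this is the only place the output buffer is grown, so no other allocation path is left one byte short.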