[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

libsmi: security unblock



Hello,

Please unblock  libsmi.  It fixes  CVE-2010-2891. I also  ship correctly
Debian.NEWS in this release.

diff --git a/debian/NEWS.Debian b/debian/NEWS.Debian
deleted file mode 100644
index 7ffe084..0000000
--- a/debian/NEWS.Debian
+++ /dev/null
@@ -1,9 +0,0 @@
-libsmi (0.4.8+dfsg2-2) unstable; urgency=low
-
-  * MIB that were shipped in libsmi2-common were non-free: most of them
-    were licensed under the same license than the corresponding IETF
-    RFC. Therefore, libsmi2-common package becomes empty and suggests
-    snmp-mibs-downloader instead which should propose to download MIB from
-    Internet.
-
- -- Vincent Bernat <bernat@debian.org>  Thu, 03 Dec 2009 20:38:36 +0100
diff --git a/debian/changelog b/debian/changelog
index aaeae6e..dfd1783 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libsmi (0.4.8+dfsg2-3) unstable; urgency=high
+
+  * Really ship Debian.NEWS.
+  * Fix CVE-2010-2891: buffer overflow when handling large OID.
+  * Update Standards-Version to 3.9.1.
+
+ -- Vincent Bernat <bernat@debian.org>  Sat, 23 Oct 2010 15:17:37 +0200
+
 libsmi (0.4.8+dfsg2-2) unstable; urgency=low
 
   * Suggest snmp-mibs-downloader, a package in contrib that will download
diff --git a/debian/control b/debian/control
index 48723e8..1692bec 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Priority: optional
 Maintainer: Vincent Bernat <bernat@debian.org>
 Build-Depends: flex, bison, debhelper (>= 5), autotools-dev, quilt
 Section: libs
-Standards-Version: 3.8.3
+Standards-Version: 3.9.1
 Homepage: http://www.ibr.cs.tu-bs.de/projects/libsmi/
 Vcs-Browser: http://git.debian.org/?p=collab-maint/libsmi.git
 Vcs-Git: git://git.debian.org/git/collab-maint/libsmi.git
diff --git a/debian/libsmi2-common.NEWS b/debian/libsmi2-common.NEWS
new file mode 100644
index 0000000..82f2e24
--- /dev/null
+++ b/debian/libsmi2-common.NEWS
@@ -0,0 +1,9 @@
+libsmi (0.4.8+dfsg2-3) unstable; urgency=high
+
+  MIB that were shipped in libsmi2-common were non-free: most of them
+  were licensed under the same license than the corresponding IETF
+  RFC. Therefore, libsmi2-common package becomes empty and suggests
+  snmp-mibs-downloader instead which should propose to download MIB
+  from Internet.
+
+ -- Vincent Bernat <bernat@debian.org>  Thu, 03 Dec 2009 20:38:36 +0100
diff --git a/debian/patches/cve-2010-2891.patch b/debian/patches/cve-2010-2891.patch
new file mode 100644
index 0000000..832524f
--- /dev/null
+++ b/debian/patches/cve-2010-2891.patch
@@ -0,0 +1,23 @@
+Fix for CVE-2010-2891
+
+Index: libsmi/lib/smi.c
+===================================================================
+--- libsmi/lib/smi.c	(révision 29144)
++++ libsmi/lib/smi.c	(révision 29145)
+@@ -1793,10 +1793,15 @@
+     }
+ 
+     if (isdigit((int)node2[0])) {
+-	for (oidlen = 0, p = strtok(node2, ". "); p;
++	for (oidlen = 0, p = strtok(node2, ". ");
++	     p && oidlen < sizeof(oid)/sizeof(oid[0]);
+ 	     oidlen++, p = strtok(NULL, ". ")) {
+ 	    oid[oidlen] = strtoul(p, NULL, 0);
+ 	}
++	if (p) {
++	    /* the numeric OID is too long */
++	    return NULL;
++	}
+ 	nodePtr = getNode(oidlen, oid);
+ 	if (nodePtr) {
+ 	    if (modulePtr) {
diff --git a/debian/patches/series b/debian/patches/series
index 3d94a38..57e8181 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 smi-display-string.patch
 smistrip.patch
+cve-2010-2891.patch
-- 
Make the coupling between modules visible.
            - The Elements of Programming Style (Kernighan & Plauger)

Attachment: pgpY6mKrVTbcI.pgp
Description: PGP signature


Reply to: