Hello, Please unblock libsmi. It fixes CVE-2010-2891. I also ship correctly Debian.NEWS in this release.
diff --git a/debian/NEWS.Debian b/debian/NEWS.Debian deleted file mode 100644 index 7ffe084..0000000 --- a/debian/NEWS.Debian +++ /dev/null @@ -1,9 +0,0 @@ -libsmi (0.4.8+dfsg2-2) unstable; urgency=low - - * MIB that were shipped in libsmi2-common were non-free: most of them - were licensed under the same license than the corresponding IETF - RFC. Therefore, libsmi2-common package becomes empty and suggests - snmp-mibs-downloader instead which should propose to download MIB from - Internet. - - -- Vincent Bernat <bernat@debian.org> Thu, 03 Dec 2009 20:38:36 +0100 diff --git a/debian/changelog b/debian/changelog index aaeae6e..dfd1783 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libsmi (0.4.8+dfsg2-3) unstable; urgency=high + + * Really ship Debian.NEWS. + * Fix CVE-2010-2891: buffer overflow when handling large OID. + * Update Standards-Version to 3.9.1. + + -- Vincent Bernat <bernat@debian.org> Sat, 23 Oct 2010 15:17:37 +0200 + libsmi (0.4.8+dfsg2-2) unstable; urgency=low * Suggest snmp-mibs-downloader, a package in contrib that will download diff --git a/debian/control b/debian/control index 48723e8..1692bec 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Priority: optional Maintainer: Vincent Bernat <bernat@debian.org> Build-Depends: flex, bison, debhelper (>= 5), autotools-dev, quilt Section: libs -Standards-Version: 3.8.3 +Standards-Version: 3.9.1 Homepage: http://www.ibr.cs.tu-bs.de/projects/libsmi/ Vcs-Browser: http://git.debian.org/?p=collab-maint/libsmi.git Vcs-Git: git://git.debian.org/git/collab-maint/libsmi.git diff --git a/debian/libsmi2-common.NEWS b/debian/libsmi2-common.NEWS new file mode 100644 index 0000000..82f2e24 --- /dev/null +++ b/debian/libsmi2-common.NEWS @@ -0,0 +1,9 @@ +libsmi (0.4.8+dfsg2-3) unstable; urgency=high + + MIB that were shipped in libsmi2-common were non-free: most of them + were licensed under the same license than the corresponding IETF + RFC. Therefore, libsmi2-common package becomes empty and suggests + snmp-mibs-downloader instead which should propose to download MIB + from Internet. + + -- Vincent Bernat <bernat@debian.org> Thu, 03 Dec 2009 20:38:36 +0100 diff --git a/debian/patches/cve-2010-2891.patch b/debian/patches/cve-2010-2891.patch new file mode 100644 index 0000000..832524f --- /dev/null +++ b/debian/patches/cve-2010-2891.patch @@ -0,0 +1,23 @@ +Fix for CVE-2010-2891 + +Index: libsmi/lib/smi.c +=================================================================== +--- libsmi/lib/smi.c (révision 29144) ++++ libsmi/lib/smi.c (révision 29145) +@@ -1793,10 +1793,15 @@ + } + + if (isdigit((int)node2[0])) { +- for (oidlen = 0, p = strtok(node2, ". "); p; ++ for (oidlen = 0, p = strtok(node2, ". "); ++ p && oidlen < sizeof(oid)/sizeof(oid[0]); + oidlen++, p = strtok(NULL, ". ")) { + oid[oidlen] = strtoul(p, NULL, 0); + } ++ if (p) { ++ /* the numeric OID is too long */ ++ return NULL; ++ } + nodePtr = getNode(oidlen, oid); + if (nodePtr) { + if (modulePtr) { diff --git a/debian/patches/series b/debian/patches/series index 3d94a38..57e8181 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ smi-display-string.patch smistrip.patch +cve-2010-2891.patch
-- Make the coupling between modules visible. - The Elements of Programming Style (Kernighan & Plauger)
Attachment:
pgpgB1oNWLVZd.pgp
Description: PGP signature