Hello, Please unblock libsmi. It fixes CVE-2010-2891. I also ship correctly Debian.NEWS in this release.
diff --git a/debian/NEWS.Debian b/debian/NEWS.Debian
deleted file mode 100644
index 7ffe084..0000000
--- a/debian/NEWS.Debian
+++ /dev/null
@@ -1,9 +0,0 @@
-libsmi (0.4.8+dfsg2-2) unstable; urgency=low
-
- * MIB that were shipped in libsmi2-common were non-free: most of them
- were licensed under the same license than the corresponding IETF
- RFC. Therefore, libsmi2-common package becomes empty and suggests
- snmp-mibs-downloader instead which should propose to download MIB from
- Internet.
-
- -- Vincent Bernat <bernat@debian.org> Thu, 03 Dec 2009 20:38:36 +0100
diff --git a/debian/changelog b/debian/changelog
index aaeae6e..dfd1783 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libsmi (0.4.8+dfsg2-3) unstable; urgency=high
+
+ * Really ship Debian.NEWS.
+ * Fix CVE-2010-2891: buffer overflow when handling large OID.
+ * Update Standards-Version to 3.9.1.
+
+ -- Vincent Bernat <bernat@debian.org> Sat, 23 Oct 2010 15:17:37 +0200
+
libsmi (0.4.8+dfsg2-2) unstable; urgency=low
* Suggest snmp-mibs-downloader, a package in contrib that will download
diff --git a/debian/control b/debian/control
index 48723e8..1692bec 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Priority: optional
Maintainer: Vincent Bernat <bernat@debian.org>
Build-Depends: flex, bison, debhelper (>= 5), autotools-dev, quilt
Section: libs
-Standards-Version: 3.8.3
+Standards-Version: 3.9.1
Homepage: http://www.ibr.cs.tu-bs.de/projects/libsmi/
Vcs-Browser: http://git.debian.org/?p=collab-maint/libsmi.git
Vcs-Git: git://git.debian.org/git/collab-maint/libsmi.git
diff --git a/debian/libsmi2-common.NEWS b/debian/libsmi2-common.NEWS
new file mode 100644
index 0000000..82f2e24
--- /dev/null
+++ b/debian/libsmi2-common.NEWS
@@ -0,0 +1,9 @@
+libsmi (0.4.8+dfsg2-3) unstable; urgency=high
+
+ MIB that were shipped in libsmi2-common were non-free: most of them
+ were licensed under the same license than the corresponding IETF
+ RFC. Therefore, libsmi2-common package becomes empty and suggests
+ snmp-mibs-downloader instead which should propose to download MIB
+ from Internet.
+
+ -- Vincent Bernat <bernat@debian.org> Thu, 03 Dec 2009 20:38:36 +0100
diff --git a/debian/patches/cve-2010-2891.patch b/debian/patches/cve-2010-2891.patch
new file mode 100644
index 0000000..832524f
--- /dev/null
+++ b/debian/patches/cve-2010-2891.patch
@@ -0,0 +1,23 @@
+Fix for CVE-2010-2891
+
+Index: libsmi/lib/smi.c
+===================================================================
+--- libsmi/lib/smi.c (révision 29144)
++++ libsmi/lib/smi.c (révision 29145)
+@@ -1793,10 +1793,15 @@
+ }
+
+ if (isdigit((int)node2[0])) {
+- for (oidlen = 0, p = strtok(node2, ". "); p;
++ for (oidlen = 0, p = strtok(node2, ". ");
++ p && oidlen < sizeof(oid)/sizeof(oid[0]);
+ oidlen++, p = strtok(NULL, ". ")) {
+ oid[oidlen] = strtoul(p, NULL, 0);
+ }
++ if (p) {
++ /* the numeric OID is too long */
++ return NULL;
++ }
+ nodePtr = getNode(oidlen, oid);
+ if (nodePtr) {
+ if (modulePtr) {
diff --git a/debian/patches/series b/debian/patches/series
index 3d94a38..57e8181 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
smi-display-string.patch
smistrip.patch
+cve-2010-2891.patch
--
Make the coupling between modules visible.
- The Elements of Programming Style (Kernighan & Plauger)
Attachment:
pgpgB1oNWLVZd.pgp
Description: PGP signature