Hi,

In response to #627503, I had prepared a stable-security upload of tinyproxy to address this issue. After discussing with jmm, we're discarding doing a DSA for this issue as an exploit can't happen if an attacker doesn't control the configuration file.

He thinks the patch would be fine for s-p-u though, so I'm attaching the following patch so the upload can be considered.

-- 
Jordi Mallach Pérez -- Debian developer http://www.debian.org/
jordi@sindominio.net jordi@debian.org http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/

Index: squeeze/debian/changelog
===================================================================
--- squeeze/debian/changelog (revision 18458)
+++ squeeze/debian/changelog (revision 19756)
@@ -1,3 +1,13 @@
+tinyproxy (1.8.2-1squeeze2) stable; urgency=low
+
+ * Add validate_port_number.patch: validate port number specified in Port
+ directive, to avoid possible buffer overflows that could allow for
+ access restriction bypasses [CVE-2011-1843] (closes: #627503).
+ As the configuration file is under the control of the admin, this is
+ not considered a security issue.
+
+ -- Jordi Mallach <jordi@debian.org> Mon, 02 Jan 2012 15:05:27 +0100
+
tinyproxy (1.8.2-1squeeze1) stable-security; urgency=low
* Add netmask_generation.patch: fix bug in ACL netmask generation,
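Review bot: The new changelog entry says the patch avoids "possible buffer overflows that could allow for access restriction bypasses" and cites CVE-2011-1843, then states it is "not considered a security issue", which reads as a contradiction. Consider stating the precondition in the same sentence as the impact: the value comes from the Port directive in the admin-controlled configuration file. That way a reader of the changelog sees at once why the urgency is low and why the target is stable instead of stable-security, as it was for 1.8.2-1squeeze1.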
Index: squeeze/debian/patches/validate_port_number.patch
===================================================================
--- squeeze/debian/patches/validate_port_number.patch (revision 0)
+++ squeeze/debian/patches/validate_port_number.patch (revision 19756)
@@ -0,0 +1,29 @@
+From: Mukund Sivaraman <muks@banu.com>
+Subject: Validate port number specified in Port directive
+Origin: https://banu.com/cgit/tinyproxy/commit/?h=1.8&id=95a6f8259c0e19d980f8dfe54c33c21d4ab9fe86
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627503
+---
+diff --git a/src/conf.c b/src/conf.c
+index b16b8e9..59630a2 100644
+--- a/src/conf.c
++++ b/src/conf.c
+@@ -779,7 +779,15 @@ static HANDLE_FUNC (handle_bindsame)
+
+ static HANDLE_FUNC (handle_port)
+ {
+- return set_int_arg (&conf->port, line, &match[2]);
++ set_int_arg (&conf->port, line, &match[2]);
++
++ if (conf->port > 65535) {
++ fprintf (stderr, "Bad port number (%d) supplied for Port.\n",
++ conf->port);
++ return 1;
++ }
++
++ return 0;
+ }
+
+ static HANDLE_FUNC (handle_maxclients)
+--
+cgit
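Review bot: The range check in handle_port only has an upper bound (conf->port > 65535), so if conf->port is a signed type, as the %d in the error message suggests, zero or negative values still pass validation; consider also rejecting values below 1. Separately, the old code returned the result of set_int_arg directly, while the new code discards it and always returns 0 unless the upper-bound check fires, so a failure reported by set_int_arg is no longer propagated to the caller. Suggest capturing that result and returning it when it is non-zero, before the range check runs.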
Index: squeeze/debian/patches/series
===================================================================
--- squeeze/debian/patches/series (revision 18458)
+++ squeeze/debian/patches/series (revision 19756)
@@ -1,3 +1,4 @@
# Series of quilt patches.
upstream_matching_fix.patch
netmask_generation.patch
+validate_port_number.patch