
Bug#782349: marked as done (unblock: libtasn1-6/4.2-3)



Your message dated Fri, 10 Apr 2015 19:28:57 +0100
with message-id <1428690537.14592.0.camel@adam-barratt.org.uk>
and subject line Re: Bug#782349: unblock: libtasn1-6/4.2-3
has caused the Debian Bug report #782349,
regarding unblock: libtasn1-6/4.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
782349: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782349
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libtasn1-6:
 * Pull 20_CVE-2015-2806.diff from upstream 4.4 release to correct a
   two-byte stack overflow in asn1_der_decoding. CVE-2015-2806.

I have tried to make a minimal upload but have accidentally pulled
another one-line change from experimental:
-Standards-Version: 3.9.6
+Standards-Version: 3.9.5

Please tell if that is a blocker for the unblock.

cu Andreas


Hope you do not mind too badly.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files only in first set of .debs, found in package libtasn1-6-dbg
-----------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/06/4a3407490e9ec4b4c0246698ab85d0f8111e57.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/35/08b98f822cd502a960ffae3675d10abc6087d2.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/42/b6f5a4d276910c06a73d9881f2265dd8230f99.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/ff/9340e6a5429f65e0975c78253cc14beb70d18e.debug

New files in second set of .debs, found in package libtasn1-6-dbg
-----------------------------------------------------------------
-rw-r--r--  root/root   /usr/lib/debug/.build-id/48/8079d17ff66d0d5f020bad8064461738a517f3.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/79/26cc1d28119e02941c706c0081d41583becec1.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/8f/137df2d7900897b4e1a8de1da1008d91d0adb7.debug
-rw-r--r--  root/root   /usr/lib/debug/.build-id/e7/38fc95f429961b5ad0df3a39ba7e9b0741df90.debug


Control files of package libtasn1-3-bin: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtasn1-bin (>= [-4.2-2)-] {+4.2-3)+}
Version: [-4.2-2-] {+4.2-3+}

Control files of package libtasn1-6: lines which differ (wdiff format)
----------------------------------------------------------------------
Version: [-4.2-2-] {+4.2-3+}

Control files of package libtasn1-6-dbg: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtasn1-6 (= [-4.2-2)-] {+4.2-3)+}
Version: [-4.2-2-] {+4.2-3+}

Control files of package libtasn1-6-dev: lines which differ (wdiff format)
--------------------------------------------------------------------------
Depends: libtasn1-6 (= [-4.2-2)-] {+4.2-3)+}
Recommends: libtasn1-doc (= [-4.2-2)-] {+4.2-3)+}
Version: [-4.2-2-] {+4.2-3+}

Control files of package libtasn1-bin: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.2-2-] {+4.2-3+}

Control files of package libtasn1-doc: lines which differ (wdiff format)
------------------------------------------------------------------------
Version: [-4.2-2-] {+4.2-3+}
diff -Nru libtasn1-6-4.2/debian/changelog libtasn1-6-4.2/debian/changelog
--- libtasn1-6-4.2/debian/changelog	2014-10-07 19:23:13.000000000 +0200
+++ libtasn1-6-4.2/debian/changelog	2015-04-04 08:04:36.000000000 +0200
@@ -1,3 +1,10 @@
+libtasn1-6 (4.2-3) unstable; urgency=medium
+
+  * Pull 20_CVE-2015-2806.diff from upstream 4.4 release to correct a
+    two-byte stack overflow in asn1_der_decoding. CVE-2015-2806.
+
+ -- Andreas Metzler <ametzler@debian.org>  Sat, 04 Apr 2015 08:04:32 +0200
+
 libtasn1-6 (4.2-2) unstable; urgency=medium
 
   * libtasn1-doc also needs to have a versioned Breaks/Replaces against
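Review bot: the 4.2-3 changelog entry lists only the CVE-2015-2806 patch, yet the same upload also changes Standards-Version from 3.9.6 to 3.9.5 in debian/control. Either revert that unrelated change so the upload really is the minimal fix this entry describes, or add a bullet for it so the changelog matches what was uploaded.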
diff -Nru libtasn1-6-4.2/debian/control libtasn1-6-4.2/debian/control
--- libtasn1-6-4.2/debian/control	2014-10-07 19:24:10.000000000 +0200
+++ libtasn1-6-4.2/debian/control	2015-04-04 08:01:37.000000000 +0200
@@ -4,7 +4,7 @@
 Uploaders: Andreas Metzler <ametzler@debian.org>, Eric Dorland <eric@debian.org>, James Westby <jw+debian@jameswestby.net>, Simon Josefsson <simon@josefsson.org>
 Build-Depends: debhelper (>= 9), bison,  autotools-dev
 Build-Depends-Indep: gtk-doc-tools, texinfo, texlive-latex-base
-Standards-Version: 3.9.6
+Standards-Version: 3.9.5
 Priority: standard
 Vcs-Git: git://anonscm.debian.org/pkg-gnutls/libtasn1.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-gnutls/libtasn1.git
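Review bot: Standards-Version goes backwards here (`-Standards-Version: 3.9.6` / `+Standards-Version: 3.9.5`), which is a regression rather than a fix and is not mentioned in the changelog; the cover mail says it was pulled in accidentally from experimental. It has no runtime effect, but for a freeze unblock the cleanest course is to drop this hunk and keep the upload limited to 20_CVE-2015-2806.diff.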
diff -Nru libtasn1-6-4.2/debian/patches/20_CVE-2015-2806.diff libtasn1-6-4.2/debian/patches/20_CVE-2015-2806.diff
--- libtasn1-6-4.2/debian/patches/20_CVE-2015-2806.diff	1970-01-01 01:00:00.000000000 +0100
+++ libtasn1-6-4.2/debian/patches/20_CVE-2015-2806.diff	2015-04-04 08:02:55.000000000 +0200
@@ -0,0 +1,56 @@
+From 4d4f992826a4962790ecd0cce6fbba4a415ce149 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Thu, 26 Mar 2015 18:34:57 +0100
+Subject: [PATCH] increased size of LTOSTR_MAX_SIZE to account for sign and
+ null byte
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This address an overflow found by Hanno Böck in DER decoding.
+---
+ lib/parser_aux.c | 4 ++--
+ lib/parser_aux.h | 5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/parser_aux.c b/lib/parser_aux.c
+index d3e9009..da9a388 100644
+--- a/lib/parser_aux.c
++++ b/lib/parser_aux.c
+@@ -543,7 +543,7 @@ _asn1_delete_list_and_nodes (void)
+ 
+ 
+ char *
+-_asn1_ltostr (long v, char *str)
++_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE])
+ {
+   long d, r;
+   char temp[LTOSTR_MAX_SIZE];
+@@ -567,7 +567,7 @@ _asn1_ltostr (long v, char *str)
+       count++;
+       v = d;
+     }
+-  while (v);
++  while (v && ((start+count) < LTOSTR_MAX_SIZE-1));
+ 
+   for (k = 0; k < count; k++)
+     str[k + start] = temp[start + count - k - 1];
+diff --git a/lib/parser_aux.h b/lib/parser_aux.h
+index 55d9061..437f1c8 100644
+--- a/lib/parser_aux.h
++++ b/lib/parser_aux.h
+@@ -52,8 +52,9 @@ void _asn1_delete_list (void);
+ 
+ void _asn1_delete_list_and_nodes (void);
+ 
+-#define LTOSTR_MAX_SIZE 20
+-char *_asn1_ltostr (long v, char *str);
++/* Max 64-bit integer length is 20 chars + 1 for sign + 1 for null termination */
++#define LTOSTR_MAX_SIZE 22
++char *_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE]);
+ 
+ asn1_node _asn1_find_up (asn1_node node);
+ 
+-- 
+2.1.4
+
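Review bot: the new loop condition `while (v && ((start+count) < LTOSTR_MAX_SIZE-1));` bounds the digit loop so that `temp` and `str` cannot be overrun and a byte stays free for the terminator, but the `char str[LTOSTR_MAX_SIZE]` parameter form is documentation only: in C it decays to `char *` and enforces nothing, so the fix is complete only if every caller of `_asn1_ltostr` passes a buffer of at least LTOSTR_MAX_SIZE (22) bytes, and those callers are not in this hunk and should be checked in the backport. The new header comment is also slightly off: a signed 64-bit `long` needs at most 19 digits plus the sign (20 digits is the unsigned maximum), so 22 is sufficient with a byte of margin, and the truncating bound can therefore never trigger for a `long`; if it ever did, the result would be silently truncated rather than reported, which is worth a comment.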
diff -Nru libtasn1-6-4.2/debian/patches/series libtasn1-6-4.2/debian/patches/series
--- libtasn1-6-4.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libtasn1-6-4.2/debian/patches/series	2015-04-04 08:03:09.000000000 +0200
@@ -0,0 +1 @@
+20_CVE-2015-2806.diff



--- End Message ---
--- Begin Message ---
On Fri, 2015-04-10 at 19:30 +0200, Andreas Metzler wrote:
> Please unblock package libtasn1-6:
>  * Pull 20_CVE-2015-2806.diff from upstream 4.4 release to correct a
>    two-byte stack overflow in asn1_der_decoding. CVE-2015-2806.

Unblocked, thanks.

Regards,

Adam

--- End Message ---