Package: release.debian.org
Severity: normal
Tags: jessie wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

pgbouncer has a remote crash problem. As discussed with the security people, the update isn't totally urgent, so I'm proposing this for a (old)stable update. Unstable is already fixed.

The diffs for wheezy/jessie are attached. I've uploaded the packages to DELAYED. If you give me a go, I'd reschedule them for immediate release.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
No differences were encountered between the control files diff -Nru pgbouncer-1.5.2/debian/changelog pgbouncer-1.5.2/debian/changelog --- pgbouncer-1.5.2/debian/changelog 2012-11-02 10:07:46.000000000 +0100 +++ pgbouncer-1.5.2/debian/changelog 2015-05-23 23:12:28.000000000 +0200 @@ -1,3 +1,11 @@ +pgbouncer (1.5.2-4+deb7u1) jessie; urgency=medium + + * Fix remote crash - invalid packet order causes lookup of NULL pointer. + Not exploitable, just DoS. (CVE-2015-4054) + Cherry-picked from upstream 1.5.5. + + -- Christoph Berg <myon@debian.org> Sat, 23 May 2015 22:58:29 +0200 + pgbouncer (1.5.2-4) unstable; urgency=medium * Cherry-pick from 1.5.3: Closes: #692103. diff -Nru pgbouncer-1.5.2/debian/patches/1.5.5.diff pgbouncer-1.5.2/debian/patches/1.5.5.diff --- pgbouncer-1.5.2/debian/patches/1.5.5.diff 1970-01-01 01:00:00.000000000 +0100 +++ pgbouncer-1.5.2/debian/patches/1.5.5.diff 2015-05-23 23:11:09.000000000 +0200 @@ -0,0 +1,23 @@ +From upstream 1.5.5: + + Fix remote crash - invalid packet order causes lookup of NULL pointer. + Not exploitable, just DoS. + +CVE-2015-4054 +http://www.openwall.com/lists/oss-security/2015/05/22/5 + +--- a/src/client.c ++++ b/src/client.c +@@ -262,6 +262,12 @@ static bool handle_client_startup(PgSock + } + break; + case 'p': /* PasswordMessage */ ++ /* too early */ ++ if (!client->auth_user) { ++ disconnect_client(client, true, "client password pkt before startup packet"); ++ return false; ++ } ++ + /* haven't requested it */ + if (cf_auth_type <= AUTH_TRUST) { + disconnect_client(client, true, "unrequested passwd pkt"); diff -Nru pgbouncer-1.5.2/debian/patches/series pgbouncer-1.5.2/debian/patches/series --- pgbouncer-1.5.2/debian/patches/series 2012-11-02 10:09:33.000000000 +0100 +++ pgbouncer-1.5.2/debian/patches/series 2015-05-23 23:11:09.000000000 +0200 @@ -1,2 +1,3 @@ 692103-long-db-name debian-config +1.5.5.diff
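Review bot: The debian/changelog hunk of this 1.5.2 debdiff targets the wrong distribution: the new entry is versioned 1.5.2-4+deb7u1 but its header reads "jessie; urgency=medium". A +deb7u1 upload belongs to wheezy, so the first line should read "pgbouncer (1.5.2-4+deb7u1) wheezy; urgency=medium". The trailer timestamp (Sat, 23 May 2015 22:58:29 +0200) is earlier than the 23:12:28 modification time shown for this changelog file, which suggests the stanza was prepared once and reused, so the distribution field is worth rechecking before the upload is rescheduled.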
No differences were encountered between the control files diff -Nru pgbouncer-1.5.4/debian/changelog pgbouncer-1.5.4/debian/changelog --- pgbouncer-1.5.4/debian/changelog 2014-07-16 16:49:50.000000000 +0200 +++ pgbouncer-1.5.4/debian/changelog 2015-05-23 23:00:42.000000000 +0200 @@ -1,3 +1,11 @@ +pgbouncer (1.5.4-6+deb8u1) jessie; urgency=medium + + * Fix remote crash - invalid packet order causes lookup of NULL pointer. + Not exploitable, just DoS. (CVE-2015-4054) + Cherry-picked from upstream 1.5.5. + + -- Christoph Berg <myon@debian.org> Sat, 23 May 2015 22:58:29 +0200 + pgbouncer (1.5.4-6) unstable; urgency=low * Fix duplicate install file which caused pgbouncer.ini to get lost. diff -Nru pgbouncer-1.5.4/debian/patches/1.5.5.diff pgbouncer-1.5.4/debian/patches/1.5.5.diff --- pgbouncer-1.5.4/debian/patches/1.5.5.diff 1970-01-01 01:00:00.000000000 +0100 +++ pgbouncer-1.5.4/debian/patches/1.5.5.diff 2015-05-23 23:03:18.000000000 +0200 @@ -0,0 +1,23 @@ +From upstream 1.5.5: + + Fix remote crash - invalid packet order causes lookup of NULL pointer. + Not exploitable, just DoS. + +CVE-2015-4054 +http://www.openwall.com/lists/oss-security/2015/05/22/5 + +--- a/src/client.c ++++ b/src/client.c +@@ -262,6 +262,12 @@ static bool handle_client_startup(PgSock + } + break; + case 'p': /* PasswordMessage */ ++ /* too early */ ++ if (!client->auth_user) { ++ disconnect_client(client, true, "client password pkt before startup packet"); ++ return false; ++ } ++ + /* haven't requested it */ + if (cf_auth_type <= AUTH_TRUST) { + disconnect_client(client, true, "unrequested passwd pkt"); diff -Nru pgbouncer-1.5.4/debian/patches/series pgbouncer-1.5.4/debian/patches/series --- pgbouncer-1.5.4/debian/patches/series 2013-05-24 04:25:12.000000000 +0200 +++ pgbouncer-1.5.4/debian/patches/series 2015-05-23 23:01:34.000000000 +0200 @@ -1 +1,2 @@ debian-config +1.5.5.diff
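Review bot: The header of debian/patches/1.5.5.diff identifies the fix only as "From upstream 1.5.5" plus the oss-security URL, with no upstream commit reference, and the file name says nothing about what the patch fixes. Naming the file after CVE-2015-4054 and adding an Origin line pointing at the upstream commit would make the cherry-pick auditable later. On the code itself, the new "if (!client->auth_user)" guard sits at the top of the 'p' (PasswordMessage) case in handle_client_startup, ahead of the existing "cf_auth_type <= AUTH_TRUST" check, so a password packet sent before the startup packet is rejected before anything else in that case runs; since the guard is added in that one case only, it is worth confirming against the full function that no other case reaches client->auth_user before the startup packet has set it.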