Package: release.debian.org
Severity: normal
Tags: jessie wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

pgbouncer has a remote crash problem. As discussed with the security people, the update isn't totally urgent, so I'm proposing this for a (old)stable update. Unstable is already fixed.

The diffs for wheezy/jessie are attached. I've uploaded the packages to DELAYED. If you give me a go, I'd reschedule them for immediate release.

Christoph
--
cb@df7cb.de | http://www.df7cb.de/

No differences were encountered between the control files
diff -Nru pgbouncer-1.5.2/debian/changelog pgbouncer-1.5.2/debian/changelog
--- pgbouncer-1.5.2/debian/changelog 2012-11-02 10:07:46.000000000 +0100
+++ pgbouncer-1.5.2/debian/changelog 2015-05-23 23:12:28.000000000 +0200
@@ -1,3 +1,11 @@
+pgbouncer (1.5.2-4+deb7u1) jessie; urgency=medium
+
+ * Fix remote crash - invalid packet order causes lookup of NULL pointer.
+ Not exploitable, just DoS. (CVE-2015-4054)
+ Cherry-picked from upstream 1.5.5.
+
+ -- Christoph Berg <myon@debian.org> Sat, 23 May 2015 22:58:29 +0200
+
pgbouncer (1.5.2-4) unstable; urgency=medium
* Cherry-pick from 1.5.3: Closes: #692103.
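Review bot: the distribution field on the first line of the new changelog entry reads "jessie", but the version 1.5.2-4+deb7u1 carries the wheezy (Debian 7) suffix and this debdiff is against the 1.5.2 source; the jessie upload is the separate 1.5.4-6+deb8u1 entry. The line should target wheezy, i.e. "pgbouncer (1.5.2-4+deb7u1) wheezy; urgency=medium", so the upload is not directed at the wrong suite.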
diff -Nru pgbouncer-1.5.2/debian/patches/1.5.5.diff pgbouncer-1.5.2/debian/patches/1.5.5.diff
--- pgbouncer-1.5.2/debian/patches/1.5.5.diff 1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.5.2/debian/patches/1.5.5.diff 2015-05-23 23:11:09.000000000 +0200
@@ -0,0 +1,23 @@
+From upstream 1.5.5:
+
+ Fix remote crash - invalid packet order causes lookup of NULL pointer.
+ Not exploitable, just DoS.
+
+CVE-2015-4054
+http://www.openwall.com/lists/oss-security/2015/05/22/5
+
+--- a/src/client.c
++++ b/src/client.c
+@@ -262,6 +262,12 @@ static bool handle_client_startup(PgSock
+ }
+ break;
+ case 'p': /* PasswordMessage */
++ /* too early */
++ if (!client->auth_user) {
++ disconnect_client(client, true, "client password pkt before startup packet");
++ return false;
++ }
++
+ /* haven't requested it */
+ if (cf_auth_type <= AUTH_TRUST) {
+ disconnect_client(client, true, "unrequested passwd pkt");
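Review bot: the new "if (!client->auth_user)" guard sits only in the "case 'p'" branch, and the rest of handle_client_startup is not visible in this hunk, so it is worth confirming that no other branch of the switch dereferences client->auth_user before the startup packet has set it. Placing the guard ahead of the "haven't requested it" check is the right order, since it rejects the early packet before any auth-type logic runs.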
diff -Nru pgbouncer-1.5.2/debian/patches/series pgbouncer-1.5.2/debian/patches/series
--- pgbouncer-1.5.2/debian/patches/series 2012-11-02 10:09:33.000000000 +0100
+++ pgbouncer-1.5.2/debian/patches/series 2015-05-23 23:11:09.000000000 +0200
@@ -1,2 +1,3 @@
692103-long-db-name
debian-config
+1.5.5.diff
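Review bot: the series entry "1.5.5.diff" reads as if the whole upstream 1.5.5 release were being imported, while the patch file shown above carries a single fix. A name such as CVE-2015-4054.diff would tell a later maintainer what the patch is for without opening it.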
No differences were encountered between the control files
diff -Nru pgbouncer-1.5.4/debian/changelog pgbouncer-1.5.4/debian/changelog
--- pgbouncer-1.5.4/debian/changelog 2014-07-16 16:49:50.000000000 +0200
+++ pgbouncer-1.5.4/debian/changelog 2015-05-23 23:00:42.000000000 +0200
@@ -1,3 +1,11 @@
+pgbouncer (1.5.4-6+deb8u1) jessie; urgency=medium
+
+ * Fix remote crash - invalid packet order causes lookup of NULL pointer.
+ Not exploitable, just DoS. (CVE-2015-4054)
+ Cherry-picked from upstream 1.5.5.
+
+ -- Christoph Berg <myon@debian.org> Sat, 23 May 2015 22:58:29 +0200
+
pgbouncer (1.5.4-6) unstable; urgency=low
* Fix duplicate install file which caused pgbouncer.ini to get lost.
diff -Nru pgbouncer-1.5.4/debian/patches/1.5.5.diff pgbouncer-1.5.4/debian/patches/1.5.5.diff
--- pgbouncer-1.5.4/debian/patches/1.5.5.diff 1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.5.4/debian/patches/1.5.5.diff 2015-05-23 23:03:18.000000000 +0200
@@ -0,0 +1,23 @@
+From upstream 1.5.5:
+
+ Fix remote crash - invalid packet order causes lookup of NULL pointer.
+ Not exploitable, just DoS.
+
+CVE-2015-4054
+http://www.openwall.com/lists/oss-security/2015/05/22/5
+
+--- a/src/client.c
++++ b/src/client.c
+@@ -262,6 +262,12 @@ static bool handle_client_startup(PgSock
+ }
+ break;
+ case 'p': /* PasswordMessage */
++ /* too early */
++ if (!client->auth_user) {
++ disconnect_client(client, true, "client password pkt before startup packet");
++ return false;
++ }
++
+ /* haven't requested it */
+ if (cf_auth_type <= AUTH_TRUST) {
+ disconnect_client(client, true, "unrequested passwd pkt");
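Review bot: the embedded hunk header "@@ -262,6 +262,12 @@" is identical to the one in the 1.5.2 debdiff, although the two source trees differ in version and in the patches applied before this one. It is worth checking that the patch applies to both without offset or fuzz and refreshing it per tree if not. The free-form header could also use DEP-3 fields (Description:, Origin: upstream), keeping the CVE id and the oss-security URL it already has.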
diff -Nru pgbouncer-1.5.4/debian/patches/series pgbouncer-1.5.4/debian/patches/series
--- pgbouncer-1.5.4/debian/patches/series 2013-05-24 04:25:12.000000000 +0200
+++ pgbouncer-1.5.4/debian/patches/series 2015-05-23 23:01:34.000000000 +0200
@@ -1 +1,2 @@
debian-config
+1.5.5.diff