
Bug#860058: marked as done (unblock: libnl3/3.2.27-2)



Your message dated Tue, 11 Apr 2017 14:16:00 +0000
with message-id <848eddd0-83cf-e2b5-3c43-b3f20aa3509b@thykier.net>
and subject line Re: Bug#860058: unblock: libnl3/3.2.27-2
has caused the Debian Bug report #860058,
regarding unblock: libnl3/3.2.27-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860058
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libnl3

In CVE-2017-0553 a possible (but moderate) security issue was found
which resulted in bug #859948 against the Debian libnl3 package.

The 3.2.27-2 fixes this (and only this) issue.

debdiff:
diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog
--- libnl3-3.2.27/debian/changelog      2016-01-24 23:54:53.000000000 +0100
+++ libnl3-3.2.27/debian/changelog      2017-04-10 11:48:23.000000000 +0200
@@ -1,3 +1,9 @@
+libnl3 (3.2.27-2) unstable; urgency=low
+
+  * Add upstream fix for CVE-2017-0553 (Closes: #859948)
+
+ -- Heiko Stuebner <mmind@debian.org>  Mon, 10 Apr 2017 11:48:23 +0200
+
 libnl3 (3.2.27-1) unstable; urgency=low

   * New upstream release
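
Review bot: The new 3.2.27-2 entry keeps urgency=low although its only change closes CVE-2017-0553; consider raising the urgency for a security fix, and name the added file (debian/patches/debian/nlmsg_reserve-overflow.patch) in the entry so the changelog says which patch carries the fix.
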
diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
--- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
1970-01-01 01:00:00.000000000 +0100
+++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
2017-04-10 10:55:21.000000000 +0200
@@ -0,0 +1,38 @@
+From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 6 Feb 2017 22:23:52 +0100
+Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
+
+In general, libnl functions are not robust against calling with
+invalid arguments. Thus, never call libnl functions with invalid
+arguments. In case of nlmsg_reserve() this means never provide
+a @len argument that causes overflow.
+
+Still, add an additional safeguard to avoid exploiting such bugs.
+
+Assume that @pad is a trusted, small integer.
+Assume that n->nm_size is a valid number of allocated bytes (and thus
+much smaller then SIZE_T_MAX).
+Assume, that @len may be set to an untrusted value. Then the patch
+avoids an integer overflow resulting in reserving too few bytes.
+---
+ lib/msg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/msg.c b/lib/msg.c
+index 9af3f3a..3e27d4e 100644
+--- a/lib/msg.c
++++ b/lib/msg.c
+@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
+       size_t nlmsg_len = n->nm_nlh->nlmsg_len;
+       size_t tlen;
+
++      if (len > n->nm_size)
++              return NULL;
++
+       tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
+
+       if ((tlen + nlmsg_len) > n->nm_size)
+--
+2.9.3
+
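
Review bot: The added "if (len > n->nm_size) return NULL;" guard in nlmsg_reserve() bounds only len, so the later "len + (pad - 1)" and "tlen + nlmsg_len" stay free of wrap-around only under the assumptions given in the commit message (pad is a small trusted integer, n->nm_size is far below SIZE_T_MAX), and lib/msg.c itself records none of them. Suggest a short comment above the check stating those assumptions. Since pad is declared as int, also consider rejecting pad < 0 at the same place, so that "~(pad - 1)" is never computed from a negative value and tlen cannot come out smaller than len.
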
diff -Nru libnl3-3.2.27/debian/patches/series
libnl3-3.2.27/debian/patches/series
--- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.000000000 +0100
+++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.000000000 +0200
@@ -3,3 +3,4 @@
 debian/no-symvers.diff -p1
 debian/__nl_cache_ops_lookup-unstatic.diff -p1
 debian/_nl_socket_generate_local_port_no_release.diff -p1
+debian/nlmsg_reserve-overflow.patch -p1


unblock libnl3/3.2.27-2

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

--- End Message ---
--- Begin Message ---
Cyril Brulebois:
> Niels Thykier <niels@thykier.net> (2017-04-11):
>> Heiko Stuebner:
>>> Please unblock package libnl3
>>>
>>> In CVE-2017-0553 a possible (but moderate) security issue was found
>>> which resulted in bug #859948 against the Debian libnl3 package.
>>>
>>> The 3.2.27-2 fixes this (and only this) issue.
>>>
>>
>> Ack from here, CC'ing KiBi for a d-i ack (and keeping the debdiff for
>> his sake).
> 
> No objections, thanks.
> 
> 
> KiBi.
> 

Unblocked, thanks.

~Niels

--- End Message ---
