
Bug#860265: (pre-approval) unblock: apt-cacher-ng/2-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please approve the upload of a new version of apt-cacher-ng. See #860243
for details. A minimum viable patch is included below.

This is made under protest because I still consider the "reasons" for
rejecting #860243 specious and unfair. But anyhow, this changeset should
do the job for a (short) while.

unblock apt-cacher-ng/2-2

diff -Nru apt-cacher-ng-2/debian/changelog apt-cacher-ng-2/debian/changelog
--- apt-cacher-ng-2/debian/changelog	2016-11-22 21:39:43.000000000 +0100
+++ apt-cacher-ng-2/debian/changelog	2017-04-13 18:11:17.000000000 +0200
@@ -1,3 +1,17 @@
+apt-cacher-ng (2-2) testing; urgency=high
+
+  * Special version only for Debian Stretch, solving moderate security issues:
+    + hardening against HTTP header splitting attack (no user input printed in
+      the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+    + hardening against unintended or malicious triggering of hidden space
+      allocation, by disabling the fallocate completely. This is ultima ratio,
+      trading code simplicity for fragmentation avoiding efforts; a smarter
+      solution is found in upstream version 3; closes: #856635)
+    + handle a corner case of bad TLS handshake with invalid certificate
+      (related to #839751)
+
+ -- Eduard Bloch <blade@debian.org>  Thu, 13 Apr 2017 18:11:17 +0200
+
 apt-cacher-ng (2-1) unstable; urgency=low
 
   * New upstream version
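Review bot: the fallocate item in the changelog entry has an unbalanced parenthesis ("... a smarter solution is found in upstream version 3; closes: #856635)"); either drop the trailing `)` or open one before "closes". The same text is copied verbatim into debian/patches/debian-changes further down, so fix it in both places. The customary spelling of the bug-closing keyword is `Closes: #856635`.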
diff -Nru apt-cacher-ng-2/debian/patches/debian-changes apt-cacher-ng-2/debian/patches/debian-changes
--- apt-cacher-ng-2/debian/patches/debian-changes	1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-2/debian/patches/debian-changes	2017-04-13 18:11:17.000000000 +0200
@@ -0,0 +1,81 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ apt-cacher-ng (2-2) testing; urgency=high
+ .
+   * Special version only for Debian Stretch, solving moderate security issues:
+     + hardening against HTTP header splitting attack (no user input printed in
+       the HTTP headers anymore; backport from Sid, related to CVE-2017-7443)
+     + hardening against unintended or malicious triggering of hidden space
+       allocation, by disabling the fallocate completely. This is ultima ratio,
+       trading code simplicity for fragmentation avoiding efforts; a smarter
+       solution is found in upstream version 3; closes: #856635)
+     + handle a corner case of bad TLS handshake with invalid certificate
+       (related to #839751)
+Author: Eduard Bloch <blade@debian.org>
+Bug-Debian: https://bugs.debian.org/856635
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2017-04-13
+
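Review bot: the DEP-3 header is the unedited dpkg-source template: `Description: <short summary of the patch>` and the `TODO: Put a short summary on the line above ...` paragraph are still in place, and the template block after `---` (the Origin/Bug/Forwarded/Reviewed-By placeholders) ships inside the patch file. Replace the placeholder with a one-line description, keep the three changelog bullets as the long description, delete the TODO paragraph and the template block, and since this is a stable-only backport consider `Forwarded: not-needed` with a note that upstream 3.x already carries the fallocate fix. Bundling three unrelated fixes (header splitting, fallocate, TLS) into one `debian-changes` file also makes review and later rebasing harder; three separate entries in `series`, one per issue (CVE-2017-7443, #856635, #839751), would be easier to track.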
+--- apt-cacher-ng-2.orig/source/fileio.cc
++++ apt-cacher-ng-2/source/fileio.cc
+@@ -17,7 +17,7 @@ using namespace std;
+ namespace acng
+ {
+ 
+-#ifdef HAVE_LINUX_FALLOCATE
++#ifdef DISABLED_FOR_NOW
+ 
+ int falloc_helper(int fd, off_t start, off_t len)
+ {
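Review bot: renaming the guard from `HAVE_LINUX_FALLOCATE` to `DISABLED_FOR_NOW` compiles `falloc_helper` out without saying why; a one-line comment referencing #856635 next to the `#ifdef` would tell the next reader that the branch is intentionally dead rather than a build-system leftover. It is also worth confirming in the rest of fileio.cc (not in the hunk) that the fallback branch of `falloc_helper` is what now gets built and that nothing else in the tree still keys on `HAVE_LINUX_FALLOCATE`.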
+--- apt-cacher-ng-2.orig/source/job.cc
++++ apt-cacher-ng-2/source/job.cc
+@@ -712,9 +712,7 @@ report_overload:
+     return ;
+ 
+ report_notallowed:
+-	SetErrorResponse((tSS() << "403 Forbidden file type or location: " << sReqPath).c_str(),
+-			nullptr, "403 Forbidden file type or location");
+-//    USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN");
++	SetErrorResponse("403 Forbidden file type or location");
+     return ;
+ 
+ report_offlineconf:
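Review bot: dropping `sReqPath` from the 403 status line is the right fix for the header-splitting issue, since that string is request-controlled and was going straight into the response header; the remaining `SetErrorResponse("403 Forbidden file type or location")` carries only a constant. Two follow-ups: the commented-out `USRDBG( sRawUriPath + " -- ACCESS FORBIDDEN")` line was the only trace of which path was refused, so operators lose that diagnostic; logging the path through the normal log output (never the header) would keep it. And the other `report_*` labels in this function (`report_overload` and `report_offlineconf` are visible as context) should be checked for the same pattern, which this hunk does not cover.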
+--- apt-cacher-ng-2.orig/source/tcpconnect.cc
++++ apt-cacher-ng-2/source/tcpconnect.cc
+@@ -585,11 +585,19 @@ bool tcpconnect::SSLinit(mstring &sErr,
+ 	if(!cfg::nsafriendly)
+ 	{
+ 		hret=SSL_get_verify_result(ssl);
+-		if( hret != X509_V_OK)
++		if(hret != X509_V_OK)
+ 		{
+ 			perr=X509_verify_cert_error_string(hret);
+ 			goto ssl_init_fail;
+ 		}
++		auto server_cert = SSL_get_peer_certificate(ssl);
++		if(server_cert)
++			X509_free(server_cert);
++		else
++		{
++			perr="Incompatible remote certificate";
++			goto ssl_init_fail;
++		}
+ 	}
+ 
+ 	return true;
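Review bot: the new `SSL_get_peer_certificate` check is correct as far as it goes: the call returns a new reference, so the immediate `X509_free` on success is right, and a NULL result after `SSL_get_verify_result` returned `X509_V_OK` (which OpenSSL documents as the result when no certificate was presented at all) is now treated as a failure instead of being accepted. Note that the check sits inside `if(!cfg::nsafriendly)`, so with that option set a peer that presents no certificate still passes; if that is intended, say so in the changelog. The `if( hret` to `if(hret` whitespace change is unrelated noise in a minimal freeze patch and only makes the diff larger.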
diff -Nru apt-cacher-ng-2/debian/patches/series apt-cacher-ng-2/debian/patches/series
--- apt-cacher-ng-2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ apt-cacher-ng-2/debian/patches/series	2017-04-13 18:11:17.000000000 +0200
@@ -0,0 +1 @@
+debian-changes
