
Bug#864152: unblock: msgpuck/1.0.3-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package msgpuck

It fixes CVE-2016-9036 (Invalid handling of map16 format in
mp_check()), which is #849212.

unblock msgpuck/1.0.3-1.1

Full debdiff against version in testing attached.

Regards,
Salvatore
diff -Nru msgpuck-1.0.3/debian/changelog msgpuck-1.0.3/debian/changelog
--- msgpuck-1.0.3/debian/changelog	2016-08-09 21:14:15.000000000 +0200
+++ msgpuck-1.0.3/debian/changelog	2017-06-04 12:49:08.000000000 +0200
@@ -1,3 +1,10 @@
+msgpuck (1.0.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-9036 (Closes: #849212)
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Sun, 04 Jun 2017 12:49:08 +0200
+
 msgpuck (1.0.3-1) unstable; urgency=medium
 
   * Fix GCC 6.0 and Doxygen warnings
diff -Nru msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch
--- msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch	1970-01-01 01:00:00.000000000 +0100
+++ msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch	2017-06-04 12:49:05.000000000 +0200
@@ -0,0 +1,186 @@
+From d2c366e27eea4a5a24c6ec36ffcc4f4fd5b361ac Mon Sep 17 00:00:00 2001
+From: Roman Tsisyk <roman@tsisyk.com>
+Date: Thu, 15 Dec 2016 19:28:23 +0300
+Subject: [PATCH] Fix handling of map16 format in mp_check()
+
+Fixes TALOS-2016-0254
+Fixes CVE-2016-9036
+Fixes #12
+
+[adjusted for 1.0.3]
+--- msgpuck-1.0.3.orig/msgpuck.h
++++ msgpuck-1.0.3/msgpuck.h
+@@ -1940,7 +1940,7 @@ mp_check(const char **data, const char *
+ 		case MP_HINT_MAP_16:
+ 			/* MP_MAP (16) */
+ 			if (mp_unlikely(*data + sizeof(uint16_t) > end))
+-				return false;
++				return 1;
+ 			k += 2 * mp_load_u16(data);
+ 			break;
+ 		case MP_HINT_MAP_32:
+--- msgpuck-1.0.3.orig/test/msgpuck.c
++++ msgpuck-1.0.3/test/msgpuck.c
+@@ -771,9 +771,153 @@ test_mp_print()
+ 	return check_plan();
+ }
+ 
++int
++test_mp_check()
++{
++	plan(65);
++	header();
++
++#define invalid(data, fmt, ...) ({ \
++	const char *p = data; \
++	isnt(mp_check(&p, p + sizeof(data) - 1), 0, fmt, ## __VA_ARGS__); \
++});
++
++	/* fixmap */
++	invalid("\x81", "invalid fixmap 1");
++	invalid("\x81\x01", "invalid fixmap 2");
++	invalid("\x8f\x01", "invalid fixmap 3");
++
++	/* fixarray */
++	invalid("\x91", "invalid fixarray 1");
++	invalid("\x92\x01", "invalid fixarray 2");
++	invalid("\x9f\x01", "invalid fixarray 3");
++
++	/* fixstr */
++	invalid("\xa1", "invalid fixstr 1");
++	invalid("\xa2\x00", "invalid fixstr 2");
++	invalid("\xbf\x00", "invalid fixstr 3");
++
++	/* bin8 */
++	invalid("\xc4", "invalid bin8 1");
++	invalid("\xc4\x01", "invalid bin8 2");
++
++	/* bin16 */
++	invalid("\xc5", "invalid bin16 1");
++	invalid("\xc5\x00\x01", "invalid bin16 2");
++
++	/* bin32 */
++	invalid("\xc6", "invalid bin32 1");
++	invalid("\xc6\x00\x00\x00\x01", "invalid bin32 2");
++
++	/* ext8 */
++	invalid("\xc7", "invalid ext8 1");
++	invalid("\xc7\x00", "invalid ext8 2");
++	invalid("\xc7\x01\xff", "invalid ext8 3");
++	invalid("\xc7\x02\xff\x00", "invalid ext8 4");
++
++	/* ext16 */
++	invalid("\xc8", "invalid ext16 1");
++	invalid("\xc8\x00\x00", "invalid ext16 2");
++	invalid("\xc8\x00\x01\xff", "invalid ext16 3");
++	invalid("\xc8\x00\x02\xff\x00", "invalid ext16 4");
++
++	/* ext32 */
++	invalid("\xc9", "invalid ext32 1");
++	invalid("\xc9\x00\x00\x00\x00", "invalid ext32 2");
++	invalid("\xc9\x00\x00\x00\x01\xff", "invalid ext32 3");
++	invalid("\xc9\x00\x00\x00\x02\xff\x00", "invalid ext32 4");
++
++	/* float32 */
++	invalid("\xca", "invalid float32 1");
++	invalid("\xca\x00\x00\x00", "invalid float32 2");
++
++	/* float64 */
++	invalid("\xcb", "invalid float64 1");
++	invalid("\xcb\x00\x00\x00\x00\x00\x00\x00", "invalid float64 2");
++
++	/* uint8 */
++	invalid("\xcc", "invalid uint8 1");
++
++	/* uint16 */
++	invalid("\xcd\x00", "invalid uint16 1");
++
++	/* uint32 */
++	invalid("\xce\x00\x00\x00", "invalid uint32 1");
++
++	/* uint64 */
++	invalid("\xcf\x00\x00\x00\x00\x00\x00\x00", "invalid uint64 1");
++
++	/* int8 */
++	invalid("\xd0", "invalid int8 1");
++
++	/* int16 */
++	invalid("\xd1\x00", "invalid int16 1");
++
++	/* int32 */
++	invalid("\xd2\x00\x00\x00", "invalid int32 1");
++
++	/* int64 */
++	invalid("\xd3\x00\x00\x00\x00\x00\x00\x00", "invalid int64 1");
++
++	/* fixext8 */
++	invalid("\xd4", "invalid fixext8 1");
++	invalid("\xd4\x05", "invalid fixext8 2");
++
++	/* fixext16 */
++	invalid("\xd5", "invalid fixext16 1");
++	invalid("\xd5\x05\x05", "invalid fixext16 2");
++
++	/* fixext32 */
++	invalid("\xd6", "invalid fixext32 1");
++	invalid("\xd6\x00\x00\x05\x05", "invalid fixext32 2");
++
++	/* fixext64 */
++	invalid("\xd7", "invalid fixext64 1");
++	invalid("\xd7\x00\x00\x00\x00\x00\x00\x05\x05", "invalid fixext64 2");
++
++	/* fixext128 */
++	invalid("\xd8", "invalid fixext128 1");
++	invalid("\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
++		"\x00\x05\x05", "invalid fixext128 2");
++
++	/* str8 */
++	invalid("\xd9", "invalid str8 1");
++	invalid("\xd9\x01", "invalid str8 2");
++
++	/* str16 */
++	invalid("\xda", "invalid str16 1");
++	invalid("\xda\x00\x01", "invalid str16 2");
++
++	/* str32 */
++	invalid("\xdb", "invalid str32 1");
++	invalid("\xdb\x00\x00\x00\x01", "invalid str32 2");
++
++	/* array16 */
++	invalid("\xdc", "invalid array16 1");
++	invalid("\xdc\x00\x01", "invalid array16 2");
++
++	/* array32 */
++	invalid("\xdd", "invalid array32 1");
++	invalid("\xdd\x00\x00\x00\x01", "invalid array32 2");
++
++	/* map16 */
++	invalid("\xde", "invalid map16 1");
++	invalid("\xde\x00\x01", "invalid map16 2");
++	invalid("\xde\x00\x01\x5", "invalid map16 2");
++
++	/* map32 */
++	invalid("\xdf", "invalid map32 1");
++	invalid("\xdf\x00\x00\x00\x01", "invalid map32 2");
++	invalid("\xdf\x00\x00\x00\x01\x5", "invalid map32 3");
++
++	footer();
++
++	return check_plan();
++}
++
+ int main()
+ {
+-	plan(17);
++	plan(18);
+ 
+ 	test_uints();
+ 	test_ints();
+@@ -792,6 +936,7 @@ int main()
+ 	test_compare_uints();
+ 	test_format();
+ 	test_mp_print();
++	test_mp_check();
+ 
+ 	return check_plan();
+ }
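Review bot: In the `MP_HINT_MAP_16` case of `mp_check()`, the guard `*data + sizeof(uint16_t) > end` still computes a pointer beyond `end` before comparing, which is undefined in C when `end` is the true end of the buffer and fewer than two bytes remain. Comparing the remaining length instead, `if (mp_unlikely((size_t)(end - *data) < sizeof(uint16_t)))`, rejects the same inputs without that dependence, assuming `*data <= end` holds here, which the hunk does not show. The added test treats any non-zero result as "invalid", so the old `return false` reported a truncated header as valid; a comment at the return such as `/* non-zero = reject: truncated map16 header */` would keep that convention visible. In `test_mp_check()` the case `"\xde\x00\x01\x5"` reuses the label "invalid map16 2" and should read `"invalid map16 3"` so a failure points at the right input. The body of `mp_check()` starts and ends outside the nested hunk.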
diff -Nru msgpuck-1.0.3/debian/patches/series msgpuck-1.0.3/debian/patches/series
--- msgpuck-1.0.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ msgpuck-1.0.3/debian/patches/series	2017-06-04 12:49:05.000000000 +0200
@@ -0,0 +1 @@
+CVE-2016-9036.patch
