
Bug#864152: marked as done (unblock: msgpuck/1.0.3-1.1)



Your message dated Sun, 4 Jun 2017 16:11:05 +0100
with message-id <20170604151105.sygj4izgm2bxouvm@powdarrmonkey.net>
and subject line Re: Bug#864152: unblock: msgpuck/1.0.3-1.1
has caused the Debian Bug report #864152,
regarding unblock: msgpuck/1.0.3-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
864152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864152
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package msgpuck

It fixes CVE-2016-9036 (Invalid handling of map16 format in
mp_check()), which is #849212.

unblock msgpuck/1.0.3-1.1

Full debdiff against version in testing attached.

Regards,
Salvatore
diff -Nru msgpuck-1.0.3/debian/changelog msgpuck-1.0.3/debian/changelog
--- msgpuck-1.0.3/debian/changelog	2016-08-09 21:14:15.000000000 +0200
+++ msgpuck-1.0.3/debian/changelog	2017-06-04 12:49:08.000000000 +0200
@@ -1,3 +1,10 @@
+msgpuck (1.0.3-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-9036 (Closes: #849212)
+
+ -- Moritz Muehlenhoff <jmm@debian.org>  Sun, 04 Jun 2017 12:49:08 +0200
+
 msgpuck (1.0.3-1) unstable; urgency=medium
 
   * Fix GCC 6.0 and Doxygen warnings
diff -Nru msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch
--- msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch	1970-01-01 01:00:00.000000000 +0100
+++ msgpuck-1.0.3/debian/patches/CVE-2016-9036.patch	2017-06-04 12:49:05.000000000 +0200
@@ -0,0 +1,186 @@
+From d2c366e27eea4a5a24c6ec36ffcc4f4fd5b361ac Mon Sep 17 00:00:00 2001
+From: Roman Tsisyk <roman@tsisyk.com>
+Date: Thu, 15 Dec 2016 19:28:23 +0300
+Subject: [PATCH] Fix handling of map16 format in mp_check()
+
+Fixes TALOS-2016-0254
+Fixes CVE-2016-9036
+Fixes #12
+
+[adjusted for 1.0.3]
+--- msgpuck-1.0.3.orig/msgpuck.h
++++ msgpuck-1.0.3/msgpuck.h
+@@ -1940,7 +1940,7 @@ mp_check(const char **data, const char *
+ 		case MP_HINT_MAP_16:
+ 			/* MP_MAP (16) */
+ 			if (mp_unlikely(*data + sizeof(uint16_t) > end))
+-				return false;
++				return 1;
+ 			k += 2 * mp_load_u16(data);
+ 			break;
+ 		case MP_HINT_MAP_32:
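Review bot: The bounds test kept on the context line, `*data + sizeof(uint16_t) > end`, computes a pointer beyond `end` whenever fewer than two bytes remain, which is undefined behaviour in C; comparing the remaining length avoids that: `if (mp_unlikely((size_t)(end - *data) < sizeof(uint16_t)))`, assuming `*data <= end` holds on entry to the case. The corrected `return 1;` is consistent with the `isnt(mp_check(...), 0, ...)` assertions added in test/msgpuck.c, which treat non-zero as "invalid". A one-line comment such as `/* truncated map16 length: non-zero means invalid */` would make that int convention visible and help stop a boolean from creeping back in. mp_check begins and ends outside this hunk, so whether the other cases use the same comparison form and return value cannot be confirmed from here.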
+--- msgpuck-1.0.3.orig/test/msgpuck.c
++++ msgpuck-1.0.3/test/msgpuck.c
+@@ -771,9 +771,153 @@ test_mp_print()
+ 	return check_plan();
+ }
+ 
++int
++test_mp_check()
++{
++	plan(65);
++	header();
++
++#define invalid(data, fmt, ...) ({ \
++	const char *p = data; \
++	isnt(mp_check(&p, p + sizeof(data) - 1), 0, fmt, ## __VA_ARGS__); \
++});
++
++	/* fixmap */
++	invalid("\x81", "invalid fixmap 1");
++	invalid("\x81\x01", "invalid fixmap 2");
++	invalid("\x8f\x01", "invalid fixmap 3");
++
++	/* fixarray */
++	invalid("\x91", "invalid fixarray 1");
++	invalid("\x92\x01", "invalid fixarray 2");
++	invalid("\x9f\x01", "invalid fixarray 3");
++
++	/* fixstr */
++	invalid("\xa1", "invalid fixstr 1");
++	invalid("\xa2\x00", "invalid fixstr 2");
++	invalid("\xbf\x00", "invalid fixstr 3");
++
++	/* bin8 */
++	invalid("\xc4", "invalid bin8 1");
++	invalid("\xc4\x01", "invalid bin8 2");
++
++	/* bin16 */
++	invalid("\xc5", "invalid bin16 1");
++	invalid("\xc5\x00\x01", "invalid bin16 2");
++
++	/* bin32 */
++	invalid("\xc6", "invalid bin32 1");
++	invalid("\xc6\x00\x00\x00\x01", "invalid bin32 2");
++
++	/* ext8 */
++	invalid("\xc7", "invalid ext8 1");
++	invalid("\xc7\x00", "invalid ext8 2");
++	invalid("\xc7\x01\xff", "invalid ext8 3");
++	invalid("\xc7\x02\xff\x00", "invalid ext8 4");
++
++	/* ext16 */
++	invalid("\xc8", "invalid ext16 1");
++	invalid("\xc8\x00\x00", "invalid ext16 2");
++	invalid("\xc8\x00\x01\xff", "invalid ext16 3");
++	invalid("\xc8\x00\x02\xff\x00", "invalid ext16 4");
++
++	/* ext32 */
++	invalid("\xc9", "invalid ext32 1");
++	invalid("\xc9\x00\x00\x00\x00", "invalid ext32 2");
++	invalid("\xc9\x00\x00\x00\x01\xff", "invalid ext32 3");
++	invalid("\xc9\x00\x00\x00\x02\xff\x00", "invalid ext32 4");
++
++	/* float32 */
++	invalid("\xca", "invalid float32 1");
++	invalid("\xca\x00\x00\x00", "invalid float32 2");
++
++	/* float64 */
++	invalid("\xcb", "invalid float64 1");
++	invalid("\xcb\x00\x00\x00\x00\x00\x00\x00", "invalid float64 2");
++
++	/* uint8 */
++	invalid("\xcc", "invalid uint8 1");
++
++	/* uint16 */
++	invalid("\xcd\x00", "invalid uint16 1");
++
++	/* uint32 */
++	invalid("\xce\x00\x00\x00", "invalid uint32 1");
++
++	/* uint64 */
++	invalid("\xcf\x00\x00\x00\x00\x00\x00\x00", "invalid uint64 1");
++
++	/* int8 */
++	invalid("\xd0", "invalid int8 1");
++
++	/* int16 */
++	invalid("\xd1\x00", "invalid int16 1");
++
++	/* int32 */
++	invalid("\xd2\x00\x00\x00", "invalid int32 1");
++
++	/* int64 */
++	invalid("\xd3\x00\x00\x00\x00\x00\x00\x00", "invalid int64 1");
++
++	/* fixext8 */
++	invalid("\xd4", "invalid fixext8 1");
++	invalid("\xd4\x05", "invalid fixext8 2");
++
++	/* fixext16 */
++	invalid("\xd5", "invalid fixext16 1");
++	invalid("\xd5\x05\x05", "invalid fixext16 2");
++
++	/* fixext32 */
++	invalid("\xd6", "invalid fixext32 1");
++	invalid("\xd6\x00\x00\x05\x05", "invalid fixext32 2");
++
++	/* fixext64 */
++	invalid("\xd7", "invalid fixext64 1");
++	invalid("\xd7\x00\x00\x00\x00\x00\x00\x05\x05", "invalid fixext64 2");
++
++	/* fixext128 */
++	invalid("\xd8", "invalid fixext128 1");
++	invalid("\xd8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
++		"\x00\x05\x05", "invalid fixext128 2");
++
++	/* str8 */
++	invalid("\xd9", "invalid str8 1");
++	invalid("\xd9\x01", "invalid str8 2");
++
++	/* str16 */
++	invalid("\xda", "invalid str16 1");
++	invalid("\xda\x00\x01", "invalid str16 2");
++
++	/* str32 */
++	invalid("\xdb", "invalid str32 1");
++	invalid("\xdb\x00\x00\x00\x01", "invalid str32 2");
++
++	/* array16 */
++	invalid("\xdc", "invalid array16 1");
++	invalid("\xdc\x00\x01", "invalid array16 2");
++
++	/* array32 */
++	invalid("\xdd", "invalid array32 1");
++	invalid("\xdd\x00\x00\x00\x01", "invalid array32 2");
++
++	/* map16 */
++	invalid("\xde", "invalid map16 1");
++	invalid("\xde\x00\x01", "invalid map16 2");
++	invalid("\xde\x00\x01\x5", "invalid map16 2");
++
++	/* map32 */
++	invalid("\xdf", "invalid map32 1");
++	invalid("\xdf\x00\x00\x00\x01", "invalid map32 2");
++	invalid("\xdf\x00\x00\x00\x01\x5", "invalid map32 3");
++
++	footer();
++
++	return check_plan();
++}
++
+ int main()
+ {
+-	plan(17);
++	plan(18);
+ 
+ 	test_uints();
+ 	test_ints();
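Review bot: The third map16 case, `invalid("\xde\x00\x01\x5", "invalid map16 2");`, repeats the label of the case before it, so a failure in the test output cannot be tied to one input; it should read `"invalid map16 3"`, as the map32 group does. The `invalid` macro is defined inside test_mp_check, ends in a stray `;` after the statement expression, and is never undefined; closing it with `})` and adding `#undef invalid` before `footer();` keeps it out of main and later tests. Its `sizeof(data) - 1` length only works for string literals, which deserves a comment on the macro. Every case is a truncated input, so one well-formed map16 that mp_check accepts (returns 0) would show the validator still passes valid data after the fix. The `plan(65)` count does match the 65 `invalid` calls.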
+@@ -792,6 +936,7 @@ int main()
+ 	test_compare_uints();
+ 	test_format();
+ 	test_mp_print();
++	test_mp_check();
+ 
+ 	return check_plan();
+ }
diff -Nru msgpuck-1.0.3/debian/patches/series msgpuck-1.0.3/debian/patches/series
--- msgpuck-1.0.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ msgpuck-1.0.3/debian/patches/series	2017-06-04 12:49:05.000000000 +0200
@@ -0,0 +1 @@
+CVE-2016-9036.patch

--- End Message ---
--- Begin Message ---
On Sun, Jun 04, 2017 at 03:16:18PM +0200, Salvatore Bonaccorso wrote:
> Please unblock package msgpuck
> 
> It fixes CVE-2016-9036 (Invalid handling of map16 format in
> mp_check()), which is #849212.

Already unblocked by Niels.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
