Bug#866332: stretch-pu: package c-ares/1.12.0-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
recently a buffer overlow in c-ares has been fixed and the Security Team
asked me to prepare an upload to stretch (see #865360).
Attached you'll find the debdiff.
Thanks,
Gregor
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru c-ares-1.12.0/debian/changelog c-ares-1.12.0/debian/changelog
--- c-ares-1.12.0/debian/changelog 2016-09-29 18:19:09.000000000 +0200
+++ c-ares-1.12.0/debian/changelog 2017-06-26 22:00:03.000000000 +0200
@@ -1,3 +1,9 @@
+c-ares (1.12.0-1+deb9u1) stretch; urgency=medium
+
+ * Add patch for CVE-2017-1000381 (Closes: #865360)
+
+ -- Gregor Jasny <gjasny@googlemail.com> Mon, 26 Jun 2017 22:00:03 +0200
+
c-ares (1.12.0-1) unstable; urgency=high
[ Daniel Stenberg ]
diff -Nru c-ares-1.12.0/debian/gbp.conf c-ares-1.12.0/debian/gbp.conf
--- c-ares-1.12.0/debian/gbp.conf 2016-02-12 22:09:13.000000000 +0100
+++ c-ares-1.12.0/debian/gbp.conf 2017-06-26 22:00:03.000000000 +0200
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-branch = upstream
-debian-branch = master
+debian-branch = stretch
upstream-tag = upstream/%(version)s
debian-tag = debian/%(version)s
pristine-tar = True
diff -Nru c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff
--- c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff 1970-01-01 01:00:00.000000000 +0100
+++ c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff 2017-06-26 22:00:03.000000000 +0200
@@ -0,0 +1,30 @@
+Origin: upstream, e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116
+From: David Drysdale <drysdale@google.com>
+Date: Mon, 22 May 2017 10:54:10 +0100
+Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data
+Bug-Debian: http://bugs.debian.org/865360
+
+Check that there is enough data for the required elements
+of an NAPTR record (2 int16, 3 bytes for string lengths)
+before processing a record.
+
+--- a/ares_parse_naptr_reply.c
++++ b/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@
+ status = ARES_EBADRESP;
+ break;
+ }
++ /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++ if (rr_len < 7)
++ {
++ status = ARES_EBADRESP;
++ break;
++ }
+
+ /* Check if we are really looking at a NAPTR record */
+ if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@
+
+ return ARES_SUCCESS;
+ }
+-
diff -Nru c-ares-1.12.0/debian/patches/series c-ares-1.12.0/debian/patches/series
--- c-ares-1.12.0/debian/patches/series 2016-02-12 22:09:13.000000000 +0100
+++ c-ares-1.12.0/debian/patches/series 2017-06-26 22:00:03.000000000 +0200
@@ -1 +1,2 @@
disable-cflags-rewrite.diff
+CVE-2017-1000381.diff
Reply to: