Bug#838396: marked as done (jessie-pu: package zookeeper/3.4.5+dfsg-2)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #838396,
regarding jessie-pu: package zookeeper/3.4.5+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
838396: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838396
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: jessie-pu: package zookeeper/3.4.5+dfsg-2
• From: Markus Koschany <apo@debian.org>
• Date: Tue, 20 Sep 2016 21:45:51 +0200
• Message-id: <147440075108.25541.12188491451865306769.reportbug@conan>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to update zookeeper in Jessie which is currently affected
by CVE-2016-5017. The security team does not intend to release a DSA
for this issue.

Please find attached the debdiff against the current version in
Jessie.

Regards,

Markus

diff -Nru zookeeper-3.4.5+dfsg/debian/changelog zookeeper-3.4.5+dfsg/debian/changelog
--- zookeeper-3.4.5+dfsg/debian/changelog	2014-03-16 21:07:30.000000000 +0100
+++ zookeeper-3.4.5+dfsg/debian/changelog	2016-09-18 20:14:02.000000000 +0200
@@ -1,3 +1,15 @@
+zookeeper (3.4.5+dfsg-2+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix CVE-2016-5017:
+    Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache
+    Zookeeper, a high-performance coordination service for distributed
+    applications, were affected by a buffer overflow vulnerability associated
+    with parsing of the input command when using the "cmd:" batch mode syntax.
+    If the command string exceeds 1024 characters a buffer overflow will occur.
+
+ -- Markus Koschany <apo@debian.org>  Sun, 18 Sep 2016 20:14:02 +0200
+
 zookeeper (3.4.5+dfsg-2) unstable; urgency=high
 
   [ tony mancill ]
diff -Nru zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch
--- zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch	1970-01-01 01:00:00.000000000 +0100
+++ zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch	2016-09-18 20:14:02.000000000 +0200
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 18 Sep 2016 19:57:53 +0200
+Subject: CVE-2016-5017
+
+Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache
+Zookeeper, a high-performance coordination service for distributed
+applications, were affected by a buffer overflow vulnerability associated with
+parsing of the input command when using the "cmd:" batch mode syntax. If the
+command string exceeds 1024 characters a buffer overflow will occur.
+
+
+Origin: https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f
+---
+ src/c/src/cli.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/c/src/cli.c b/src/c/src/cli.c
+index c4538a6..959dd99 100644
+--- a/src/c/src/cli.c
++++ b/src/c/src/cli.c
+@@ -486,7 +486,15 @@ int main(int argc, char **argv) {
+     }
+     if (argc > 2) {
+       if(strncmp("cmd:",argv[2],4)==0){
+-        strcpy(cmd,argv[2]+4);
++        size_t cmdlen = strlen(argv[2]);
++        if (cmdlen > sizeof(cmd)) {
++            fprintf(stderr,
++                    "Command length %zu exceeds max length of %zu\n",
++                    cmdlen,
++                    sizeof(cmd));
++            return 2;
++        }
++        strncpy(cmd, argv[2]+4, sizeof(cmd));
+         batchMode=1;
+         fprintf(stderr,"Batch mode: %s\n",cmd);
+       }else{
diff -Nru zookeeper-3.4.5+dfsg/debian/patches/series zookeeper-3.4.5+dfsg/debian/patches/series
--- zookeeper-3.4.5+dfsg/debian/patches/series	2014-03-15 18:45:57.000000000 +0100
+++ zookeeper-3.4.5+dfsg/debian/patches/series	2016-09-18 20:14:02.000000000 +0200
@@ -4,3 +4,4 @@
 fixes/ZOOKEEPER-705
 ftbfs-gcc-4.7.diff
 fixes/ZOOKEEPER-770
+CVE-2016-5017.patch

--- End Message ---

--- Begin Message ---

• To: 823517-done@bugs.debian.org, 829606-done@bugs.debian.org, 836795-done@bugs.debian.org, 836823-done@bugs.debian.org, 837105-done@bugs.debian.org, 837428-done@bugs.debian.org, 837558-done@bugs.debian.org, 837575-done@bugs.debian.org, 837607-done@bugs.debian.org, 838396-done@bugs.debian.org, 838780-done@bugs.debian.org, 838869-done@bugs.debian.org, 838882-done@bugs.debian.org, 839242-done@bugs.debian.org, 839531-done@bugs.debian.org, 839656-done@bugs.debian.org, 839731-done@bugs.debian.org, 839814-done@bugs.debian.org, 839907-done@bugs.debian.org, 839927-done@bugs.debian.org, 840127-done@bugs.debian.org, 840188-done@bugs.debian.org, 840191-done@bugs.debian.org, 840350-done@bugs.debian.org, 840378-done@bugs.debian.org, 840379-done@bugs.debian.org, 840942-done@bugs.debian.org, 841462-done@bugs.debian.org, 841681-done@bugs.debian.org, 841767-done@bugs.debian.org, 841979-done@bugs.debian.org, 842013-done@bugs.debian.org, 842509-done@bugs.debian.org, 842938-done@bugs.debian.org, 843171-done@bugs.debian.org, 843268-done@bugs.debian.org, 843411-done@bugs.debian.org, 843426-done@bugs.debian.org, 843508-done@bugs.debian.org, 843775-done@bugs.debian.org, 843999-done@bugs.debian.org, 844150-done@bugs.debian.org, 844161-done@bugs.debian.org, 844746-done@bugs.debian.org, 845156-done@bugs.debian.org, 845263-done@bugs.debian.org, 845387-done@bugs.debian.org, 845443-done@bugs.debian.org, 845474-done@bugs.debian.org, 845564-done@bugs.debian.org, 845570-done@bugs.debian.org, 846017-done@bugs.debian.org, 846031-done@bugs.debian.org, 846352-done@bugs.debian.org, 846948-done@bugs.debian.org, 847273-done@bugs.debian.org, 847921-done@bugs.debian.org, 848341-done@bugs.debian.org, 848610-done@bugs.debian.org, 848829-done@bugs.debian.org, 848908-done@bugs.debian.org, 848926-done@bugs.debian.org, 848942-done@bugs.debian.org, 849004-done@bugs.debian.org, 849020-done@bugs.debian.org, 849175-done@bugs.debian.org, 849438-done@bugs.debian.org, 849467-done@bugs.debian.org, 849538-done@bugs.debian.org, 849698-done@bugs.debian.org, 849725-done@bugs.debian.org, 849865-done@bugs.debian.org, 849869-done@bugs.debian.org, 849962-done@bugs.debian.org, 849967-done@bugs.debian.org, 850084-done@bugs.debian.org, 850154-done@bugs.debian.org, 850214-done@bugs.debian.org, 850539-done@bugs.debian.org, 850542-done@bugs.debian.org, 850563-done@bugs.debian.org, 850566-done@bugs.debian.org, 850567-done@bugs.debian.org, 838109-done@bugs.debian.org, 849488-done@bugs.debian.org
• Subject: Closing requests included in today's point release
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 14 Jan 2017 12:37:03 +0000
• Message-id: <1484397423.1091.25.camel@adam-barratt.org.uk>

Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---