Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
The attached debdiff adresses CVE-2018-6758 / 889753 for uwsgi in
stretch. Cf.
http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The
issue does not warrant a DSA.
+uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+ (Closes: #889753)
Can it be considered for the upcoming stretch point release?
Regards,
Salvatore
diff -Nru uwsgi-2.0.14+20161117/debian/changelog uwsgi-2.0.14+20161117/debian/changelog
--- uwsgi-2.0.14+20161117/debian/changelog 2016-12-07 17:01:16.000000000 +0100
+++ uwsgi-2.0.14+20161117/debian/changelog 2018-02-06 22:31:14.000000000 +0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+ (Closes: #889753)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 06 Feb 2018 22:31:14 +0100
+
uwsgi (2.0.14+20161117-3) unstable; urgency=medium
* Add patch 1007 to fix build router_basicauth for GNU/kFreeBSD.
diff -Nru uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
--- uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 1970-01-01 01:00:00.000000000 +0100
+++ uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 2018-02-06 22:31:14.000000000 +0100
@@ -0,0 +1,46 @@
+From: Unbit <info@unbit.it>
+Date: Tue, 6 Feb 2018 16:01:47 +0100
+Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack
+ corruption and potential security issue
+Origin: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
+Bug-Debian: https://bugs.debian.org/889753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758
+
+---
+ core/utils.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/core/utils.c b/core/utils.c
+index b4c98dfd..fd886932 100644
+--- a/core/utils.c
++++ b/core/utils.c
+@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, pid_t pid) {
+ }
+
+ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+- char src[PATH_MAX + 1];
+- memcpy(src, dir, dir_len);
+- src[dir_len] = 0;
++ if (dir_len > PATH_MAX)
++ {
++ uwsgi_log("invalid path size: %d (max %d)\n", dir_len, PATH_MAX);
++ return NULL;
++ }
++ char *src = uwsgi_concat2n(dir, dir_len, "", 0);
+ char *dst = ptr;
+ if (!dst)
+ dst = uwsgi_malloc(PATH_MAX + 1);
+@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+ uwsgi_error_realpath(src);
+ if (!ptr)
+ free(dst);
++ free(src);
+ return NULL;
+ }
++ free(src);
+ return dst;
+ }
+
+--
+2.11.0
+
diff -Nru uwsgi-2.0.14+20161117/debian/patches/series uwsgi-2.0.14+20161117/debian/patches/series
--- uwsgi-2.0.14+20161117/debian/patches/series 2016-12-07 16:24:30.000000000 +0100
+++ uwsgi-2.0.14+20161117/debian/patches/series 2018-02-06 22:31:14.000000000 +0100
@@ -1,4 +1,5 @@
020161123~6b48ac0.patch
+0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
1001_avoid_setting_RPATH.patch
1002_fix-reload-process-name.patch
1003_remove-php-libs.patch
Reply to: