
Bug#913881: stretch-pu: package uriparser/0.8.4-1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

the attached debdiff fixes

CVE-2018-19198,
CVE-2018-19199 and
CVE-2018-19200.

The maintainer email address and the Vcs-* location are
also changed.

CU
Jörg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




diff -Nru uriparser-0.8.4/debian/changelog uriparser-0.8.4/debian/changelog
--- uriparser-0.8.4/debian/changelog	2015-11-04 07:02:13.000000000 +0100
+++ uriparser-0.8.4/debian/changelog	2018-11-16 09:43:24.000000000 +0100
@@ -1,3 +1,15 @@
+uriparser (0.8.4-1+deb9u1) stable; urgency=medium
+
+  * Fix multiple CVEs (Closes: #913817):
+    - New debian/patches/CVE-2018-19198.patch to fix CVE-2018-19198.
+    - New debian/patches/CVE-2018-19199.patch to fix CVE-2018-19199.
+    - New debian/patches/CVE-2018-19200.patch to fix CVE-2018-19200.
+  * debian/control:
+    - Change to my new email address.
+    - Switch Vcs-* to new location.
+
+ -- Jörg Frings-Fürst <debian@jff.email>  Fri, 16 Nov 2018 09:43:24 +0100
+
 uriparser (0.8.4-1) unstable; urgency=medium
 
   * New upstream release.
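Review bot: the first added line targets "stable", while this request is filed and tagged for stretch; naming the codename, as in "uriparser (0.8.4-1+deb9u1) stretch; urgency=medium", keeps the entry unambiguous once stable moves to the next release. The entry also bundles the maintainer address and Vcs-* changes with the three CVE fixes, so it is worth confirming that the release team accepts these non-security changes in the same upload.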
diff -Nru uriparser-0.8.4/debian/control uriparser-0.8.4/debian/control
--- uriparser-0.8.4/debian/control	2015-11-02 07:02:50.000000000 +0100
+++ uriparser-0.8.4/debian/control	2018-11-16 09:37:15.000000000 +0100
@@ -1,7 +1,7 @@
 Source: uriparser
 Section: libs
 Priority: optional
-Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Maintainer: Jörg Frings-Fürst <debian@jff.email>
 Build-Depends:
  debhelper (>= 9),
  dh-autoreconf,
@@ -14,8 +14,8 @@
  libqt5sql5-sqlite
 Standards-Version: 3.9.6
 Homepage: http://uriparser.sourceforge.net
-Vcs-Git: git://anonscm.debian.org/collab-maint/uriparser.git
-Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/uriparser.git
+Vcs-Git: git://jff.email/opt/git/uriparser.git
+Vcs-Browser: https://jff.email/cgit/uriparser.git
 
 Package: liburiparser1
 Architecture: any
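Review bot: the new Vcs-Git value uses the git:// transport, which is neither authenticated nor encrypted, while the Vcs-Browser line right below it already uses https; if the host serves the repository over https, point Vcs-Git at an https:// URL so the packaging history cannot be altered in transit. The /opt/git/ component also looks like a server-side filesystem path, so check that this URL actually clones before the upload.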
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19198.patch uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19198.patch	1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19198.patch	2018-11-16 09:19:24.000000000 +0100
@@ -0,0 +1,73 @@
+From 864f5d4c127def386dd5cc926ad96934b297f04e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Sep 2018 20:07:25 +0200
+Subject: [PATCH] UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
+
+Reported by Google Autofuzz team
+---
+ src/UriQuery.c |  1 +
+ test/test.cpp  | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+Index: stretch/src/UriQuery.c
+===================================================================
+--- stretch.orig/src/UriQuery.c
++++ stretch/src/UriQuery.c
+@@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+ 
+ 			/* Copy key */
+ 			if (firstItem == URI_TRUE) {
++				ampersandLen = 1;
+ 				firstItem = URI_FALSE;
+ 			} else {
+ 				write[0] = _UT('&');
+Index: stretch/test/test.cpp
+===================================================================
+--- stretch.orig/test/test.cpp
++++ stretch/test/test.cpp
+@@ -102,6 +102,7 @@ public:
+ 		TEST_ADD(UriSuite::testQueryList)
+ 		TEST_ADD(UriSuite::testQueryListPair)
+ 		TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
++		TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
+ 		TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
+ 		TEST_ADD(UriSuite::testParseInvalid_Bug16)
+ 		TEST_ADD(UriSuite::testRangeComparison)
+@@ -1718,6 +1719,37 @@ Rule                                | Ex
+ 		uriFreeQueryListA(queryList);
+ 	}
+ 
++	void testQueryCompositionMathWrite_GoogleAutofuzz113244572() {
++		UriQueryListA second = { .key = "\x11", .value = NULL, .next = NULL };
++		UriQueryListA first = { .key = "\x01", .value = "\x02", .next = &second };
++
++		const UriBool spaceToPlus = URI_TRUE;
++		const UriBool normalizeBreaks = URI_FALSE;  /* for factor 3 but 6 */
++
++		const int charsRequired = (3 + 1 + 3) + 1 + (3);
++
++		{
++			// Minimum space to hold everything fine
++			const char * const expected = "%01=%02" "&" "%11";
++			char dest[charsRequired + 1];
++			int charsWritten;
++			TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
++					&charsWritten, spaceToPlus, normalizeBreaks)
++				== URI_SUCCESS);
++			TEST_ASSERT(! strcmp(dest, expected));
++			TEST_ASSERT(charsWritten == strlen(expected) + 1);
++		}
++
++		{
++			// Previous math failed to take ampersand into account
++			char dest[charsRequired + 1 - 1];
++			int charsWritten;
++			TEST_ASSERT(uriComposeQueryExA(dest, &first, sizeof(dest),
++					&charsWritten, spaceToPlus, normalizeBreaks)
++				== URI_ERROR_OUTPUT_TOO_LARGE);
++		}
++	}
++
+ 	void testFreeCrash_Bug20080827() {
+ 		char const * const sourceUri = "abc";
+ 		char const * const baseUri = "http://www.example.org/";;
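Review bot: in the UriQuery.c hunk the added "ampersandLen = 1;" sits in the first-item branch without a comment on why the separator length is set while handling the item that has no ampersand in front of it; a one-line comment tying it to the space check for the following items (the test calls this "Previous math failed to take ampersand into account") would protect the fix from a later cleanup. In the new test, the "{ .key = ..., .value = ..., .next = ... }" initializers are designated initializers in a .cpp file, which is a compiler extension before C++20, so check that the test suite still builds with the stretch toolchain. The comment "for factor 3 but 6" reads like a typo for "not 6", and "charsWritten == strlen(expected) + 1" compares an int with a size_t.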
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19199.patch uriparser-0.8.4/debian/patches/CVE-2018-19199.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19199.patch	1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19199.patch	2018-11-16 09:20:41.000000000 +0100
@@ -0,0 +1,43 @@
+From f76275d4a91b28d687250525d3a0c5509bbd666f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 23 Sep 2018 21:30:39 +0200
+Subject: [PATCH] UriQuery.c: Catch integer overflow in ComposeQuery and ...Ex
+
+---
+ ChangeLog      |  2 ++
+ src/UriQuery.c | 14 ++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: stretch/src/UriQuery.c
+===================================================================
+--- stretch.orig/src/UriQuery.c
++++ stretch/src/UriQuery.c
+@@ -68,6 +68,10 @@
+ 
+ 
+ 
++#include <limits.h>
++
++
++
+ static int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
+ 		const URI_TYPE(QueryList) * queryList,
+ 		int maxChars, int * charsWritten, int * charsRequired,
+@@ -201,9 +205,15 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+ 		const URI_CHAR * const value = queryList->value;
+ 		const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
+ 		const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+-		const int keyRequiredChars = worstCase * keyLen;
++		int keyRequiredChars;
+ 		const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
+-		const int valueRequiredChars = worstCase * valueLen;
++		int valueRequiredChars;
++
++		if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
++			return URI_ERROR_OUTPUT_TOO_LARGE;
++		}
++		keyRequiredChars = worstCase * keyLen;
++		valueRequiredChars = worstCase * valueLen;
+ 
+ 		if (dest == NULL) {
+ 			if (firstItem == URI_TRUE) {
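Review bot: the new INT_MAX check runs after keyLen and valueLen have already been narrowed with "(int)URI_STRLEN(key)" and "(int)URI_STRLEN(value)" on the context lines, so a string longer than INT_MAX is truncated by the cast before the check sees it, and a length that wraps to a negative int passes "keyLen >= INT_MAX / worstCase". Comparing the size_t result of URI_STRLEN against INT_MAX / worstCase before casting would close that gap. The check also covers only the two multiplications; the hunk does not show whether the later sum of keyRequiredChars, valueRequiredChars and the separators is guarded, and unlike the CVE-2018-19198 patch this one adds no test.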
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19200.patch uriparser-0.8.4/debian/patches/CVE-2018-19200.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19200.patch	1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19200.patch	2018-11-16 08:49:00.000000000 +0100
@@ -0,0 +1,23 @@
+From f58c25069cf4a986fe17a80c5b38687e31feb539 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 10 Oct 2018 14:49:51 +0200
+Subject: [PATCH] ResetUri: Protect against NULL
+
+---
+ src/UriCommon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/UriCommon.c b/src/UriCommon.c
+index 3775306..039beda 100644
+--- a/src/UriCommon.c
++++ b/src/UriCommon.c
+@@ -75,6 +75,9 @@
+ 
+ 
+ void URI_FUNC(ResetUri)(URI_TYPE(Uri) * uri) {
++	if (uri == NULL) {
++		return;
++	}
+ 	memset(uri, 0, sizeof(URI_TYPE(Uri)));
+ }
+ 
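Review bot: the new guard in ResetUri returns silently when uri is NULL, and because the function is void the caller gets no signal that nothing was reset; the callers that can reach this with NULL should report an error themselves rather than rely on the guard. The diffstat lists only src/UriCommon.c, so the NULL path has no regression test, which the CVE-2018-19198 patch does provide for its fix.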
diff -Nru uriparser-0.8.4/debian/patches/series uriparser-0.8.4/debian/patches/series
--- uriparser-0.8.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/series	2018-11-16 09:18:50.000000000 +0100
@@ -0,0 +1,3 @@
+CVE-2018-19198.patch
+CVE-2018-19199.patch
+CVE-2018-19200.patch
