Bug#942110: stretch-pu: package gnustep-base/1.24.9-3.1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
I'd like to fix a vulnerability in the gdomap daemon (no DSA). It is
fixed in testing/unstable and already approved/uploaded for buster
(release.d.o #940943). The patch is the same.
Debdiff attached.
diff -Nru gnustep-base-1.24.9/debian/changelog gnustep-base-1.24.9/debian/changelog
--- gnustep-base-1.24.9/debian/changelog 2017-02-02 21:12:50.000000000 +0200
+++ gnustep-base-1.24.9/debian/changelog 2019-10-10 08:33:21.000000000 +0300
@@ -1,3 +1,12 @@
+gnustep-base (1.24.9-3.1+deb9u1) stretch; urgency=medium
+
+ * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+ amplification vulnerability. Thanks to Alan Jenkins.
+ * debian/patches/series: Update.
+ * debian/gbp.conf: New file.
+
+ -- Yavor Doganov <yavor@gnu.org> Thu, 10 Oct 2019 08:33:21 +0300
+
gnustep-base (1.24.9-3.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru gnustep-base-1.24.9/debian/gbp.conf gnustep-base-1.24.9/debian/gbp.conf
--- gnustep-base-1.24.9/debian/gbp.conf 1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.24.9/debian/gbp.conf 2019-10-10 08:33:08.000000000 +0300
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = stretch
diff -Nru gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch 1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch 2019-10-10 08:32:24.000000000 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator. The correct
+ bitwise operator is "&". The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests. This
+ request is only useful locally. Do not allow remote requests for the
+ server list. Our response can be large, so it would make a great UDP
+ amplification attack.
+ .
+ Patch by Alan Jenkins <alan.christopher.jenkins@gmail.com>; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-10-10
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
++++ gnustep-base/Tools/gdomap.c
+@@ -419,7 +419,7 @@
+
+ for (i = 0; i < interfaces; i++)
+ {
+- if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++ if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+ {
+ return 1;
+ }
+@@ -3090,6 +3090,21 @@
+ unsigned int i;
+ unsigned int j;
+
++ /*
++ * See if this is a request from a local process.
++ *
++ * This request is only useful locally. Do not allow remote
++ * requests for the server list. Our response can be large,
++ * so it would make a great UDP amplification attack.
++ */
++ if (is_local_host(ri->addr.sin_addr) == 0)
++ {
++ snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++ gdomap_log(LOG_ERR);
++ clear_chan(desc);
++ return;
++ }
++
+ free(wi->buf);
+ wi->buf = (char*)calloc(sizeof(uint32_t)
+ + (prb_used+1)*IASIZE, 1);
+@@ -3250,8 +3265,8 @@
+ {
+ continue;
+ }
+- if ((mask[i].s_addr && addr[i].s_addr) ==
+- (mask[i].s_addr && ri->addr.sin_addr.s_addr))
++ if ((mask[i].s_addr & addr[i].s_addr) ==
++ (mask[i].s_addr & ri->addr.sin_addr.s_addr))
+ {
+ laddr = addr[i];
+ memcpy(wbuf, &laddr, IASIZE);
diff -Nru gnustep-base-1.24.9/debian/patches/series gnustep-base-1.24.9/debian/patches/series
--- gnustep-base-1.24.9/debian/patches/series 2016-08-09 18:49:12.000000000 +0300
+++ gnustep-base-1.24.9/debian/patches/series 2019-10-09 19:25:53.000000000 +0300
@@ -19,3 +19,4 @@
fix-gdnc.patch
fix-tests-timings.patch
fix-test-icu2.patch
+gdomap-udp-amplification.patch
Reply to: