Bug#930637: unblock: monit/1:5.25.2-3+deb10u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package monit in t-p-u. Version
1:5.25.2-3+deb10u1 contains only targeted fixes for security
issue #927775 (two CVEs). See the attached diff.
diff --git a/debian/changelog b/debian/changelog
index bd3d9b0..8712671 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+monit (1:5.25.2-3+deb10u1) testing-proposed-updates; urgency=medium
+
+ * Backport upstream fixes (Closes: #927775):
+ + CVE-2019-11454 Persistent cross-site scripting (XSS) in http/cervlet.c
+ + CVE-2019-11455 A buffer over-read in Util_urlDecode in util.c
+
+ -- Sergey B Kirpichev <skirpichev@gmail.com> Mon, 17 Jun 2019 10:57:40 +0300
+
monit (1:5.25.2-3) unstable; urgency=medium
* Spelling fixes in manpage
diff --git a/debian/patches/CVE-2019-11454.patch b/debian/patches/CVE-2019-11454.patch
new file mode 100644
index 0000000..ce73e8d
--- /dev/null
+++ b/debian/patches/CVE-2019-11454.patch
@@ -0,0 +1,20 @@
+Description: Fix CVE-2019-11454
+Origin: https://bitbucket.org/tildeslash/monit/commits/328f607
+Forwarded: not needed
+Bug-Debian: https://bugs.debian.org/927775
+
+---
+ src/http/cervlet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/http/cervlet.c
++++ b/src/http/cervlet.c
+@@ -906,7 +906,7 @@ static void do_viewlog(HttpRequest req,
+ StringBuffer_append(res->outputbuffer, "<br><p><form><textarea cols=120 rows=30 readonly>");
+ while ((n = fread(buf, sizeof(char), sizeof(buf) - 1, f)) > 0) {
+ buf[n] = 0;
+- StringBuffer_append(res->outputbuffer, "%s", buf);
++ escapeHTML(res->outputbuffer, buf);
+ }
+ fclose(f);
+ StringBuffer_append(res->outputbuffer, "</textarea></form>");
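Review bot: `escapeHTML(res->outputbuffer, buf)` is passed no length, so it can only stop at the first NUL in each chunk. A log file containing a NUL byte would therefore have the rest of that `fread` chunk silently left out of the rendered view. The old `"%s"` call had the same limit, but since the log is now treated as untrusted content it would be worth escaping exactly `n` bytes, or replacing embedded NULs in `buf[0..n)` before the call. The fix also depends on `escapeHTML` encoding at least `<` and `&` so that log text cannot close the `<textarea>`; its body is not in this hunk, and a one-line comment above the call such as `/* log content is untrusted: escape before embedding in the page */` would record the intent. `do_viewlog` starts and ends outside the hunk.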
diff --git a/debian/patches/CVE-2019-11455.patch b/debian/patches/CVE-2019-11455.patch
new file mode 100644
index 0000000..3845fd3
--- /dev/null
+++ b/debian/patches/CVE-2019-11455.patch
@@ -0,0 +1,58 @@
+Description: Fix CVE-2019-11455
+Origin: https://bitbucket.org/tildeslash/monit/commits/f12d0cdb
+Forwarded: not needed
+Bug-Debian: https://bugs.debian.org/927775
+
+---
+ src/util.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/src/util.c
++++ b/src/util.c
+@@ -233,7 +233,7 @@ static char *is_str_defined(char *s) {
+ /**
+ * Convert a hex char to a char
+ */
+-static char x2c(char *hex) {
++static char _x2c(char *hex) {
+ register char digit;
+ digit = ((hex[0] >= 'A') ? ((hex[0] & 0xdf) - 'A')+10 : (hex[0] - '0'));
+ digit *= 16;
+@@ -535,7 +535,7 @@ void Util_handleEscapes(char *buf) {
+ */
+ *(buf + insertpos) = *(buf+editpos);
+ } else {
+- *(buf + insertpos) = x2c(&buf[editpos + 3]);
++ *(buf + insertpos) = _x2c(&buf[editpos + 3]);
+ editpos += 4;
+ }
+ }
+@@ -571,7 +571,7 @@ int Util_handle0Escapes(char *buf) {
+ switch (*(buf + editpos + 1)) {
+ case '0':
+ if (*(buf + editpos + 2) == 'x') {
+- *(buf + insertpos) = x2c(&buf[editpos+3]);
++ *(buf + insertpos) = _x2c(&buf[editpos+3]);
+ editpos += 4;
+ }
+ break;
+@@ -1561,13 +1561,15 @@ char *Util_urlDecode(char *url) {
+ if (url && *url) {
+ register int x, y;
+ for (x = 0, y = 0; url[y]; x++, y++) {
+- if ((url[x] = url[y]) == '+')
++ if (url[y] == '+') {
+ url[x] = ' ';
+- else if (url[x] == '%') {
+- if (! (url[x + 1] && url[x + 2]))
++ } else if (url[y] == '%') {
++ if (! url[y + 1] || ! url[y + 2])
+ break;
+- url[x] = x2c(url + y + 1);
++ url[x] = _x2c(url + y + 1);
+ y += 2;
++ } else {
++ url[x] = url[y];
+ }
+ }
+ url[x] = 0;
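Review bot: The two rename-only hunks in `Util_handleEscapes` and `Util_handle0Escapes` still call `_x2c(&buf[editpos + 3])` without checking that two characters remain before the terminator, which looks like the same over-read pattern the `Util_urlDecode` hunk fixes. Unless the surrounding loops (outside the hunks) already guarantee it, a guard such as `if (buf[editpos + 3] && buf[editpos + 4])` belongs before each call. In `Util_urlDecode` the new test `! url[y + 1] || ! url[y + 2]` only rejects a truncated escape, so non-hex characters after `%` still go through `_x2c`, and `%00` decodes to a NUL that shortens the string for later consumers. Testing `isxdigit((unsigned char)url[y + 1])` and `isxdigit((unsigned char)url[y + 2])` instead would cover both the terminator and malformed digits; whether a decoded NUL should be accepted is a separate decision for the callers. All four functions start or end outside the hunks shown.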
diff --git a/debian/patches/series b/debian/patches/series
index 98bcb60..fc04d2d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
05_monitrc.patch
07_cross.patch
11_enable_hurd.patch
+CVE-2019-11455.patch
+CVE-2019-11454.patch