
Bug#940943: buster-pu: package gnustep-base/1.26.0-4+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to update the gnustep-base package in buster to fix #939119.
Additionally, the OP has also discovered a vulnerability in the gdomap
daemon which was reported to the Debian security team.  Haven't got a
response from them but the patch was approved by the upstream
maintainer and subsequently committed to the upstream repository.

Tested on a buster system; debdiff attached.

diff -Nru gnustep-base-1.26.0/debian/changelog gnustep-base-1.26.0/debian/changelog
--- gnustep-base-1.26.0/debian/changelog	2019-02-01 23:20:45.000000000 +0200
+++ gnustep-base-1.26.0/debian/changelog	2019-09-22 12:44:38.000000000 +0300
@@ -1,3 +1,16 @@
+gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
+
+  * debian/gnustep-base-runtime.preinst: New file; handle the poor
+    upgrade from stretch to buster which left the gdomap daemon enabled
+    (Closes: #939119).  Thanks to Alan Jenkins.
+  * debian/NEWS: Document that the gdomap daemon is disabled forcefully.
+  * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+    amplification vulnerability.  Patch by Alan Jenkins.
+  * debian/patches/series: Update.
+  * debian/gbp.conf: Set debian-branch to buster.
+
+ -- Yavor Doganov <yavor@gnu.org>  Sun, 22 Sep 2019 12:44:38 +0300
+
 gnustep-base (1.26.0-4) unstable; urgency=medium
 
   * debian/patches/armhf-test.patch: New; ignore a failing test on armhf
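Review bot: the entry for gdomap-udp-amplification.patch carries no bug or advisory reference, unlike the preinst entry which closes #939119; since the cover letter says the issue was reported to the Debian security team, add the corresponding bug number (or CVE identifier, if one is assigned) to that bullet so the security fix is traceable from the changelog.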
diff -Nru gnustep-base-1.26.0/debian/gbp.conf gnustep-base-1.26.0/debian/gbp.conf
--- gnustep-base-1.26.0/debian/gbp.conf	2019-01-10 14:50:12.000000000 +0200
+++ gnustep-base-1.26.0/debian/gbp.conf	2019-09-22 12:44:07.000000000 +0300
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = buster
diff -Nru gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst
--- gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst	1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.26.0/debian/gnustep-base-runtime.preinst	2019-09-22 12:26:06.000000000 +0300
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+set -u
+
+# Upgrades from stretch to buster have made the gdomap daemon enabled
+# by default which is undesirable.  Explicitly delete the symlinks and
+# let update-rc.d recreate them in postinst.  See #939119.
+# Remove after bullseye is released.
+if [ "$1" = "upgrade" ]; then
+    if dpkg --compare-versions "$2" lt 1.26.0-4+deb10u1; then
+        ENABLED=no
+        if [ -f /etc/default/gdomap ]; then
+            . /etc/default/gdomap
+        fi
+        if [ "$ENABLED" != "yes" ]; then
+            find /etc/rc?.d -name "*gdomap" -delete
+        fi
+    fi
+fi
+
+#DEBHELPER#
+
+exit 0
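Review bot: with `set -e` in force, the line `find /etc/rc?.d -name "*gdomap" -delete` aborts the whole preinst (and therefore the upgrade) if the `/etc/rc?.d` glob does not expand, because `find` then receives the literal path and exits non-zero; guard it with `[ -d /etc/rc2.d ]` or append `|| true` so a system without SysV runlevel directories still upgrades. Also note that sourcing `/etc/default/gdomap` under `set -u` will abort if that admin-edited file references an unset variable; reading only `ENABLED` with a fixed default is safer than `.`-sourcing it.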
diff -Nru gnustep-base-1.26.0/debian/NEWS gnustep-base-1.26.0/debian/NEWS
--- gnustep-base-1.26.0/debian/NEWS	2018-01-01 12:39:24.000000000 +0200
+++ gnustep-base-1.26.0/debian/NEWS	2019-09-22 12:32:35.000000000 +0300
@@ -1,3 +1,12 @@
+gnustep-base (1.26.0-4+deb10u1) buster; urgency=medium
+
+  The gdomap daemon has been inadvertently enabled in 1.25.1-1 while
+  implementing a new Debian Policy requirement (§9.3.3.1).  This version
+  forcefully disables it again.  If you want the daemon running, run
+  "update-rc.d gdomap enable" to enable it.
+
+ -- Yavor Doganov <yavor@gnu.org>  Sun, 22 Sep 2019 12:32:33 +0300
+
 gnustep-base (1.25.0-1) experimental; urgency=medium
 
   The example programs using the GNUstep Base library have been moved to
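Review bot: the advice "run update-rc.d gdomap enable" should be paired with a note that this update keeps the daemon only when /etc/default/gdomap sets `ENABLED=yes`, since the preinst removes the rc?.d symlinks in every other case; an administrator who deliberately enabled gdomap on buster via `update-rc.d gdomap enable` before this update, without touching /etc/default/gdomap, will find it disabled after the upgrade and should be told to set `ENABLED=yes` as well.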
diff -Nru gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch	1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.26.0/debian/patches/gdomap-udp-amplification.patch	2019-09-22 12:40:24.000000000 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator.  The correct
+ bitwise operator is "&".  The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests.  This
+ request is only useful locally.  Do not allow remote requests for the
+ server list.  Our response can be large, so it would make a great UDP
+ amplification attack.
+ . 
+ Patch by Alan Jenkins <alan.christopher.jenkins@gmail.com>; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-09-22
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
++++ gnustep-base/Tools/gdomap.c
+@@ -419,7 +419,7 @@
+ 
+   for (i = 0; i < interfaces; i++)
+     {
+-      if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++      if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+ 	{
+ 	  return 1;
+ 	}
+@@ -3100,6 +3100,21 @@
+       unsigned int	i;
+       unsigned int	j;
+ 
++      /*
++       *	See if this is a request from a local process.
++       *
++       *	This request is only useful locally.  Do not allow remote
++       *	requests for the server list.  Our response can be large,
++       *	so it would make a great UDP amplification attack.
++       */
++      if (is_local_host(ri->addr.sin_addr) == 0)
++	{
++	  snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++	  gdomap_log(LOG_ERR);
++	  clear_chan(desc);
++	  return;
++	}
++
+       free(wi->buf);
+       wi->buf = (char*)calloc(sizeof(uint32_t)
+ 	+ (prb_used+1)*IASIZE, 1);
+@@ -3260,8 +3275,8 @@
+ 		    {
+ 		      continue;
+ 		    }
+-		  if ((mask[i].s_addr && addr[i].s_addr) ==
+-			(mask[i].s_addr && ri->addr.sin_addr.s_addr))
++		  if ((mask[i].s_addr & addr[i].s_addr) ==
++			(mask[i].s_addr & ri->addr.sin_addr.s_addr))
+ 		    {
+ 		      laddr = addr[i];
+ 		      memcpy(wbuf, &laddr, IASIZE);
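Review bot: the DEP-3 header has trailing whitespace on the second ` .` separator line and lacks a `Bug` or `Bug-Debian` field pointing at the security-team report, so add the reference once it exists. The code change is sound: with `&&` both sides of the comparison collapse to 1 whenever the mask, interface address and peer address are non-zero, which is why is_local_net() always returned true, and `&` restores the intended subnet comparison in both places. The new GDO_SERVERS guard calls is_local_host() rather than the repaired is_local_net(), which matches the stated intent that only local processes may request the server list; logging via gdomap_log(LOG_ERR) and clear_chan(desc) before returning also gives operators a visible record of rejected remote requests.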
diff -Nru gnustep-base-1.26.0/debian/patches/series gnustep-base-1.26.0/debian/patches/series
--- gnustep-base-1.26.0/debian/patches/series	2019-02-01 22:19:23.000000000 +0200
+++ gnustep-base-1.26.0/debian/patches/series	2019-09-22 12:41:27.000000000 +0300
@@ -8,3 +8,4 @@
 fix-tests-timings.patch
 autogsdoc-reproducibility.patch
 armhf-test.patch
+gdomap-udp-amplification.patch