Bug#950280: buster-pu: package libsolv/0.6.35-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
I have just uploaded libsolv/0.6.35-2+deb10u1 to buster.
+ * debian/patches:
+ + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based buffer
+ over-read in repodata.c (Closes: #949611).
-> ... fixing CVE-2019-20387.
+ + 1006_various-types.patch: Trivial rebase.
+
-> ... and fixing lines in patch 1006.
Greets,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libsolv-0.6.35/debian/changelog libsolv-0.6.35/debian/changelog
--- libsolv-0.6.35/debian/changelog 2018-09-03 11:14:21.000000000 +0200
+++ libsolv-0.6.35/debian/changelog 2020-01-30 22:35:28.000000000 +0100
@@ -1,3 +1,12 @@
+libsolv (0.6.35-2+deb10u1) buster; urgency=medium
+
+ * debian/patches:
+ + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based buffer
+ over-read in repodata.c (Closes: #949611).
+ + 1006_various-types.patch: Trivial rebase.
+
+ -- Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Thu, 30 Jan 2020 22:35:28 +0100
+
libsolv (0.6.35-2) unstable; urgency=medium
* debian/changelog: White-space cleanup in previous stanza.
diff -Nru libsolv-0.6.35/debian/patches/0001_CVE-2019-20387.patch libsolv-0.6.35/debian/patches/0001_CVE-2019-20387.patch
--- libsolv-0.6.35/debian/patches/0001_CVE-2019-20387.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsolv-0.6.35/debian/patches/0001_CVE-2019-20387.patch 2020-01-30 18:50:22.000000000 +0100
@@ -0,0 +1,32 @@
+From fdb9c9c03508990e4583046b590c30d958f272da Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 6 Aug 2019 09:50:57 +0800
+Subject: [PATCH] repodata_schema2id: fix heap-buffer-overflow in memcmp
+
+When the length of last schema in data->schemadata is
+less than length of input schema, we got a read overflow
+in asan test.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ src/repodata.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/repodata.c
++++ b/src/repodata.c
+@@ -205,11 +205,13 @@
+ cid = schematahash[h];
+ if (cid)
+ {
+- if (!memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
++ if ((data->schemata[cid] + len <= data->schemadatalen) &&
++ !memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
+ return cid;
+ /* cache conflict, do a slow search */
+ for (cid = 1; cid < data->nschemata; cid++)
+- if (!memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
++ if ((data->schemata[cid] + len <= data->schemadatalen) &&
++ !memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
+ return cid;
+ }
+ /* a new one */
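Review bot: The new guard "data->schemata[cid] + len <= data->schemadatalen", added before both memcmp calls, performs an addition before the comparison, and the operand types are not visible in this hunk. Please confirm the sum cannot wrap for a large len, or consider the subtraction form (len <= data->schemadatalen - data->schemata[cid]) if schemata[cid] is known to be within schemadatalen. Separately, the patch header carries only the upstream From/Date/Subject/Signed-off-by lines; a Bug-Debian reference to #949611 and an Origin field for upstream commit fdb9c9c03508990e4583046b590c30d958f272da would make the provenance easier to audit for a stable update.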
diff -Nru libsolv-0.6.35/debian/patches/1006_various-types.patch libsolv-0.6.35/debian/patches/1006_various-types.patch
--- libsolv-0.6.35/debian/patches/1006_various-types.patch 2018-08-20 12:35:15.000000000 +0200
+++ libsolv-0.6.35/debian/patches/1006_various-types.patch 2020-01-30 22:35:14.000000000 +0100
@@ -87,7 +87,7 @@
*-l* 'PKGSPEC'::
--- a/src/rules.c
+++ b/src/rules.c
-@@ -1583,7 +1583,7 @@
+@@ -1607,7 +1607,7 @@
if (allowedarchs.count && pool->implicitobsoleteusescolors && installed && bestscore)
{
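Review bot: The src/rules.c hunk header inside 1006_various-types.patch moves from 1583 to 1607, but the only new patch in this upload touches src/repodata.c and is listed after 1006 in debian/patches/series, so the 24-line shift is not explained by the CVE fix. Since the changelog calls this a "Trivial rebase", please confirm that it is a pure offset refresh with no content change, and say so in the changelog entry, so the release team can see that the stable update changes no code beyond the CVE fix.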
diff -Nru libsolv-0.6.35/debian/patches/series libsolv-0.6.35/debian/patches/series
--- libsolv-0.6.35/debian/patches/series 2018-04-24 12:45:47.000000000 +0200
+++ libsolv-0.6.35/debian/patches/series 2020-01-30 22:35:14.000000000 +0100
@@ -1,2 +1,3 @@
1004_cmake-module-path-fix.patch
1006_various-types.patch
+0001_CVE-2019-20387.patch
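Review bot: 0001_CVE-2019-20387.patch is appended after 1004 and 1006 in the series file, so it is applied last even though its numeric prefix suggests it goes first. The order is harmless if the patches do not overlap, but the mismatch is easy to misread later. Either list it first, matching its prefix, or keep it last and note in the changelog that it is applied on top of the existing Debian patches.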