
Bug#942110: marked as done (stretch-pu: package gnustep-base/1.24.9-3.1+deb9u1)



Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #942110,
regarding stretch-pu: package gnustep-base/1.24.9-3.1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
942110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942110
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to fix a vulnerability in the gdomap daemon (no DSA).  It is
fixed in testing/unstable and already approved/uploaded for buster
(release.d.o #940943).  The patch is the same.

Debdiff attached.
diff -Nru gnustep-base-1.24.9/debian/changelog gnustep-base-1.24.9/debian/changelog
--- gnustep-base-1.24.9/debian/changelog	2017-02-02 21:12:50.000000000 +0200
+++ gnustep-base-1.24.9/debian/changelog	2019-10-10 08:33:21.000000000 +0300
@@ -1,3 +1,12 @@
+gnustep-base (1.24.9-3.1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+    amplification vulnerability.  Thanks to Alan Jenkins.
+  * debian/patches/series: Update.
+  * debian/gbp.conf: New file.
+
+ -- Yavor Doganov <yavor@gnu.org>  Thu, 10 Oct 2019 08:33:21 +0300
+
 gnustep-base (1.24.9-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
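Review bot: the changelog entry for gdomap-udp-amplification.patch gives no reference that a reader of the changelog alone can follow back to the fix; the patch header below records "Origin: upstream, commit:de9740c", so consider naming that upstream commit in the bullet ("backport upstream commit de9740c") so the stable update is traceable without opening the patch file.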
diff -Nru gnustep-base-1.24.9/debian/gbp.conf gnustep-base-1.24.9/debian/gbp.conf
--- gnustep-base-1.24.9/debian/gbp.conf	1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.24.9/debian/gbp.conf	2019-10-10 08:33:08.000000000 +0300
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = stretch
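Review bot: debian/gbp.conf is packaging metadata unrelated to the gdomap fix; it does not change the built binaries, so it is harmless, but a stretch-pu upload is normally kept to the minimal change set, so either drop it from this upload or call out in the request that it is maintainer tooling only.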
diff -Nru gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch	1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch	2019-10-10 08:32:24.000000000 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator.  The correct
+ bitwise operator is "&".  The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests.  This
+ request is only useful locally.  Do not allow remote requests for the
+ server list.  Our response can be large, so it would make a great UDP
+ amplification attack.
+ . 
+ Patch by Alan Jenkins <alan.christopher.jenkins@gmail.com>; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-10-10
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
++++ gnustep-base/Tools/gdomap.c
+@@ -419,7 +419,7 @@
+ 
+   for (i = 0; i < interfaces; i++)
+     {
+-      if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++      if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+ 	{
+ 	  return 1;
+ 	}
+@@ -3090,6 +3090,21 @@
+       unsigned int	i;
+       unsigned int	j;
+ 
++      /*
++       *	See if this is a request from a local process.
++       *
++       *	This request is only useful locally.  Do not allow remote
++       *	requests for the server list.  Our response can be large,
++       *	so it would make a great UDP amplification attack.
++       */
++      if (is_local_host(ri->addr.sin_addr) == 0)
++	{
++	  snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++	  gdomap_log(LOG_ERR);
++	  clear_chan(desc);
++	  return;
++	}
++
+       free(wi->buf);
+       wi->buf = (char*)calloc(sizeof(uint32_t)
+ 	+ (prb_used+1)*IASIZE, 1);
+@@ -3250,8 +3265,8 @@
+ 		    {
+ 		      continue;
+ 		    }
+-		  if ((mask[i].s_addr && addr[i].s_addr) ==
+-			(mask[i].s_addr && ri->addr.sin_addr.s_addr))
++		  if ((mask[i].s_addr & addr[i].s_addr) ==
++			(mask[i].s_addr & ri->addr.sin_addr.s_addr))
+ 		    {
+ 		      laddr = addr[i];
+ 		      memcpy(wbuf, &laddr, IASIZE);
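Review bot: the rejection path added before free(wi->buf) logs at LOG_ERR for every non-local GDO_SERVERS request ("Illegal attempt to list servers!", gdomap_log(LOG_ERR)), so any unauthenticated remote sender can now generate one error log line per packet; consider rate-limiting or logging at LOG_WARNING, and include ri->addr.sin_addr in the message so operators can see where the probes come from. The operator fix itself is correct: with "&&" both sides of the comparison collapse to 0 or 1 and are equal for any non-zero mask and addresses, which is why is_local_net() always returned 1, and "&" restores the intended masked subnet comparison; the same pattern is fixed in the second hunk, so it is worth checking that is_local_host(), which the new guard relies on, has no remaining instance. Minor: the DEP-3 continuation line " . " in the description has trailing whitespace.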
diff -Nru gnustep-base-1.24.9/debian/patches/series gnustep-base-1.24.9/debian/patches/series
--- gnustep-base-1.24.9/debian/patches/series	2016-08-09 18:49:12.000000000 +0300
+++ gnustep-base-1.24.9/debian/patches/series	2019-10-09 19:25:53.000000000 +0300
@@ -19,3 +19,4 @@
 fix-gdnc.patch
 fix-tests-timings.patch
 fix-test-icu2.patch
+gdomap-udp-amplification.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---
