--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package libsolv/0.6.24-1+deb9u2
- From: Mike Gabriel <sunweaver@debian.org>
- Date: Fri, 31 Jan 2020 00:32:33 +0100
- Message-id: <158042715303.24807.13116741590529366616.reportbug@minobo.das-netzwerkteam.de>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
I have just uploaded libsolv/0.6.24-1+deb9u2 to stretch...
+ * debian/patches:
+ + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based
+ buffer over-read in repodata.c (Closes: #949611).
-> ... fixing CVE-2019-20387.
+ + Trivial rebase of patches 1004, 1006 and 2001.
-> ... and fixing line numbers in patchs 1004, 1006, and 2001.
Greets,
Mike
-- System Information:
Debian Release: 10.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libsolv-0.6.24/debian/changelog libsolv-0.6.24/debian/changelog
--- libsolv-0.6.24/debian/changelog 2017-09-18 17:33:32.000000000 +0200
+++ libsolv-0.6.24/debian/changelog 2020-01-30 18:49:35.000000000 +0100
@@ -1,3 +1,12 @@
+libsolv (0.6.24-1+deb9u2) stretch; urgency=medium
+
+ * debian/patches:
+ + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based
+ buffer over-read in repodata.c (Closes: #949611).
+ + Trivial rebase of patches 1004, 1006 and 2001.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Jan 2020 18:49:35 +0100
+
libsolv (0.6.24-1+deb9u1) stretch; urgency=medium
* debian/control:
diff -Nru libsolv-0.6.24/debian/patches/0001_CVE-2019-20387.patch libsolv-0.6.24/debian/patches/0001_CVE-2019-20387.patch
--- libsolv-0.6.24/debian/patches/0001_CVE-2019-20387.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsolv-0.6.24/debian/patches/0001_CVE-2019-20387.patch 2020-01-30 18:49:35.000000000 +0100
@@ -0,0 +1,32 @@
+From fdb9c9c03508990e4583046b590c30d958f272da Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 6 Aug 2019 09:50:57 +0800
+Subject: [PATCH] repodata_schema2id: fix heap-buffer-overflow in memcmp
+
+When the length of last schema in data->schemadata is
+less than length of input schema, we got a read overflow
+in asan test.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ src/repodata.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/repodata.c
++++ b/src/repodata.c
+@@ -205,11 +205,13 @@
+ cid = schematahash[h];
+ if (cid)
+ {
+- if (!memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
++ if ((data->schemata[cid] + len <= data->schemadatalen) &&
++ !memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
+ return cid;
+ /* cache conflict, do a slow search */
+ for (cid = 1; cid < data->nschemata; cid++)
+- if (!memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
++ if ((data->schemata[cid] + len <= data->schemadatalen) &&
++ !memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
+ return cid;
+ }
+ /* a new one */
diff -Nru libsolv-0.6.24/debian/patches/1004_cmake-module-path-fix.patch libsolv-0.6.24/debian/patches/1004_cmake-module-path-fix.patch
--- libsolv-0.6.24/debian/patches/1004_cmake-module-path-fix.patch 2017-09-18 17:31:26.000000000 +0200
+++ libsolv-0.6.24/debian/patches/1004_cmake-module-path-fix.patch 2020-01-30 18:49:35.000000000 +0100
@@ -11,7 +11,7 @@
OPTION (ENABLE_STATIC "Build a static version of the libraries?" OFF)
OPTION (DISABLE_SHARED "Do not build a shared version of the libraries?" OFF)
-@@ -71,7 +71,7 @@
+@@ -70,7 +70,7 @@
# where to look first for cmake modules, before ${CMAKE_ROOT}/Modules/ is checked
SET (CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/cmake/modules)
diff -Nru libsolv-0.6.24/debian/patches/1006_various-types.patch libsolv-0.6.24/debian/patches/1006_various-types.patch
--- libsolv-0.6.24/debian/patches/1006_various-types.patch 2017-09-18 17:31:26.000000000 +0200
+++ libsolv-0.6.24/debian/patches/1006_various-types.patch 2020-01-30 18:49:35.000000000 +0100
@@ -120,7 +120,7 @@
FOR_PROVIDES(p, pp, s->name)
--- a/src/solver.h
+++ b/src/solver.h
-@@ -149,10 +149,10 @@
+@@ -143,10 +143,10 @@
* Solver configuration
*-------------------------------------------------------------------------------------------------------------*/
@@ -135,7 +135,7 @@
int allowuninstall; /* allow removal of installed solvables */
int noupdateprovide; /* true: update packages needs not to provide old package */
int needupdateprovide; /* true: update packages must provide old package */
-@@ -172,10 +172,10 @@
+@@ -167,10 +167,10 @@
Map dupmap; /* dup these packages*/
int dupmap_all; /* dup all packages */
Map dupinvolvedmap; /* packages involved in dup process */
diff -Nru libsolv-0.6.24/debian/patches/2001_build-for-SUSE-and-find-rpmdb.patch libsolv-0.6.24/debian/patches/2001_build-for-SUSE-and-find-rpmdb.patch
--- libsolv-0.6.24/debian/patches/2001_build-for-SUSE-and-find-rpmdb.patch 2017-09-18 17:31:26.000000000 +0200
+++ libsolv-0.6.24/debian/patches/2001_build-for-SUSE-and-find-rpmdb.patch 2020-01-30 18:49:35.000000000 +0100
@@ -14,7 +14,7 @@
--- a/ext/repo_rpmdb.c
+++ b/ext/repo_rpmdb.c
-@@ -32,7 +32,7 @@
+@@ -34,7 +34,7 @@
#include <rpm/rpmdb.h>
#ifndef DB_CREATE
diff -Nru libsolv-0.6.24/debian/patches/series libsolv-0.6.24/debian/patches/series
--- libsolv-0.6.24/debian/patches/series 2017-09-18 17:31:26.000000000 +0200
+++ libsolv-0.6.24/debian/patches/series 2020-01-30 18:49:35.000000000 +0100
@@ -1,3 +1,4 @@
1004_cmake-module-path-fix.patch
1006_various-types.patch
2001_build-for-SUSE-and-find-rpmdb.patch
+0001_CVE-2019-20387.patch
--- End Message ---