
Bug#970655: marked as done (buster-pu: package sleuthkit/4.6.5-1+deb10u1)



Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #970655,
regarding buster-pu: package sleuthkit/4.6.5-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970655
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

I would like to update sleuthkit in buster to prevent a stack buffer
overflow in yaffsfs_istat, because during a review of the Debian Security
Tracker, I found CVE-2020-10232.

There is no DSA assigned to the bug and it was marked "no-dsa" and so I'm doing
a normal upload.


"This is potentially exploitable by an attacker creating a file in a yaffs
image with abnormally large time values", as reported in:
https://github.com/sleuthkit/sleuthkit/pull/1836

Vulnerable code follows:

tsk/fs/yaffs.cpp line 2442:
    char timeBuf[32];

This vulnerability has been assigned the CVE id CVE-2020-10232.

Upstream fixed the bug at:
https://github.com/sleuthkit/sleuthkit/pull/1836/commits/459ae818fc8dae717549810150de4d191ce158f1

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10232
[1] https://security-tracker.debian.org/tracker/CVE-2020-10232
[2] https://bugs.debian.org/953976

Sincerely,
Francisco


diff -Nru sleuthkit-4.6.5/debian/changelog sleuthkit-4.6.5/debian/changelog
--- sleuthkit-4.6.5/debian/changelog	2019-01-22 11:53:42.000000000 +0000
+++ sleuthkit-4.6.5/debian/changelog	2020-09-16 23:47:07.000000000 +0000
@@ -1,3 +1,11 @@
+sleuthkit (4.6.5-1+deb10u1) buster; urgency=high
+
+  * Team upload.
+  * Add patch to fix stack buffer overflow in yaffsfs_istat.
+    (Closes: #953976, CVE-2020-10232)
+
+ -- Francisco Vilmar Cardoso Ruviaro <francisco.ruviaro@riseup.net>  Wed, 16
Sep 2020 23:47:07 +0000
+
 sleuthkit (4.6.5-1) unstable; urgency=medium

   * Team upload
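
Review bot: in the new changelog entry, "(Closes: #953976, CVE-2020-10232)" places the CVE id inside the Closes list, which is meant for bug numbers, and the entry never names the patch file being added. Something like "Add CVE-2020-10232.patch to fix stack buffer overflow in yaffsfs_istat (CVE-2020-10232). (Closes: #953976)" keeps the bug closure and the CVE reference separate and makes the entry searchable by patch name.
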
diff -Nru sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch
sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch
--- sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch	1970-01-01
00:00:00.000000000 +0000
+++ sleuthkit-4.6.5/debian/patches/CVE-2020-10232.patch	2020-09-16
23:47:07.000000000 +0000
@@ -0,0 +1,21 @@
+Description: Fix stack buffer overflow in yaffsfs_istat.
+ Prevent a stack buffer overflow in yaffsfs_istat by increasing
+ the buffer size to the size required by tsk_fs_time_to_str.
+Author: micrictor <mic.ric.tor@gmail.com>
+Origin:
https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1
+Bug: https://github.com/sleuthkit/sleuthkit/pull/1836
+Forwarded: not-needed
+Reviewed-By: Francisco Vilmar Cardoso Ruviaro <francisco.ruviaro@riseup.net>
+Last-Update: 2020-08-28
+
+--- sleuthkit-4.6.5.orig/tsk/fs/yaffs.cpp
++++ sleuthkit-4.6.5/tsk/fs/yaffs.cpp
+@@ -2439,7 +2439,7 @@ static uint8_t
+     YAFFSFS_INFO *yfs = (YAFFSFS_INFO *)fs;
+     char ls[12];
+     YAFFSFS_PRINT_ADDR print;
+-    char timeBuf[32];
++    char timeBuf[128];
+     YaffsCacheObject * obj = NULL;
+     YaffsCacheVersion * version = NULL;
+     YaffsHeader * header = NULL;
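
Review bot: the replacement line "char timeBuf[128];" hard-codes a size that, per the patch description, is dictated by tsk_fs_time_to_str, yet nothing at the declaration records that coupling. A one-line comment on the declaration naming tsk_fs_time_to_str as the reason for 128 (or a shared named constant, if upstream provides one) would stop a later cleanup from shrinking the buffer again. The hunk also fixes only this one declaration in yaffsfs_istat, so it is worth confirming that no other caller passes a smaller buffer to the same function.
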
diff -Nru sleuthkit-4.6.5/debian/patches/series
sleuthkit-4.6.5/debian/patches/series
--- sleuthkit-4.6.5/debian/patches/series	2019-01-22 11:52:14.000000000 +0000
+++ sleuthkit-4.6.5/debian/patches/series	2020-09-16 23:47:07.000000000 +0000
@@ -3,4 +3,4 @@
 50_disable-ant-clean.patch
 60_fix-FTBFS-HURD.patch
 0005-Disable-test_libraries.sh.patch
-
+CVE-2020-10232.patch


-- 
Francisco Vilmar Cardoso Ruviaro <francisco.ruviaro@riseup.net>
4096R: 1B8C F656 EF3B 8447 2F48 F0E7 82FB F706 0B2F 7D00

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---
