
Bug#979724: marked as done (buster-pu: package libmaxminddb/1.3.2-1+deb10u1)



Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id <6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #979724,
regarding buster-pu: package libmaxminddb/1.3.2-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
979724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979724
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi there,

This is a buster proposed update to fix CVE-2020-28241:
| libmaxminddb before 1.4.3 has a heap-based buffer over-read in
| dump_entry_data_list in maxminddb.c.

The security team has marked the CVE as "<no-dsa> (Minor issue)", and
filed #973878 against the package.

The fix was part of the 1.4.3 upstream version; bullseye has 1.4.3-1,
sid has 1.5.0-1, so it's fixed in both.

You'll find the source debdiff below (and also in salsa).

Thanks!
Faidon


diff -Nru libmaxminddb-1.3.2/debian/changelog libmaxminddb-1.3.2/debian/changelog
--- libmaxminddb-1.3.2/debian/changelog	2018-05-26 19:37:59.000000000 +0300
+++ libmaxminddb-1.3.2/debian/changelog	2021-01-10 21:10:00.000000000 +0200
@@ -1,3 +1,10 @@
+libmaxminddb (1.3.2-1+deb10u1) buster; urgency=medium
+
+  * Backport upstream fix for CVE-2020-28241, heap-based buffer over-read in
+    dump_entry_data_list in maxminddb.c. (Closes: #973878)
+
+ -- Faidon Liambotis <paravoid@debian.org>  Sun, 10 Jan 2021 21:10:00 +0200
+
 libmaxminddb (1.3.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libmaxminddb-1.3.2/debian/gbp.conf libmaxminddb-1.3.2/debian/gbp.conf
--- libmaxminddb-1.3.2/debian/gbp.conf	2018-05-26 19:28:43.000000000 +0300
+++ libmaxminddb-1.3.2/debian/gbp.conf	2021-01-10 21:10:00.000000000 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-tree=tag
-debian-branch=debian
+debian-branch=debian/buster
 upstream-tag = %(version)s
 no-create-orig = False
 submodules = True
diff -Nru libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch
--- libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch	1970-01-01 02:00:00.000000000 +0200
+++ libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch	2021-01-10 21:10:00.000000000 +0200
@@ -0,0 +1,113 @@
+From: Gregory Oschwald <goschwald@maxmind.com>
+Date: Wed, 5 Aug 2020 14:16:17 -0700
+Subject: [PATCH] Replace most malloc uses with calloc
+
+Closes #236.
+---
+ bin/mmdblookup.c    |  2 +-
+ doc/libmaxminddb.md |  2 +-
+ src/maxminddb.c     | 16 ++++++++--------
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 030d88c..513ad2d 100644
+--- a/bin/mmdblookup.c
++++ b/bin/mmdblookup.c
+@@ -263,7 +263,7 @@ LOCAL const char **get_options(
+     }
+ 
+     const char **lookup_path =
+-        malloc(sizeof(const char *) * ((argc - optind) + 1));
++        calloc((argc - optind) + 1, sizeof(const char *));
+     int i;
+     for (i = 0; i < argc - optind; i++) {
+         lookup_path[i] = argv[i + optind];
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index e6de9d5..15433c3 100644
+--- a/doc/libmaxminddb.md
++++ b/doc/libmaxminddb.md
+@@ -307,7 +307,7 @@ libmaxminddb code.
+ 
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+ 
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 7580e1e..ec547d6 100644
+--- a/src/maxminddb.c
++++ b/src/maxminddb.c
+@@ -35,7 +35,7 @@
+     do {                                                        \
+         char *binary = byte_to_binary(byte);                    \
+         if (NULL == binary) {                                   \
+-            fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++            fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+             abort();                                            \
+         }                                                       \
+         fprintf(stderr, fmt "\n", binary);                      \
+@@ -54,7 +54,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+-    char *bits = malloc(sizeof(char) * 9);
++    char *bits = calloc(9, sizeof(char));
+     if (NULL == bits) {
+         return bits;
+     }
+@@ -687,7 +687,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+     mmdb->metadata.languages.count = 0;
+-    mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++    mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+     if (NULL == mmdb->metadata.languages.names) {
+         return MMDB_OUT_OF_MEMORY_ERROR;
+     }
+@@ -705,7 +705,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+         if (NULL == mmdb->metadata.languages.names[i]) {
+             return MMDB_OUT_OF_MEMORY_ERROR;
+         }
+-        // We assign this as we go so that if we fail a malloc and need to
++        // We assign this as we go so that if we fail a calloc and need to
+         // free it, the count is right.
+         mmdb->metadata.languages.count = i + 1;
+     }
+@@ -757,7 +757,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+     mmdb->metadata.description.descriptions =
+-        malloc(map_size * sizeof(MMDB_description_s *));
++        calloc(map_size, sizeof(MMDB_description_s *));
+     if (NULL == mmdb->metadata.description.descriptions) {
+         status = MMDB_OUT_OF_MEMORY_ERROR;
+         goto cleanup;
+@@ -765,7 +765,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db,
+ 
+     for (uint32_t i = 0; i < map_size; i++) {
+         mmdb->metadata.description.descriptions[i] =
+-            malloc(sizeof(MMDB_description_s));
++            calloc(1, sizeof(MMDB_description_s));
+         if (NULL == mmdb->metadata.description.descriptions[i]) {
+             status = MMDB_OUT_OF_MEMORY_ERROR;
+             goto cleanup;
+@@ -1172,7 +1172,7 @@ int MMDB_vget_value(MMDB_entry_s *const start,
+     MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1,
+                               MMDB_INVALID_METADATA_ERROR);
+ 
+-    const char **path = malloc((length + 1) * sizeof(const char *));
++    const char **path = calloc(length + 1, sizeof(const char *));
+     if (NULL == path) {
+         return MMDB_OUT_OF_MEMORY_ERROR;
+     }
+@@ -2130,7 +2130,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size)
+     char *hex_string;
+     MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL);
+ 
+-    hex_string = malloc((size * 2) + 1);
++    hex_string = calloc((size * 2) + 1, sizeof(char));
+     if (NULL == hex_string) {
+         return NULL;
+     }
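Review bot: In the bin/mmdblookup.c part of this backport, the pointer returned by `calloc((argc - optind) + 1, sizeof(const char *))` is written through by the `for` loop that follows with no NULL check in between, while every allocation touched in src/maxminddb.c is tested right after the call. A guard before the loop, for example `if (NULL == lookup_path) { fprintf(stderr, "calloc failed\n"); exit(1); }`, would make the tool fail cleanly under memory pressure; get_options begins and ends outside the hunk. The patch header also does not say which of these allocations the CVE-2020-28241 over-read depends on. It is presumably the `bytes_to_hex` buffer, which a zero-filling allocator keeps NUL-terminated when `size` is 0, but that loop is not visible here, so confirm against upstream issue #236 and record it in a comment such as `// calloc: buffer must stay NUL-terminated even when size == 0`.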
diff -Nru libmaxminddb-1.3.2/debian/patches/series libmaxminddb-1.3.2/debian/patches/series
--- libmaxminddb-1.3.2/debian/patches/series	2018-05-26 19:29:20.000000000 +0300
+++ libmaxminddb-1.3.2/debian/patches/series	2021-01-10 21:10:00.000000000 +0200
@@ -1 +1,2 @@
 0001-Remove-Pandoc-version-from-manpages.patch
+0002-CVE-2020-28241.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---
