Bug#983918: buster-pu: package libbsd/0.9.1-2
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1 and
for bullseye, sid with version 0.10.0-1.
Buster has been left out from the patches, and since the patch is
trivial, I propose to apply it for buster too.
diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
--- libbsd-0.9.1/debian/changelog 2019-02-25 01:33:03.000000000 +0100
+++ libbsd-0.9.1/debian/changelog 2021-03-03 12:03:12.000000000 +0100
@@ -1,3 +1,12 @@
+libbsd (0.9.1-2+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-20367
+ A non-NUL terminated symbol name in the string table might
+ result in a out-of-bounds read.
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org> Wed, 03 Mar 2021 12:03:12 +0100
+
libbsd (0.9.1-2) unstable; urgency=medium
* Perform a proper and correct /usr-merge transition by moving the package
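Review bot: The new changelog entry reads "result in a out-of-bounds read", which should be "an out-of-bounds read", and it does not say how the fix is delivered. Naming the added file debian/patches/CVE-2019-20367.patch and the affected code (nlist, per the patch subject) in the entry would let a reader match the entry to the change without opening the patch.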
diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch libbsd-0.9.1/debian/patches/CVE-2019-20367.patch
--- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 1970-01-01 01:00:00.000000000 +0100
+++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 2021-03-03 12:00:40.000000000 +0100
@@ -0,0 +1,42 @@
+From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Wed, 7 Aug 2019 22:58:30 +0200
+Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
+
+When doing a string comparison for a symbol name from the string table,
+we should make sure we do a bounded comparison, otherwise a non-NUL
+terminated string might make the code read out-of-bounds.
+
+Warned-by: coverity
+---
+ src/nlist.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nlist.c b/src/nlist.c
+index 8aa46a2..228c220 100644
+--- a/src/nlist.c
++++ b/src/nlist.c
+@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
+ symsize -= cc;
+ for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
+ char *name;
++ Elf_Word size;
+ struct nlist *p;
+
+ name = strtab + s->st_name;
+ if (name[0] == '\0')
+ continue;
++ size = symstrsize - s->st_name;
+
+ for (p = list; !ISLAST(p); p++) {
+ if ((p->n_un.n_name[0] == '_' &&
+- strcmp(name, p->n_un.n_name+1) == 0)
+- || strcmp(name, p->n_un.n_name) == 0) {
++ strncmp(name, p->n_un.n_name+1, size) == 0) ||
++ strncmp(name, p->n_un.n_name, size) == 0) {
+ elf_sym_to_nlist(p, s, shdr,
+ ehdr.e_shnum);
+ if (--nent <= 0)
+--
+GitLab
+
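Review bot: In the __fdnlist loop, "size = symstrsize - s->st_name" is computed with no visible check that s->st_name is smaller than symstrsize, and name[0] is already read from strtab + s->st_name two lines earlier. Elf_Word is unsigned, so an st_name equal to symstrsize gives size 0 (strncmp then reports a match for every list entry) and a larger one wraps to a huge bound that no longer limits the comparison. A guard such as "if (s->st_name >= symstrsize) continue;" placed before the name[0] test would cover both cases, unless that range is validated outside this hunk. Separately, bounding by size means an unterminated last name that is a prefix of p->n_un.n_name compares equal, so a length check on the list name may be wanted as well.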
diff -Nru libbsd-0.9.1/debian/patches/series libbsd-0.9.1/debian/patches/series
--- libbsd-0.9.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libbsd-0.9.1/debian/patches/series 2021-03-03 12:01:48.000000000 +0100
@@ -0,0 +1 @@
+CVE-2019-20367.patch
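Review bot: debian/patches/series is created from nothing here ("@@ -0,0 +1 @@"), so CVE-2019-20367.patch is the first quilt patch this package carries in buster. The debdiff does not show how patches get applied, so it is worth confirming with a build log or an unpacked source tree that the series is actually used and src/nlist.c ends up with the strncmp calls.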