
Bug#986112: buster-pu: package freediameter/1.2.1-7



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

The attached debdiff for freediameter fixes CVE-2020-6098 in Buster.

It is marked as no-dsa by the security team.

After uploading the patch in 1.2.1-8 to unstable, nobody has complained
about anything being broken yet.

  Thorsten
diff -Nru freediameter-1.2.1/debian/changelog freediameter-1.2.1/debian/changelog
--- freediameter-1.2.1/debian/changelog	2018-10-14 10:26:18.000000000 +0200
+++ freediameter-1.2.1/debian/changelog	2020-07-13 20:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+freediameter (1.2.1-7+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * CVE-2020-6098 (Closes: #985088)
+    Anybody can send a specially crafted Diameter request, which triggers
+    a memory corruption and thus results in a denial-of-service.
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Mon, 13 Jul 2020 19:03:02 +0100
+
 freediameter (1.2.1-7) unstable; urgency=medium
 
   * Build using "old" SCTP API since the new one fails to build in Debian
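Review bot: The trailer date of the new entry (Mon, 13 Jul 2020) predates the timestamps inside the patch it ships (2021-03-22 in the messages.c headers), so it looks carried over from an earlier draft; regenerate the trailer before upload. The entry also does not name the file it adds, so a line such as "Add debian/patches/CVE-2020-6098.patch" under the CVE bullet would make the change easier to trace.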
diff -Nru freediameter-1.2.1/debian/patches/CVE-2020-6098.patch freediameter-1.2.1/debian/patches/CVE-2020-6098.patch
--- freediameter-1.2.1/debian/patches/CVE-2020-6098.patch	1970-01-01 01:00:00.000000000 +0100
+++ freediameter-1.2.1/debian/patches/CVE-2020-6098.patch	2020-07-13 20:03:02.000000000 +0200
@@ -0,0 +1,32 @@
+Description: Anybody can send a specially cafted Diameter request, which triggers
+             a memory corruption and thus results in a denial-of-service.
+Index: freediameter-1.2.1/libfdproto/messages.c
+===================================================================
+--- freediameter-1.2.1.orig/libfdproto/messages.c	2021-03-22 16:47:24.581610685 +0100
++++ freediameter-1.2.1/libfdproto/messages.c	2021-03-22 16:47:24.573610508 +0100
+@@ -1945,6 +1945,14 @@
+ 			offset += 4;
+ 		}
+ 		
++		/* Check the length is valid */
++		if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) {
++			TRACE_DEBUG(INFO, "Invalid AVP size %d",
++					avp->avp_public.avp_len);
++			free(avp);
++			return EBADMSG;
++		}
++
+ 		/* Check there is enough remaining data in the buffer */
+ 		if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags))
+ 		&& (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags))) {
+@@ -1991,6 +1999,10 @@
+ 		TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen );
+ 		return EBADMSG; 
+ 	}
++	if ( msglen < GETMSGHDRSZ() ) {
++		TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen );
++		return EBADMSG;
++	}
+ 	
+ 	/* Create a new object */
+ 	CHECK_MALLOC( new = malloc (sizeof(struct msg)) );
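Review bot: The patch header carries only a Description field, with "crafted" misspelled as "cafted", and no Origin or Bug-Debian field, so nothing in the file records where the fix comes from; add those fields (the changelog already cites #985088). In the second messages.c hunk, the new "msglen < GETMSGHDRSZ()" test has no comment, unlike the "/* Check the length is valid */" line in the first hunk; a one-line comment saying that a declared length shorter than the message header is rejected would keep the two checks consistent.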
diff -Nru freediameter-1.2.1/debian/patches/series freediameter-1.2.1/debian/patches/series
--- freediameter-1.2.1/debian/patches/series	2018-10-14 10:26:18.000000000 +0200
+++ freediameter-1.2.1/debian/patches/series	2020-07-13 20:03:02.000000000 +0200
@@ -3,3 +3,5 @@
 0003-Set-default-debian-location-for-freeDiameter-configu.patch
 0004-Disable-running-tests-that-require-the-kernel-module.patch
 0005-Build-using-old-API-since-the-new-FTBFS-on-sid.patch
+
+CVE-2020-6098.patch
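Review bot: The added empty line before "CVE-2020-6098.patch" in debian/patches/series is unnecessary and breaks the pattern of the existing entries, which are listed back to back; drop the blank "+" line so the hunk adds only the patch name.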
