--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
- From: Arnaud Rebillout <arnaud.rebillout@collabora.com>
- Date: Thu, 08 Aug 2019 14:47:55 +0700
- Message-id: <156525047577.16101.8153094058534261452.reportbug@xps>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
The debdiff attached brings in an upstream patch to fix
CVE-2019-1020014, hence closes #933801.
This is my first contribution to Debian Stable, please check for
beginners mistake ;)
Also, the devel-announce "Bits from the Stable Release Managers"
mentions:
* Fixes for security issues should be co-ordinated with the
Security Team, unless they have explicitly stated that they
will not issue an DSA for the bug (e.g. via a "no-dsa" marker
in the Security Tracker) [SECURITY-TRACKER]
So, is there anything else I should do here? Like, CC them or something?
Thanks!
Arnaud
-- Related links:
- <https://bugs.debian.org/933801>
- <https://security-tracker.debian.org/tracker/CVE-2019-1020014>
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog 2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog 2019-08-05 15:04:28.000000000 +0700
@@ -1,3 +1,11 @@
+golang-github-docker-docker-credential-helpers (0.6.1-2+deb10u1) buster; urgency=medium
+
+ * Add myself to uploaders.
+ * Adjust gbp.conf for buster.
+ * Add upstream patch to fix CVE-2019-1020014 (Closes: #933801).
+
+ -- Arnaud Rebillout <arnaud.rebillout@collabora.com> Mon, 05 Aug 2019 15:04:28 +0700
+
golang-github-docker-docker-credential-helpers (0.6.1-2) unstable; urgency=medium
* Team upload.
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/control golang-github-docker-docker-credential-helpers-0.6.1/debian/control
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/control 2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/control 2019-08-05 15:04:28.000000000 +0700
@@ -3,7 +3,8 @@
Priority: optional
Maintainer: Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>
Uploaders: Tim Potter <tpot@hpe.com>,
- Jordi Mallach <jordi@debian.org>
+ Jordi Mallach <jordi@debian.org>,
+ Arnaud Rebillout <arnaud.rebillout@collabora.com>,
Build-Depends: debhelper (>= 11~),
dh-golang,
golang-any,
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf 2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf 2019-08-05 15:04:28.000000000 +0700
@@ -1,2 +1,3 @@
[DEFAULT]
+debian-branch = debian/buster
pristine-tar = True
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch 2019-08-05 15:04:28.000000000 +0700
@@ -0,0 +1,85 @@
+From: Justin Cormack <justin.cormack@docker.com>
+Date: Mon, 1 Jul 2019 14:37:24 +0100
+Subject: [PATCH] Fix a double free in the List functions
+
+The code was set up so that it would free the individual items and the data
+in `freeListData`, but there was already a Go `defer` to free the data item,
+resulting in a double free.
+
+Remove the `free` in `freeListData` and leave the original one.
+
+In addition, move the `defer` for freeing the list data before the error
+check, so that the data is also free in the error case. This just removes
+a minor leak.
+
+This vulnerability was discovered by:
+Jasiel Spelman of Trend Micro Zero Day Initiative and Trend Micro Team Nebula
+
+Signed-off-by: Justin Cormack <justin.cormack@docker.com>
+Origin: upstream, https://github.com/docker/docker-credential-helpers/commit/87c80bf
+---
+ osxkeychain/osxkeychain_darwin.c | 1 -
+ osxkeychain/osxkeychain_darwin.go | 5 ++---
+ secretservice/secretservice_linux.c | 1 -
+ secretservice/secretservice_linux.go | 4 ++--
+ 4 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/osxkeychain/osxkeychain_darwin.c
++++ b/osxkeychain/osxkeychain_darwin.c
+@@ -223,6 +223,5 @@
+ void freeListData(char *** data, unsigned int length) {
+ for(int i=0; i<length; i++) {
+ free((*data)[i]);
+ }
+- free(*data);
+ }
+--- a/osxkeychain/osxkeychain_darwin.go
++++ b/osxkeychain/osxkeychain_darwin.go
+@@ -109,17 +109,16 @@
+ var acctsC **C.char
+ defer C.free(unsafe.Pointer(acctsC))
+ var listLenC C.uint
+ errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
++ defer C.freeListData(&pathsC, listLenC)
++ defer C.freeListData(&acctsC, listLenC)
+ if errMsg != nil {
+ defer C.free(unsafe.Pointer(errMsg))
+ goMsg := C.GoString(errMsg)
+ return nil, errors.New(goMsg)
+ }
+
+- defer C.freeListData(&pathsC, listLenC)
+- defer C.freeListData(&acctsC, listLenC)
+-
+ var listLen int
+ listLen = int(listLenC)
+ pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
+ acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
+--- a/secretservice/secretservice_linux.c
++++ b/secretservice/secretservice_linux.c
+@@ -157,6 +157,5 @@
+ int i;
+ for(i=0; i<length; i++) {
+ free((*data)[i]);
+ }
+- free(*data);
+ }
+--- a/secretservice/secretservice_linux.go
++++ b/secretservice/secretservice_linux.go
+@@ -91,14 +91,14 @@
+ var acctsC **C.char
+ defer C.free(unsafe.Pointer(acctsC))
+ var listLenC C.uint
+ err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC)
++ defer C.freeListData(&pathsC, listLenC)
++ defer C.freeListData(&acctsC, listLenC)
+ if err != nil {
+ defer C.g_error_free(err)
+ return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
+ }
+- defer C.freeListData(&pathsC, listLenC)
+- defer C.freeListData(&acctsC, listLenC)
+
+ resp := make(map[string]string)
+
+ listLen := int(listLenC)
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series 2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series 2019-08-05 15:04:28.000000000 +0700
@@ -1 +1,2 @@
fix-free-err.patch
+cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
--- End Message ---