Your message dated Wed, 21 Jul 2021 10:03:46 +0000
with message-id <E1m694s-0007k3-J4@respighi.debian.org>
and subject line unblock aspell
has caused the Debian Bug report #991345,
regarding unblock: aspell/0.60.8-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
991345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991345
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: aspell/0.60.8-3
- From: Agustin Martin <agmartin@debian.org>
- Date: Wed, 21 Jul 2021 11:11:01 +0200
- Message-id: <[🔎] YPfkpblUbW+0f9QX@localhost>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package aspell

This upload deals with CVE-2019-25051, fixing a buffer overflow. This has
been reported in Debian BTS as severity grave #991307, closed by this
upload. Package is already built for all arches.

000-objstack-assert-that-the-alloc-size-will-fit-within-.patch is borrowed
from upstream (attached along with the debdiff for easier inspection).

Pasting from #991307 for further info:

--- 8< ------------------------------------------------------------------
The following vulnerability was published for aspell.

CVE-2019-25051[0]:
| objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in
| acommon::ObjStack::dup_top (called from acommon::StringMap::add and
| acommon::Config::lookup_list).

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/aspell/OSV-2020-521.yaml
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18462
Patch: https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-25051
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25051

Please adjust the affected versions in the BTS as needed.
--- 8< ------------------------------------------------------------------

Regards,

unblock aspell/0.60.8-3
diff -Nru aspell-0.60.8/debian/changelog aspell-0.60.8/debian/changelog --- aspell-0.60.8/debian/changelog 2020-12-28 15:24:45.000000000 +0100 +++ aspell-0.60.8/debian/changelog 2021-07-20 23:42:34.000000000 +0200
@@ -1,3 +1,11 @@ +aspell (0.60.8-3) unstable; urgency=medium + + * 000-objstack-assert-that-the-alloc-size-will-fit-within-.patch: + Fix CVE-2019-25051: objstack in GNU Aspell 0.60.8 has a heap-based + buffer overflow (Closes: #991307). + + -- Agustin Martin Domingo <agmartin@debian.org> Tue, 20 Jul 2021 23:42:34 +0200 + aspell (0.60.8-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch --- aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch 1970-01-01 01:00:00.000000000 +0100 +++ aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch 2021-07-20 23:37:07.000000000 +0200 
@@ -0,0 +1,102 @@ +From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 +From: Kevin Atkinson <kevina@gnu.org> +Date: Sat, 21 Dec 2019 20:32:47 +0000 +Bug-Debian: https://bugs.debian.org/991307 +Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk + to prevent a buffer overflow + +Bug found using OSS-Fuze. +- +https://security-tracker.debian.org/tracker/CVE-2019-25051 +--- + common/objstack.hpp | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/common/objstack.hpp b/common/objstack.hpp +index 3997bf7..bd97ccd 100644 +--- a/common/objstack.hpp ++++ b/common/objstack.hpp +@@ -5,6 +5,7 @@ + #include "parm_string.hpp" + #include <stdlib.h> + #include <assert.h> ++#include <stddef.h> + + namespace acommon { + +@@ -26,6 +27,12 @@ class ObjStack + byte * temp_end; + void setup_chunk(); + void new_chunk(); ++ bool will_overflow(size_t sz) const { ++ return offsetof(Node,data) + sz > chunk_size; ++ } ++ void check_size(size_t sz) { ++ assert(!will_overflow(sz)); ++ } + + ObjStack(const ObjStack &); + void operator=(const ObjStack &); +@@ -56,7 +63,7 @@ public: + void * alloc_bottom(size_t size) { + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} ++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} + return tmp; + } + // This alloc_bottom will insure that the object is aligned based on the +@@ -66,7 +73,7 @@ public: + align_bottom(align); + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); goto loop;} ++ if (bottom > top) {check_size(size); new_chunk(); goto loop;} + return tmp; + } + char * dup_bottom(ParmString str) { +@@ -79,7 +86,7 @@ public: + // always be aligned as such. 
+ void * alloc_top(size_t size) { + top -= size; +- if (top < bottom) {new_chunk(); top -= size;} ++ if (top < bottom) {check_size(size); new_chunk(); top -= size;} + return top; + } + // This alloc_top will insure that the object is aligned based on +@@ -88,7 +95,7 @@ public: + {loop: + top -= size; + align_top(align); +- if (top < bottom) {new_chunk(); goto loop;} ++ if (top < bottom) {check_size(size); new_chunk(); goto loop;} + return top; + } + char * dup_top(ParmString str) { +@@ -117,6 +124,7 @@ public: + void * alloc_temp(size_t size) { + temp_end = bottom + size; + if (temp_end > top) { ++ check_size(size); + new_chunk(); + temp_end = bottom + size; + } +@@ -131,6 +139,7 @@ public: + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +@@ -150,6 +159,7 @@ public: + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +-- +2.32.0 + diff -Nru aspell-0.60.8/debian/patches/series aspell-0.60.8/debian/patches/series --- aspell-0.60.8/debian/patches/series 2020-04-29 11:24:37.000000000 +0200 +++ aspell-0.60.8/debian/patches/series 2021-07-20 23:32:13.000000000 +0200 @@ -5,3 +5,4 @@ 07_filter.diff 08_filters-info-installdir.diff 09_debian-dictdir.diff +1000-objstack-assert-that-the-alloc-size-will-fit-within-.patchFrom 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 From: Kevin Atkinson <kevina@gnu.org> Date: Sat, 21 Dec 2019 20:32:47 +0000 Bug-Debian: https://bugs.debian.org/991307 Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk to prevent a buffer overflow Bug found using OSS-Fuze. - https://security-tracker.debian.org/tracker/CVE-2019-25051 --- common/objstack.hpp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/common/objstack.hpp b/common/objstack.hpp index 3997bf7..bd97ccd 100644 
--- a/common/objstack.hpp +++ b/common/objstack.hpp @@ -5,6 +5,7 @@ #include "parm_string.hpp" #include <stdlib.h> #include <assert.h> +#include <stddef.h> namespace acommon { @@ -26,6 +27,12 @@ class ObjStack byte * temp_end; void setup_chunk(); void new_chunk(); + bool will_overflow(size_t sz) const { + return offsetof(Node,data) + sz > chunk_size; + } + void check_size(size_t sz) { + assert(!will_overflow(sz)); + } ObjStack(const ObjStack &); void operator=(const ObjStack &); @@ -56,7 +63,7 @@ public: void * alloc_bottom(size_t size) { byte * tmp = bottom; bottom += size; - if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} + if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} return tmp; } // This alloc_bottom will insure that the object is aligned based on the @@ -66,7 +73,7 @@ public: align_bottom(align); byte * tmp = bottom; bottom += size; - if (bottom > top) {new_chunk(); goto loop;} + if (bottom > top) {check_size(size); new_chunk(); goto loop;} return tmp; } char * dup_bottom(ParmString str) { @@ -79,7 +86,7 @@ public: // always be aligned as such. void * alloc_top(size_t size) { top -= size; - if (top < bottom) {new_chunk(); top -= size;} + if (top < bottom) {check_size(size); new_chunk(); top -= size;} return top; } // This alloc_top will insure that the object is aligned based on @@ -88,7 +95,7 @@ public: {loop: top -= size; align_top(align); - if (top < bottom) {new_chunk(); goto loop;} + if (top < bottom) {check_size(size); new_chunk(); goto loop;} return top; } char * dup_top(ParmString str) { @@ -117,6 +124,7 @@ public: void * alloc_temp(size_t size) { temp_end = bottom + size; if (temp_end > top) { + check_size(size); new_chunk(); temp_end = bottom + size; } @@ -131,6 +139,7 @@ public: } else { size_t s = temp_end - bottom; byte * p = bottom; + check_size(size); new_chunk(); memcpy(bottom, p, s); temp_end = bottom + size; 
@@ -150,6 +159,7 @@ public: } else { size_t s = temp_end - bottom; byte * p = bottom; + check_size(size); new_chunk(); memcpy(bottom, p, s); temp_end = bottom + size; -- 2.32.0Attachment: signature.asc
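Review bot: In the debian/changelog hunk the patch is named "000-objstack-assert-that-the-alloc-size-will-fit-within-.patch", but the file actually added under debian/patches and listed in the series hunk is "1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch". The changelog entry (and the unblock request text above it) should use the real file name so the CVE fix can be traced to the patch that ships.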
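Review bot: In the common/objstack.hpp hunk at "@@ -26,6 +27,12 @@", check_size() enforces the new bound only through "assert(!will_overflow(sz));", and assert() compiles to nothing when NDEBUG is defined, so a build made with -DNDEBUG would keep the original heap overflow behaviour in every alloc_* path this patch touches. Replace the assert with an unconditional check that aborts, throws, or makes the caller fail (for example return NULL from the allocator) so the bound holds in release builds as well. Separately, "offsetof(Node,data) + sz > chunk_size" can wrap for a very large sz; writing it as "sz > chunk_size - offsetof(Node,data)" avoids the overflow in the check itself.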
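Review bot: In the aligned variants at "@@ -66,7 +73,7 @@" (alloc_bottom with align) and "@@ -88,7 +95,7 @@" (alloc_top with align), "check_size(size)" does not account for the padding that align_bottom(align) / align_top(align) may insert before the object. A request where size alone fits a chunk but size plus alignment padding does not will pass check_size, fail the "bottom > top" / "top < bottom" test again after new_chunk(), and "goto loop" will allocate chunks forever. Checking size + align - 1 in those two call sites (or passing the aligned size to check_size) closes that gap; the unaligned paths at "@@ -56,7 +63,7 @@" and "@@ -79,7 +86,7 @@" are fine as written.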
Description: PGP signature
--- End Message ---
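Added here as an illustration, not aspell's code and not part of either message above: a minimal chunked bump allocator in the style of the ObjStack that the upstream patch hardens. The names MiniStack, Node, demo_oversized_is_rejected and demo_chunks_roll_over, and the 64-byte chunk size, are assumptions made for the example. It shows the bound the patch adds (a request must fit in a fresh chunk before new_chunk() is called), written as a subtraction so the check cannot wrap, and enforced without assert() so it survives a -DNDEBUG build; an oversized request is refused instead of being copied past the end of the chunk.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

typedef unsigned char byte;

// Chunk layout in the style of aspell's Node: a link followed by the data area.
struct Node {
  Node *next;
  byte data[1];
};

// Hypothetical allocator for this example (not aspell's ObjStack).
class MiniStack {
  size_t chunk_size;                              // bytes per chunk, header included
  std::vector<std::unique_ptr<byte[]> > chunks;   // owns every chunk ever created
  byte *bottom;                                   // next free byte in the current chunk
  byte *top;                                      // one past the end of the current chunk
  size_t failed_requests;                         // requests refused by the size check

  // The bound the upstream patch introduces: can sz bytes fit in a fresh chunk?
  // Written as a subtraction so a huge sz cannot wrap the addition.
  bool will_overflow(size_t sz) const {
    return sz > chunk_size - offsetof(Node, data);
  }

  void new_chunk() {
    std::unique_ptr<byte[]> mem(new byte[chunk_size]);
    Node *n = reinterpret_cast<Node *>(mem.get());
    n->next = 0;
    bottom = n->data;
    top = mem.get() + chunk_size;
    chunks.push_back(std::move(mem));
  }

public:
  // Assumes cs is at least sizeof(Node); 64 is the constructed default for the demo.
  explicit MiniStack(size_t cs = 64)
      : chunk_size(cs), bottom(0), top(0), failed_requests(0) {
    new_chunk();
  }

  // The check runs before any pointer is moved and does not depend on assert(),
  // so it stays active when compiled with -DNDEBUG. An oversized request is
  // refused with NULL instead of writing past the end of the chunk.
  void *alloc_bottom(size_t size) {
    if (will_overflow(size)) {
      ++failed_requests;
      return 0;
    }
    if (static_cast<size_t>(top - bottom) < size) new_chunk();  // a fresh chunk fits it
    byte *tmp = bottom;
    bottom += size;
    return tmp;
  }

  // Copies a NUL-terminated string into the stack: the dup_top/dup_bottom pattern.
  char *dup_bottom(const char *str) {
    size_t len = std::strlen(str) + 1;
    char *p = static_cast<char *>(alloc_bottom(len));
    if (p) std::memcpy(p, str, len);
    return p;
  }

  size_t chunk_count() const { return chunks.size(); }
  size_t rejected() const { return failed_requests; }
};

// A short string is stored; a 1000-byte string (constructed input) can never
// fit in a 64-byte chunk and must be refused rather than overflow.
bool demo_oversized_is_rejected() {
  MiniStack s(64);
  const char *ok = "hello";
  char *a = s.dup_bottom(ok);
  std::string big(1000, 'A');
  char *b = s.dup_bottom(big.c_str());
  return a != 0 && std::strcmp(a, ok) == 0 && b == 0 && s.rejected() == 1;
}

// Twenty 16-byte requests against 64-byte chunks: the data area holds three
// per chunk (with a 4- or 8-byte header alike), so the stack grows to seven chunks.
size_t demo_chunks_roll_over() {
  MiniStack s(64);
  for (int i = 0; i < 20; ++i) s.alloc_bottom(16);
  return s.chunk_count();
}

int main() {
  std::printf("oversized rejected: %s\n", demo_oversized_is_rejected() ? "yes" : "no");
  std::printf("chunks used: %zu\n", demo_chunks_roll_over());
  return 0;
}
```

The remaining-space test uses top - bottom rather than aspell's bottom += size followed by bottom > top, so no pointer is ever advanced past the chunk even transiently; the refusal path returns NULL so a caller such as a string-map insert can report the failure instead of trusting a check that may have been compiled out.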
--- Begin Message ---
- To: 991345-done@bugs.debian.org
- Subject: unblock aspell
- From: Sebastian Ramacher <sramacher@respighi.debian.org>
- Date: Wed, 21 Jul 2021 10:03:46 +0000
- Message-id: <E1m694s-0007k3-J4@respighi.debian.org>
Unblocked.
--- End Message ---