Bug#994880: bullseye-pu: package ulfius/2.7.1-1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
Fix CVE-2021-40540 in Bullseye
[ Reason ]
Ulfius package contains the bug that is referred to by CVE-2021-40540
[ Impact ]
Application segfault when a malformed http request is received
[ Tests ]
none
[ Risks ]
the patch is trivial, the risk is low
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
add 'memset(con_info, 0, sizeof(struct connection_info_struct));' after
con_info is malloced to initialize the structure and avoid testing an undefined
value.
[ Other info ]
(Anything else the release team should know.)
diff -Nru ulfius-2.7.1/debian/changelog ulfius-2.7.1/debian/changelog
--- ulfius-2.7.1/debian/changelog 2021-01-03 09:03:05.000000000 -0500
+++ ulfius-2.7.1/debian/changelog 2021-09-19 15:39:39.000000000 -0400
@@ -1,3 +1,9 @@
+ulfius (2.7.1-1+deb11u1) bullseye; urgency=medium
+
+ * d/patches: Fix CVE-2021-40540 (Closes: #994763)
+
+ -- Nicolas Mora <babelouest@debian.org> Sun, 19 Sep 2021 15:39:39 -0400
+
ulfius (2.7.1-1) unstable; urgency=medium
* New upstream release
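Review bot: the only bullet in the new changelog entry, `* d/patches: Fix CVE-2021-40540 (Closes: #994763)`, names the CVE but not what was changed. For a stable update, name the patch file (CVE-2021-40540.patch) and state the change itself, namely that con_info is zeroed with memset after allocation in src/ulfius.c, so the entry can be understood without opening the debdiff.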
diff -Nru ulfius-2.7.1/debian/patches/CVE-2021-40540.patch ulfius-2.7.1/debian/patches/CVE-2021-40540.patch
--- ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 1969-12-31 19:00:00.000000000 -0500
+++ ulfius-2.7.1/debian/patches/CVE-2021-40540.patch 2021-09-19 15:39:20.000000000 -0400
@@ -0,0 +1,13 @@
+Description: Fix CVE-2021-40540
+Author: Nicolas Mora <babelouest@debian.org>
+Forwarded: not-needed
+--- a/src/ulfius.c
++++ b/src/ulfius.c
+@@ -207,6 +207,7 @@
+ UNUSED(cls);
+
+ if (con_info != NULL) {
++ memset(con_info, 0, sizeof(struct connection_info_struct));
+ con_info->callback_first_iteration = 1;
+ con_info->u_instance = NULL;
+ u_map_init(&con_info->map_url_initial);
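Review bot: the patch header has `Forwarded: not-needed` but no `Origin:` or `Bug-Debian:` field, and its `Description:` only repeats the CVE number. If this is a backport of the fix already in unstable, record that in `Origin:`, reference #994763, and add a sentence to the description saying that the freshly allocated connection_info_struct is zeroed so that no member is tested while still undefined. On the code line itself, the memset sits inside the existing `if (con_info != NULL)` guard and before the field assignments, which is the correct order; `con_info->u_instance = NULL;` just below becomes redundant, but keeping it is fine for a minimal stable patch.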
diff -Nru ulfius-2.7.1/debian/patches/series ulfius-2.7.1/debian/patches/series
--- ulfius-2.7.1/debian/patches/series 2021-01-03 09:03:05.000000000 -0500
+++ ulfius-2.7.1/debian/patches/series 2021-09-19 15:39:39.000000000 -0400
@@ -1,2 +1,3 @@
examples.patch
doc.patch
+CVE-2021-40540.patch