
Bug#1001149: buster-pu: package gerbv/2.7.0-1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

gerbv is a utility for viewing Gerber RS-274X files, Excellon drill files,
and CSV files for pick-and-place files. Gerber files are used for
communicating printed circuit board (PCB) designs to PCB manufacturers.

[ Reason ]
The gerbv upstream project got in contact via the pkg-electronics-devel
mailing list to inform us about a security issue in gerbv that was found
by the Cisco Talos team. That issue got the CVE number CVE-2021-40391.

https://alioth-lists.debian.net/pipermail/pkg-electronics-devel/2021-November/008221.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40391

This issue was fixed with the release of version 2.7.1; buster was
released with version 2.7.0, so this version is affected by the CVE.
Debian testing and unstable are on version 2.8.1 for gerbv at the time
of writing.

[ Impact ]
Users of the unpatched gerbv version from the buster release might be
exposed to unwanted code execution and loss of data.

[ Tests ]
Currently there are no automated or manual tests available to check the
fix for this issue.

[ Risks ]
Close to zero; the fix for this is quite non-intrusive and really small
(basically it's just one line of code).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The whole change to get the CVE fixed is adding one line of code in the
C file drill.c: within the function drill_parse_T_code() a 'return -1'
is needed to solve the issue.

[ Other info ]
Anton Gladky within the LTS team did an upload of version 2.6.1-2+deb9u1
to fix this issue for Debian 9.

https://tracker.debian.org/news/1283553/accepted-gerbv-261-2deb9u1-source-into-oldoldstable/

The debdiff between the old version 2.7.0-1 in buster and prepared
version gerbv_2.7.0-1+deb10u1 is added here as it's not that big.

diff -Nru gerbv-2.7.0/debian/changelog gerbv-2.7.0/debian/changelog
--- gerbv-2.7.0/debian/changelog	2019-02-18 17:57:45.000000000 +0100
+++ gerbv-2.7.0/debian/changelog	2021-12-05 09:29:11.000000000 +0100
@@ -1,3 +1,14 @@
+gerbv (2.7.0-1+deb10u1) buster; urgency=medium
+
+  * Build for buster
+  * [c33610a] Rebuild patch queue from patch-queue branch
+    Added patch:
+    security/Fix-TALOS-2021-1402.patch
+    Fixing CVE-2021-40391
+  * [09244b9] d/gbp.conf: Adjust to branch debian/buster
+
+ -- Carsten Schoenert <c.schoenert@t-online.de>  Sun, 05 Dec 2021 09:29:11 +0100
+
 gerbv (2.7.0-1) unstable; urgency=medium
 
   * [ac52385] d/gbp.conf: adding helper for git-buildpackage
diff -Nru gerbv-2.7.0/debian/gbp.conf gerbv-2.7.0/debian/gbp.conf
--- gerbv-2.7.0/debian/gbp.conf	2019-02-18 17:55:34.000000000 +0100
+++ gerbv-2.7.0/debian/gbp.conf	2021-12-05 09:29:03.000000000 +0100
@@ -5,7 +5,7 @@
 pristine-tar = True
 # generate gz compressed orig.tar file
 compression = gz
-debian-branch = debian/sid
+debian-branch = debian/buster
 upstream-branch = upstream
 
 [pq]
@@ -13,7 +13,7 @@
 
 [dch]
 id-length = 7
-debian-branch = debian/sid
+debian-branch = debian/buster
 
 [import-orig]
 # filter out unwanted files/dirs from upstream
diff -Nru gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch
--- gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch	1970-01-01 01:00:00.000000000 +0100
+++ gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch	2021-12-05 09:26:42.000000000 +0100
@@ -0,0 +1,27 @@
+From: eyal0 <109809+eyal0@users.noreply.github.com>
+Date: Tue, 26 Oct 2021 21:39:25 -0600
+Subject: Fix TALOS-2021-1402
+
+See issue #30
+
+This commit fixes CVE-2021-40391. Background information can be found on
+this URL.
+https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402
+
+Forwarded: https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e
+---
+ src/drill.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/drill.c b/src/drill.c
+index bc90524..414872d 100644
+--- a/src/drill.c
++++ b/src/drill.c
+@@ -1115,6 +1115,7 @@ drill_parse_T_code(gerb_file_t *fd, drill_state_t *state,
+ 		_("Out of bounds drill number %d "
+ 		    "at line %ld in file \"%s\""),
+ 		tool_num, file_line, fd->filename);
++	return -1;
+     }
+ 
+     /* Set the current tool to the correct one */
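Review bot: the `return -1;` added after the out-of-bounds diagnostic only closes the hole if the caller of drill_parse_T_code() treats a negative return as a parse failure; the hunk shows no caller, so confirm in the buster source that the drill parse loop stops (or at least does not touch the tool table) when this function returns -1, since the code following `/* Set the current tool to the correct one */` is exactly what the early return is meant to skip. Also, the DEP-3 header uses `Forwarded:` for the upstream commit URL; for a backport of an already-merged upstream commit the conventional field is `Origin: upstream, https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e`, and a `Bug-Debian:` line pointing at this report would help the security tracker.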
diff -Nru gerbv-2.7.0/debian/patches/series gerbv-2.7.0/debian/patches/series
--- gerbv-2.7.0/debian/patches/series	2019-02-18 17:56:38.000000000 +0100
+++ gerbv-2.7.0/debian/patches/series	2021-12-05 09:26:42.000000000 +0100
@@ -5,3 +5,4 @@
 debian-hacks/crossbuild-use-PKG_PROG_PKG_CONFIG-instead-of-AC_PATH_PRO.patch
 fixes/man-page-fix-misspelled-excercise-exercise.patch
 fixes/Fix-Werror-format-security-problem.patch
+security/Fix-TALOS-2021-1402.patch

I've uploaded gerbv_2.7.0-1+deb10u1 with the target buster, please consider
accepting this upload to get into the next point release. Thanks!

Regards
Carsten
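The following is an added C illustration of the fix pattern described in the [ Changes ] section; it is not gerbv's drill.c and not part of the original report. The table size TOOL_MAX, the tool_state_t type, the sample drill text and the parse loop are hypothetical stand-ins. It puts the "diagnose and fall through" variant next to the "diagnose and return -1" variant so the difference in what index is left behind can be checked directly.

```c
/* Added illustration, NOT gerbv's code: the type, table size and parse
 * loop below are hypothetical stand-ins for drill_parse_T_code(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOOL_MAX 9999             /* hypothetical: highest valid Tnn */

typedef struct {
    double diameter[TOOL_MAX + 1]; /* per-tool diameter table */
    int current_tool;              /* index into diameter[] */
} tool_state_t;

/* Shared token parser: returns the number in "T<digits>", else -1. */
static long parse_tool_number(const char *tok)
{
    char *end;
    long n;
    if (tok[0] != 'T')
        return -1;
    n = strtol(tok + 1, &end, 10);
    return (end == tok + 1) ? -1 : n;
}

/* "Before" pattern: the violation is reported, but control falls
 * through and the out-of-range number is still stored as the index. */
int parse_T_code_fallthrough(tool_state_t *st, const char *tok, long line)
{
    long n = parse_tool_number(tok);
    if (n < 0)
        return -1;
    if (n > TOOL_MAX)
        fprintf(stderr, "Out of bounds drill number %ld at line %ld\n", n, line);
    /* missing return here is the bug */
    st->current_tool = (int)n;
    return 0;
}

/* "After" pattern: same check, but the error branch returns -1, so
 * current_tool can never point past the end of diameter[]. */
int parse_T_code_hardened(tool_state_t *st, const char *tok, long line)
{
    long n = parse_tool_number(tok);
    if (n < 0)
        return -1;
    if (n > TOOL_MAX) {
        fprintf(stderr, "Out of bounds drill number %ld at line %ld\n", n, line);
        return -1;                 /* the one-line fix */
    }
    st->current_tool = (int)n;
    return 0;
}

/* Minimal parse loop: feeds each line to the chosen handler and stops
 * at the first error. Returns lines consumed, or -(failing line). */
long parse_drill_text(const char *text, tool_state_t *st,
                      int (*handler)(tool_state_t *, const char *, long))
{
    char buf[64];
    long line = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        line++;
        if (handler(st, buf, line) < 0)
            return -line;
        p = nl ? nl + 1 : p + len;
    }
    return line;
}

/* Constructed sample input: T12345 exceeds the hypothetical table. */
static const char *sample_drill = "T1\nT2\nT12345\n";

/* Tool index left behind by the fall-through variant: 12345, beyond
 * TOOL_MAX, so a later diameter[current_tool] read would be OOB. */
int fallthrough_leaves_bad_index(void)
{
    static tool_state_t st;
    memset(&st, 0, sizeof st);
    parse_drill_text(sample_drill, &st, parse_T_code_fallthrough);
    return st.current_tool;
}

/* Line at which the hardened variant aborts (3); *tool_out receives the
 * last valid tool (2) that stays selected. */
long hardened_abort_line(int *tool_out)
{
    static tool_state_t st;
    memset(&st, 0, sizeof st);
    long r = parse_drill_text(sample_drill, &st, parse_T_code_hardened);
    *tool_out = st.current_tool;
    return -r;
}

int main(void)
{
    int tool = -1;
    printf("fall-through leaves tool %d\n", fallthrough_leaves_bad_index());
    printf("hardened aborts at line %ld, tool %d\n", hardened_abort_line(&tool), tool);
    return 0;
}
```

The point the driver makes is the one a reviewer of the real patch should check: the diagnostic alone changes nothing about the stored index, so what matters is that the caller of the hardened function stops on -1 instead of continuing to use the state.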

