
Bug#983918: marked as done (buster-pu: package libbsd/0.9.1-2)



Your message dated Sat, 27 Mar 2021 10:26:45 +0000
with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.9 point release
has caused the Debian Bug report #983918,
regarding buster-pu: package libbsd/0.9.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
983918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983918
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1 and
for bullseye, sid with version 0.10.0-1.
Buster has been left out from the patches, and since the patch is
trivial, I propose to apply it for buster too.


diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
--- libbsd-0.9.1/debian/changelog	2019-02-25 01:33:03.000000000 +0100
+++ libbsd-0.9.1/debian/changelog	2021-03-03 12:03:12.000000000 +0100
@@ -1,3 +1,12 @@
+libbsd (0.9.1-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-20367
+    A non-NUL terminated symbol name in the string table might
+    result in a out-of-bounds read.
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Wed, 03 Mar 2021 12:03:12 +0100
+
 libbsd (0.9.1-2) unstable; urgency=medium
 
   * Perform a proper and correct /usr-merge transition by moving the package
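
Review bot: In the new 0.9.1-2+deb10u1 entry, the CVE-2019-20367 item describes the bug but not what the upload changes. Name the patch file being added (debian/patches/CVE-2019-20367.patch) and the affected code (the nlist symbol-name comparison), so the changelog alone tells a reader what was fixed and where. Also, "a out-of-bounds read" should read "an out-of-bounds read".
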
diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch libbsd-0.9.1/debian/patches/CVE-2019-20367.patch
--- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch	1970-01-01 01:00:00.000000000 +0100
+++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch	2021-03-03 12:00:40.000000000 +0100
@@ -0,0 +1,42 @@
+From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00 2001
+From: Guillem Jover <guillem@hadrons.org>
+Date: Wed, 7 Aug 2019 22:58:30 +0200
+Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
+
+When doing a string comparison for a symbol name from the string table,
+we should make sure we do a bounded comparison, otherwise a non-NUL
+terminated string might make the code read out-of-bounds.
+
+Warned-by: coverity
+---
+ src/nlist.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nlist.c b/src/nlist.c
+index 8aa46a2..228c220 100644
+--- a/src/nlist.c
++++ b/src/nlist.c
+@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
+ 		symsize -= cc;
+ 		for (s = sbuf; cc > 0 && nent > 0; ++s, cc -= sizeof(*s)) {
+ 			char *name;
++			Elf_Word size;
+ 			struct nlist *p;
+ 
+ 			name = strtab + s->st_name;
+ 			if (name[0] == '\0')
+ 				continue;
++			size = symstrsize - s->st_name;
+ 
+ 			for (p = list; !ISLAST(p); p++) {
+ 				if ((p->n_un.n_name[0] == '_' &&
+-				    strcmp(name, p->n_un.n_name+1) == 0)
+-				    || strcmp(name, p->n_un.n_name) == 0) {
++				     strncmp(name, p->n_un.n_name+1, size) == 0) ||
++				    strncmp(name, p->n_un.n_name, size) == 0) {
+ 					elf_sym_to_nlist(p, s, shdr,
+ 					    ehdr.e_shnum);
+ 					if (--nent <= 0)
+-- 
+GitLab
+
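
Review bot: In the __fdnlist() loop, "size = symstrsize - s->st_name" is computed only after "name[0]" has already been read, and nothing in the visible context checks that s->st_name is smaller than symstrsize. If the offset is at or past the end of the string table, the first-byte test is itself an out-of-bounds read, and the subtraction in an unsigned Elf_Word wraps to a very large bound, which leaves strncmp() effectively unbounded. Suggest skipping the symbol when s->st_name >= symstrsize before "name" is dereferenced. A smaller point on the two strncmp() calls: when the table ends in the middle of a name, a comparison limited to the remaining bytes reports a match on a prefix of n_name, so it is worth confirming that a truncated entry cannot be accepted as the requested symbol.
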
diff -Nru libbsd-0.9.1/debian/patches/series libbsd-0.9.1/debian/patches/series
--- libbsd-0.9.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libbsd-0.9.1/debian/patches/series	2021-03-03 12:01:48.000000000 +0100
@@ -0,0 +1 @@
+CVE-2019-20367.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9
point release today.

Regards,

Adam

--- End Message ---
