
Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10



Control: tags -1 moreinfo

On 2021-05-09 14:41:18, Anton Gladky wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear release team,
> 
> this is the pre-approval request for libgetdata/0.10.0-10
> 
> It fixes CVE-2021-20204 (#988239). It is not a release critical bug,
> but a security issue. Diff is attached.
> 
> Thanks
> 
> unblock libgetdata/0.10.0-10
> 

> diff --git a/debian/changelog b/debian/changelog
> index 2c30a9c..514058c 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +libgetdata (0.10.0-10) unstable; urgency=medium
> +
> +  * Team upload.
> +  * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)
> +
> + -- Anton Gladky <gladk@debian.org>  Sun, 09 May 2021 14:27:38 +0200
> +
>  libgetdata (0.10.0-9) unstable; urgency=medium
>  
>    * Fix FTBFFS on binary-all build (missing file). Closes: #966522
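
Review bot: The new changelog entry "[4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)" does not say what was changed. Naming the added file (debian/patches/CVE-2021-20204.patch) and the nature of the fix (an error is raised when first_raw is NULL in src/parse.c) would let a reader of the changelog judge the change without opening the diff.
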
> diff --git a/debian/patches/CVE-2021-20204.patch b/debian/patches/CVE-2021-20204.patch
> new file mode 100644
> index 0000000..08bb876
> --- /dev/null
> +++ b/debian/patches/CVE-2021-20204.patch
> @@ -0,0 +1,18 @@
> +Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
> +  Fix for CVE-2021-20204
> +Author: Anton Gladky <gladk@debian.org>
> +Bug-Debian: https://bugs.debian.org/988239 
> +Last-Update: 2021-05-09
> +
> +--- libgetdata-0.10.0.orig/src/parse.c
> ++++ libgetdata-0.10.0/src/parse.c
> +@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f
> +     if (D->error == GD_E_OK && !match)
> +       first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]),
> +           NULL, me, 0, 1, &outstring, tok_pos);
> ++      if (first_raw == NULL) {
> ++        _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
> ++      }

Is it intentional that the newly added if is evaluated in any case or is
this patch missing curly brackets for the body of "if (D->error =
GD_E_OK && !match)"?

Cheers

> + 
> +     if (D->error == GD_E_FORMAT) {
> +       /* call the callback for this error */
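
Review bot: The added "if (first_raw == NULL)" is indented as though it belonged to the body of "if (D->error == GD_E_OK && !match)", but without braces only the "first_raw = _GD_ParseFieldSpec(...)" assignment is guarded. The NULL check therefore also runs when the call was skipped, that is when match is set or D->error is already something other than GD_E_OK, and _GD_SetError is then invoked for a line that was never passed to _GD_ParseFieldSpec. If the check is meant to apply only to the result of this call, put the assignment and the check inside one braced block; if it is meant to be unconditional, dedent it and say in the Description why a NULL first_raw is always an error at this point. The patch header also carries no Forwarded field, and the Bug-Debian line ends in trailing whitespace.
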
> diff --git a/debian/patches/series b/debian/patches/series
> index 24c0911..cc09615 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1 +1,2 @@
>  #python3.patch
> +CVE-2021-20204.patch


-- 
Sebastian Ramacher

