Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10
Control: tags -1 moreinfo
On 2021-05-09 14:41:18, Anton Gladky wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Dear release team,
>
> this is the pre-approval request for libgetdata/0.10.0-10
>
> It fixes CVE-2021-20204 (#988239). It is not a release critical bug,
> but security issue. Diff is attached.
>
> Thanks
>
> unblock libgetdata/0.10.0-10
>
> diff --git a/debian/changelog b/debian/changelog
> index 2c30a9c..514058c 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +libgetdata (0.10.0-10) unstable; urgency=medium
> +
> + * Team upload.
> + * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)
> +
> + -- Anton Gladky <gladk@debian.org> Sun, 09 May 2021 14:27:38 +0200
> +
> libgetdata (0.10.0-9) unstable; urgency=medium
>
> * Fix FTBFFS on binary-all build (missing file). Closes: #966522
> diff --git a/debian/patches/CVE-2021-20204.patch b/debian/patches/CVE-2021-20204.patch
> new file mode 100644
> index 0000000..08bb876
> --- /dev/null
> +++ b/debian/patches/CVE-2021-20204.patch
> @@ -0,0 +1,18 @@
> +Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
> + Fix for CVE-2021-20204
> +Author: Anton Gladky <gladk@debian.org>
> +Bug-Debian: https://bugs.debian.org/988239
> +Last-Update: 2021-05-09
> +
> +--- libgetdata-0.10.0.orig/src/parse.c
> ++++ libgetdata-0.10.0/src/parse.c
> +@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f
> + if (D->error == GD_E_OK && !match)
> + first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]),
> + NULL, me, 0, 1, &outstring, tok_pos);
> ++ if (first_raw == NULL) {
> ++ _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
> ++ }
Is it intentional that newly addeded if is evaluated in any case or is
this patch missing curly brackets for the body of "if (D->error =
GD_E_OK && !match)"?
Cheers
> +
> + if (D->error == GD_E_FORMAT) {
> + /* call the callback for this error */
> diff --git a/debian/patches/series b/debian/patches/series
> index 24c0911..cc09615 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1 +1,2 @@
> #python3.patch
> +CVE-2021-20204.patch
--
Sebastian Ramacher
Reply to: