
Bug#988278: marked as done ([pre-approval] unblock: libgetdata/0.10.0-10)



Your message dated Tue, 11 May 2021 20:08:19 +0000
with message-id <E1lgYfz-0003sp-UK@respighi.debian.org>
and subject line unblock libgetdata
has caused the Debian Bug report #988278,
regarding [pre-approval] unblock: libgetdata/0.10.0-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988278
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

this is the pre-approval request for libgetdata/0.10.0-10

It fixes CVE-2021-20204 (#988239). It is not a release critical bug,
but a security issue. Diff is attached.

Thanks

unblock libgetdata/0.10.0-10

diff --git a/debian/changelog b/debian/changelog
index 2c30a9c..514058c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libgetdata (0.10.0-10) unstable; urgency=medium
+
+  * Team upload.
+  * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)
+
+ -- Anton Gladky <gladk@debian.org>  Sun, 09 May 2021 14:27:38 +0200
+
 libgetdata (0.10.0-9) unstable; urgency=medium
 
   * Fix FTBFFS on binary-all build (missing file). Closes: #966522
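Review bot: The new changelog entry for 0.10.0-10 says only "Fix CVE-2021-20204" and does not say what changed. Name the added patch (debian/patches/CVE-2021-20204.patch) and summarise its effect as the patch Description does: an error is raised when the first_raw returned by _GD_ParseFieldSpec is NULL.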
diff --git a/debian/patches/CVE-2021-20204.patch b/debian/patches/CVE-2021-20204.patch
new file mode 100644
index 0000000..08bb876
--- /dev/null
+++ b/debian/patches/CVE-2021-20204.patch
@@ -0,0 +1,18 @@
+Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
+  Fix for CVE-2021-20204
+Author: Anton Gladky <gladk@debian.org>
+Bug-Debian: https://bugs.debian.org/988239 
+Last-Update: 2021-05-09
+
+--- libgetdata-0.10.0.orig/src/parse.c
++++ libgetdata-0.10.0/src/parse.c
+@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f
+     if (D->error == GD_E_OK && !match)
+       first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]),
+           NULL, me, 0, 1, &outstring, tok_pos);
++      if (first_raw == NULL) {
++        _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
++      }
+ 
+     if (D->error == GD_E_FORMAT) {
+       /* call the callback for this error */
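Review bot: The added `if (first_raw == NULL)` check in the parse.c hunk is indented as though it belonged to `if (D->error == GD_E_OK && !match)`, but that `if` has no braces, so its body ends at the `_GD_ParseFieldSpec(...)` call and the new check runs on every pass, including when `match` is set or `D->error` is no longer GD_E_OK. Wrap the call and the check in one braced block so that the error is set only when `_GD_ParseFieldSpec` was actually called. It is also worth confirming that a NULL return always means failure (the function body is not part of this hunk), since otherwise valid lines would now be rejected with GD_E_BAD_DIRFILE. In the patch header, the Bug-Debian line has a trailing space and there is no Forwarded field recording whether the fix went upstream.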
diff --git a/debian/patches/series b/debian/patches/series
index 24c0911..cc09615 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 #python3.patch
+CVE-2021-20204.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
