--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear release team,
this is the pre-approval request for libgetdata/0.10.0-10
It fixes CVE-2021-20204 (#988239). It is not a release critical bug,
but security issue. Diff is attached.
Thanks
unblock libgetdata/0.10.0-10
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmCX2GcRHGdsYWRrQGRl
Ymlhbi5vcmcACgkQ0+Fzg8+n/wYG0BAAlD+ubdz+Y5mTIlSqqb5mbSatB7ok0Gbs
gI9loXe46+9VupBk4hEG75EBhM5JDk4y2Zy5ZSy3ErT29/cxUhcU9U7tGht//HDg
sHCFQASoUkwxJFtUTSWFsNELA1S7ZICAAkLYzk+mLIP/tOOXqeInHscYZ+XRjPdC
Erlc+8RbTF9RTHIKXB6LEOne8IgqXgLGEWYNwIk70qUrIQ5gZlS0qiQ2hr7LhMJQ
ZmNwbGUlpAIVw3AelYb301VyS6Mfl3jSUTbunTIXrRtGI7S6RNnRA+nYHsnS/ozj
MqDMot9O9NRQS+2YyF808Mdz+wleR5TqXGuOG8vqUdCXcyRZCSCSCKVbJLAGSEPz
TmZnTUDAiFLxD0O519c2qPhV2I4HaahveDS3jmt8Wk6jbFjX/j+MCFFhrPRJgko6
CsRFm4K9jA7qWydNrZqHVC5EKCdXANmzlM8PZtckCR6srDzJj3z0MvKFybdVfYvP
/OEC4t42oTBwxaaArXXYMaNqPJIwdeCQdgTIht5SXS+yk/JdCF27ZOHuvVUTI7p8
hSYxx1pPvvet+1wwpV+Xw3uG92xuEe55nrd1lMLdhRpFyPT2LMupr043rRB6zTMr
goOL9ZlO9aKHHUAU1C1as50gD5vtBEENuVol7HCDtxQGTX79nFg8aW3oLG7ZeeTl
wPH0S5YFf+c=
=PdQH
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 2c30a9c..514058c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libgetdata (0.10.0-10) unstable; urgency=medium
+
+ * Team upload.
+ * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)
+
+ -- Anton Gladky <gladk@debian.org> Sun, 09 May 2021 14:27:38 +0200
+
libgetdata (0.10.0-9) unstable; urgency=medium
* Fix FTBFFS on binary-all build (missing file). Closes: #966522
diff --git a/debian/patches/CVE-2021-20204.patch b/debian/patches/CVE-2021-20204.patch
new file mode 100644
index 0000000..08bb876
--- /dev/null
+++ b/debian/patches/CVE-2021-20204.patch
@@ -0,0 +1,18 @@
+Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
+ Fix for CVE-2021-20204
+Author: Anton Gladky <gladk@debian.org>
+Bug-Debian: https://bugs.debian.org/988239
+Last-Update: 2021-05-09
+
+--- libgetdata-0.10.0.orig/src/parse.c
++++ libgetdata-0.10.0/src/parse.c
+@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f
+ if (D->error == GD_E_OK && !match)
+ first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]),
+ NULL, me, 0, 1, &outstring, tok_pos);
++ if (first_raw == NULL) {
++ _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
++ }
+
+ if (D->error == GD_E_FORMAT) {
+ /* call the callback for this error */
diff --git a/debian/patches/series b/debian/patches/series
index 24c0911..cc09615 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
#python3.patch
+CVE-2021-20204.patch
--- End Message ---