
Bug#988482: buster-pu: package libgetdata/0.10.0-5+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,

I have prepared an upload libgetdata_0.10.0-5+deb10u1 which fixes
CVE-2021-20204.

The Security team has marked this CVE as no-dsa and recommended using
a point release to fix this CVE.

Diff is attached.

Regards

Anton

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
diff -Nru libgetdata-0.10.0/debian/changelog libgetdata-0.10.0/debian/changelog
--- libgetdata-0.10.0/debian/changelog	2018-07-08 16:05:59.000000000 +0200
+++ libgetdata-0.10.0/debian/changelog	2021-05-13 23:20:53.000000000 +0200
@@ -1,3 +1,10 @@
+libgetdata (0.10.0-5+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2021-20204.
+
+ -- Anton Gladky <gladk@debian.org>  Thu, 13 May 2021 23:20:53 +0200
+
 libgetdata (0.10.0-5) unstable; urgency=medium
 
   * Rebuild for python3.7 support
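Review bot: The new changelog entry "Fix CVE-2021-20204." neither names the patch that carries the fix nor references the bug recorded in the patch header (Bug-Debian: https://bugs.debian.org/988239). For a point-release upload, consider spelling out what changed, for example that debian/patches/CVE-2021-20204.patch makes _GD_ParseFragment raise an error when _GD_ParseFieldSpec returns NULL, and adding a "Closes: #988239" so that reviewers of the upload can trace the fix from the changelog alone.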
diff -Nru libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch
--- libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch	1970-01-01 01:00:00.000000000 +0100
+++ libgetdata-0.10.0/debian/patches/CVE-2021-20204.patch	2021-05-13 23:20:53.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
+  Fix for CVE-2021-20204
+Author: Anton Gladky <gladk@debian.org>
+Bug-Debian: https://bugs.debian.org/988239
+Last-Update: 2021-05-09
+
+Index: libgetdata/src/parse.c
+===================================================================
+--- libgetdata.orig/src/parse.c
++++ libgetdata/src/parse.c
+@@ -2501,9 +2501,12 @@ char *_GD_ParseFragment(FILE *restrict f
+       match = _GD_ParseDirective(D, p, in_cols, n_cols, me, &ref_name,
+           &outstring, tok_pos);
+ 
+-    if (D->error == GD_E_OK && !match)
++    if (D->error == GD_E_OK && !match) {
+       first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]),
+           NULL, me, 0, 1, &outstring, tok_pos);
++      if (first_raw == NULL)
++        _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
++    }
+ 
+     if (D->error == GD_E_FORMAT) {
+       /* call the callback for this error */
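Review bot: The added `if (first_raw == NULL)` branch in _GD_ParseFragment calls _GD_SetError unconditionally, without re-checking D->error after _GD_ParseFieldSpec returns. The lines shown do not say whether _GD_ParseFieldSpec can return NULL after reporting its own error. If it can, its more specific code would be replaced by GD_E_BAD_DIRFILE, and the `if (D->error == GD_E_FORMAT)` callback branch directly below would no longer be taken for that line. Consider guarding the new call with `first_raw == NULL && D->error == GD_E_OK`, or confirming in the patch Description that a NULL return with D->error already set cannot happen. The Description would also benefit from one sentence on why a NULL first_raw is unsafe for the code that follows, and the header from a field stating whether the change has been forwarded upstream.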
diff -Nru libgetdata-0.10.0/debian/patches/series libgetdata-0.10.0/debian/patches/series
--- libgetdata-0.10.0/debian/patches/series	2018-07-08 16:05:59.000000000 +0200
+++ libgetdata-0.10.0/debian/patches/series	2021-05-13 23:20:13.000000000 +0200
@@ -1 +1,2 @@
 #python3.patch
+CVE-2021-20204.patch
