Bug#991093: marked as done (unblock: mruby/2.1.2-3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 14 Jul 2021 13:15:11 +0000
with message-id <E1m3ejH-00032s-Iw@respighi.debian.org>
and subject line unblock mruby
has caused the Debian Bug report #991093,
regarding unblock: mruby/2.1.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991093: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991093
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: mruby/2.1.2-3
• From: Nobuhiro Iwamatsu <iwamatsu@debian.org>
• Date: Wed, 14 Jul 2021 08:52:17 +0900
• Message-id: <[🔎] 162622033714.382858.11499779301608380083.reportbug@xps13>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mruby

[ Reason ]
This fixes the use-after-free issue. (CVE-2020-36401)

[ Impact ]
It will be attacked by exploiting the use-after-free vulnerability.

[ Tests ]
No automated tests for this issue, but no regression releated
to backported patches were reported to upstream.

[ Risks ]
This package is a leaf package. No other package depends on this.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock mruby/2.1.2-3

Best regards,
  Nobuhiro

diff -Nru mruby-2.1.2/debian/changelog mruby-2.1.2/debian/changelog
--- mruby-2.1.2/debian/changelog	2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/changelog	2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,11 @@
+mruby (2.1.2-3) unstable; urgency=medium
+
+  * Fix CVE-2020-36401.
+    Fixed the use-after-free problem. Add d/patches/Fix-CVE-2020-36401.patch.
+    This patch is included 9cdf439db5 and 97319697c8 from upstream.
+
+ -- Nobuhiro Iwamatsu <iwamatsu@debian.org>  Mon, 12 Jul 2021 16:23:01 +0900
+
 mruby (2.1.2-2) unstable; urgency=medium
 
   * Add d/upstream/metadata.
diff -Nru mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch
--- mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch	1970-01-01 09:00:00.000000000 +0900
+++ mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch	2021-07-12 16:23:01.000000000 +0900
@@ -0,0 +1,71 @@
+Description: Fix the use-after-free problem
+Author: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Origin: upstream, https://github.com/mruby/mruby/commit/9cdf439db52b66447b4e37c61179d54fad6c8f33
+  https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990540
+Last-Update: 2021-07-12
+
+From 9cdf439db52b66447b4e37c61179d54fad6c8f33 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Date: Tue, 23 Jun 2020 13:19:10 +0900
+Subject: [PATCH] Free the original pointer if `realloc` failed.
+
+The POSIX `realloc` keep the original pointer untouched, so it can
+easily leads to memory leakage. `mrb_realloc()` should handle those
+bookkeeping, while `mrb_realloc_simple()` keeps the original `realloc`
+behavior.
+---
+ src/gc.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 03c561d35..6c83911d5 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,14 +225,9 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+   p2 = mrb_realloc_simple(mrb, p, len);
+   if (len == 0) return p2;
+   if (p2 == NULL) {
+-    if (mrb->gc.out_of_memory) {
+-      mrb_raise_nomemory(mrb);
+-      /* mrb_panic(mrb); */
+-    }
+-    else {
+-      mrb->gc.out_of_memory = TRUE;
+-      mrb_raise_nomemory(mrb);
+-    }
++    mrb_free(mrb, p);
++    mrb->gc.out_of_memory = TRUE;
++    mrb_raise_nomemory(mrb);
+   }
+   else {
+     mrb->gc.out_of_memory = FALSE;
+-- 
+2.32.0
+
+From 97319697c8f9f6ff27b32589947e1918e3015503 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Date: Thu, 2 Jul 2020 10:41:03 +0900
+Subject: [PATCH] Cancel 9cdf439
+
+Should not free the pointer in `realloc` since it can cause
+use-after-free problem.
+---
+ src/gc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 6c83911d5..e1892080f 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,7 +225,6 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+   p2 = mrb_realloc_simple(mrb, p, len);
+   if (len == 0) return p2;
+   if (p2 == NULL) {
+-    mrb_free(mrb, p);
+     mrb->gc.out_of_memory = TRUE;
+     mrb_raise_nomemory(mrb);
+   }
+-- 
+2.32.0
+
diff -Nru mruby-2.1.2/debian/patches/series mruby-2.1.2/debian/patches/series
--- mruby-2.1.2/debian/patches/series	2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/patches/series	2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,4 @@
 Change-optimize-O2-on-build-system-of-Debian.patch
 add_fpic_amd64.patch
 Skip-mruby-tty-test-in-io.patch
+Fix-CVE-2020-36401.patch

--- End Message ---

--- Begin Message ---

• To: 991093-done@bugs.debian.org
• Subject: unblock mruby
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Wed, 14 Jul 2021 13:15:11 +0000
• Message-id: <E1m3ejH-00032s-Iw@respighi.debian.org>

Unblocked.

--- End Message ---