Bug#1000408: buster-pu: package libmodbus/3.1.4-2+deb10u1

[Thorsten Alteholz <debian@alteholz.de>]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for libmodbus fixes CVE-2019-14462 and CVE-2019-14463 
in Buster.

These CVEs are marked as no-dsa by the security team.

For both CVEs a unit test was added and the unit-tests of the package 
showed no errors

  Thorsten

diff -Nru libmodbus-3.1.4/debian/changelog libmodbus-3.1.4/debian/changelog
--- libmodbus-3.1.4/debian/changelog	2018-12-19 04:14:47.000000000 +0100
+++ libmodbus-3.1.4/debian/changelog	2021-11-20 22:03:02.000000000 +0100
@@ -1,3 +1,13 @@
+libmodbus (3.1.4-2+deb10u1) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-14462 + CVE-2019-14463
+    out of bound reads for MODBUS_FC_WRITE_MULTIPLE_REGISTERS and
+    MODBUS_FC_WRITE_MULTIPLE_COILS 
+  * add unit test for CVEs above
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sat, 20 Nov 2021 22:03:02 +0100
+
 libmodbus (3.1.4-2) unstable; urgency=medium
 
   * Fix float endianness issue on big endian arch (Closes: #916345)
diff -Nru libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-1.patch libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-1.patch
--- libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-1.patch	2021-11-20 22:03:02.000000000 +0100
@@ -0,0 +1,37 @@
+commit 5ccdf5ef79d742640355d1132fa9e2abc7fbaefc
+Author: Stéphane Raimbault <stephane.raimbault@gmail.com>
+Date:   Fri Jul 26 16:00:06 2019 +0200
+
+    Fix VD-1301 and VD-1302 vulnerabilities
+    
+    This patch was contributed by Maor Vermucht and Or Peles from
+    VDOO Connected Trust.
+
+Index: libmodbus-3.1.4/src/modbus.c
+===================================================================
+--- libmodbus-3.1.4.orig/src/modbus.c	2021-11-20 23:48:42.253943045 +0100
++++ libmodbus-3.1.4/src/modbus.c	2021-11-20 23:48:42.249943044 +0100
+@@ -831,9 +831,10 @@
+         break;
+     case MODBUS_FC_WRITE_MULTIPLE_COILS: {
+         int nb = (req[offset + 3] << 8) + req[offset + 4];
++        int nb_bits = req[offset + 5];
+         int mapping_address = address - mb_mapping->start_bits;
+ 
+-        if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb) {
++        if (nb < 1 || MODBUS_MAX_WRITE_BITS < nb || nb_bits * 8 < nb) {
+             /* May be the indication has been truncated on reading because of
+              * invalid address (eg. nb is 0 but the request contains values to
+              * write) so it's necessary to flush. */
+@@ -862,9 +863,10 @@
+         break;
+     case MODBUS_FC_WRITE_MULTIPLE_REGISTERS: {
+         int nb = (req[offset + 3] << 8) + req[offset + 4];
++        int nb_bytes = req[offset + 5];
+         int mapping_address = address - mb_mapping->start_registers;
+ 
+-        if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb) {
++        if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes * 8 < nb) {
+             rsp_length = response_exception(
+                 ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp, TRUE,
+                 "Illegal number of values %d in write_registers (max %d)\n",
diff -Nru libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-2.patch libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-2.patch
--- libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-2.patch	2021-11-20 22:03:02.000000000 +0100
@@ -0,0 +1,25 @@
+commit 6f915d4215c06be3c719761423d9b5e8aa3cb820
+Author: Stéphane Raimbault <stephane.raimbault@gmail.com>
+Date:   Wed Jul 31 22:49:53 2019 +0200
+
+    Fix my so stupid fix for VD-1301 vulnerability
+    
+    I can't believe I committed that copy/paste mistake.
+    Sorry Maor Vermucht and Or Peles, excepted naming your original
+    patch was OK.
+    
+    Thank you Karl Palsson for your review.
+
+Index: libmodbus-3.1.4/src/modbus.c
+===================================================================
+--- libmodbus-3.1.4.orig/src/modbus.c	2021-11-20 23:48:46.985943366 +0100
++++ libmodbus-3.1.4/src/modbus.c	2021-11-20 23:48:46.985943366 +0100
+@@ -866,7 +866,7 @@
+         int nb_bytes = req[offset + 5];
+         int mapping_address = address - mb_mapping->start_registers;
+ 
+-        if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes * 8 < nb) {
++        if (nb < 1 || MODBUS_MAX_WRITE_REGISTERS < nb || nb_bytes != nb * 2) {
+             rsp_length = response_exception(
+                 ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_VALUE, rsp, TRUE,
+                 "Illegal number of values %d in write_registers (max %d)\n",
diff -Nru libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-unit-test.patch libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-unit-test.patch
--- libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-unit-test.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmodbus-3.1.4/debian/patches/CVE-2019-14462-14463-unit-test.patch	2021-11-20 22:03:02.000000000 +0100
@@ -0,0 +1,50 @@
+commit ca3fcb1c98755e8f44c33a910af4db3c799ee63e
+Author: Stéphane Raimbault <stephane.raimbault@gmail.com>
+Date:   Fri Jul 26 16:01:30 2019 +0200
+
+    Add unit tests for VD-1301 and VD-1302 vulnerabilities
+
+Index: libmodbus-3.1.4/tests/unit-test-client.c
+===================================================================
+--- libmodbus-3.1.4.orig/tests/unit-test-client.c	2021-11-21 00:02:25.506171374 +0100
++++ libmodbus-3.1.4/tests/unit-test-client.c	2021-11-21 00:02:25.502171373 +0100
+@@ -797,7 +797,6 @@
+             goto close;
+     }
+ 
+-    /* Modbus write and read multiple registers */
+     rc = send_crafted_request(ctx, MODBUS_FC_WRITE_AND_READ_REGISTERS,
+                               rw_raw_req, RW_RAW_REQ_LEN,
+                               MODBUS_MAX_WR_READ_REGISTERS + 1, 0,
+@@ -805,8 +804,6 @@
+     if (rc == -1)
+         goto close;
+ 
+-    /* Modbus write multiple registers with large number of values but a set a
+-       small number of bytes in requests (not nb * 2 as usual). */
+     rc = send_crafted_request(ctx, MODBUS_FC_WRITE_MULTIPLE_REGISTERS,
+                               write_raw_req, WRITE_RAW_REQ_LEN,
+                               MODBUS_MAX_WRITE_REGISTERS + 1, 6,
+@@ -820,6 +817,22 @@
+                               backend_length, backend_offset);
+     if (rc == -1)
+         goto close;
++
++    /* Modbus write multiple registers with large number of values but a set a
++       small number of bytes in requests (not nb * 2 as usual). */
++    rc = send_crafted_request(ctx, MODBUS_FC_WRITE_MULTIPLE_REGISTERS,
++                              write_raw_req, WRITE_RAW_REQ_LEN,
++                              MODBUS_MAX_WRITE_REGISTERS, 6,
++                              backend_length, backend_offset);
++    if (rc == -1)
++        goto close;
++
++    rc = send_crafted_request(ctx, MODBUS_FC_WRITE_MULTIPLE_COILS,
++                              write_raw_req, WRITE_RAW_REQ_LEN,
++                              MODBUS_MAX_WRITE_BITS, 6,
++                              backend_length, backend_offset);
++    if (rc == -1)
++        goto close;
+ 
+     /* Test invalid function code */
+     modbus_send_raw_request(ctx, invalid_fc_raw_req, INVALID_FC_REQ_LEN * sizeof(uint8_t));
diff -Nru libmodbus-3.1.4/debian/patches/series libmodbus-3.1.4/debian/patches/series
--- libmodbus-3.1.4/debian/patches/series	2018-12-19 03:29:41.000000000 +0100
+++ libmodbus-3.1.4/debian/patches/series	2021-11-20 22:03:02.000000000 +0100
@@ -1,2 +1,6 @@
 Fix-typo.patch
 Fix-float-endianness-issue-on-big-endian-arch.patch
+
+CVE-2019-14462-14463-1.patch
+CVE-2019-14462-14463-2.patch
+CVE-2019-14462-14463-unit-test.patch