Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-utopia-maintainers@lists.alioth.debian.org

Dear release team,

A low-severity CVE has been published for dbus-broker, and it affects bullseye. In accordance with the Security Team, it does not warrant a DSA, so we would like to fix it via p-u instead. The fix is a clean backport, and the diff is minimal.

Debdiff attached.

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343

--
Kind regards,
Luca Boccassi
diff -Nru dbus-broker-26/debian/changelog dbus-broker-26/debian/changelog
--- dbus-broker-26/debian/changelog 2021-01-22 00:00:39.000000000 +0000
+++ dbus-broker-26/debian/changelog 2022-06-22 22:27:17.000000000 +0100
@@ -1,3 +1,10 @@
+dbus-broker (26-1+deb11u1) bullseye; urgency=medium
+
+ * Backport strnspn-fix-buffer-overflow.patch to fix CVE-2022-31212
+ (Closes: #1013343)
+
+ -- Luca Boccassi <bluca@debian.org> Wed, 22 Jun 2022 22:27:17 +0100
+
dbus-broker (26-1) unstable; urgency=low
* Update upstream source from tag 'upstream/26'
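Review bot: the changelog entry could also name the origin of the backport (the upstream c-shquote commit given in the patch's Origin header), so that the changelog alone tells a reader where the code came from; otherwise the CVE id, the closing bug and the 26-1+deb11u1 version on the bullseye line are all consistent with the Bug-Debian and Description headers of the added patch file.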
diff -Nru dbus-broker-26/debian/gbp.conf dbus-broker-26/debian/gbp.conf
--- dbus-broker-26/debian/gbp.conf 2020-12-13 22:03:47.000000000 +0000
+++ dbus-broker-26/debian/gbp.conf 2022-06-22 22:27:17.000000000 +0100
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
upstream-branch = upstream
[pristine-tar]
diff -Nru dbus-broker-26/debian/patches/series dbus-broker-26/debian/patches/series
--- dbus-broker-26/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ dbus-broker-26/debian/patches/series 2022-06-22 22:27:17.000000000 +0100
@@ -0,0 +1 @@
+strnspn-fix-buffer-overflow.patch
diff -Nru dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch
--- dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 2022-06-22 22:27:17.000000000 +0100
@@ -0,0 +1,53 @@
+Author: David Rheinsberg <david.rheinsberg@gmail.com>
+Origin: backport, https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343
+Description: strnspn: fix buffer overflow
+ Fix the strnspn and strncspn functions to use a properly sized buffer.
+ It used to be 1 byte too short. Checking for `0xff` in a string will
+ thus write `0xff` once byte beyond the stack space of the local buffer.
+ .
+ Note that the public API does not allow to pass `0xff` to those
+ functions. Therefore, this is a read-only buffer overrun, possibly
+ causing bogus reports from the parser, but still well-defined.
+--- a/subprojects/c-shquote/src/c-shquote.c
++++ b/subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@
+ size_t c_shquote_strnspn(const char *string,
+ size_t n_string,
+ const char *accept) {
+- bool buffer[UCHAR_MAX] = {};
++ bool buffer[UCHAR_MAX + 1] = {};
+
+ for ( ; *accept; ++accept)
+ buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@
+ size_t c_shquote_strncspn(const char *string,
+ size_t n_string,
+ const char *reject) {
+- bool buffer[UCHAR_MAX] = {};
++ bool buffer[UCHAR_MAX + 1] = {};
+
+ if (strlen(reject) == 1) {
+ const char *p;
+--- a/subprojects/c-shquote/src/test-private.c
++++ b/subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@
+
+ len = c_shquote_strnspn("ab", 2, "bc");
+ c_assert(len == 0);
++
++ len = c_shquote_strnspn("ab", 2, "\xff");
++ c_assert(len == 0);
+ }
+
+ static void test_strncspn(void) {
+@@ -167,6 +170,9 @@
+
+ len = c_shquote_strncspn("ab", 2, "cd");
+ c_assert(len == 2);
++
++ len = c_shquote_strncspn("ab", 2, "\xff");
++ c_assert(len == 2);
+ }
+
+ static void test_discard_comment(void) {
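Review bot: the one-element enlargement is the correct fix in both functions: `(unsigned char)*accept` can take any value from 0 to UCHAR_MAX inclusive, so the lookup table needs UCHAR_MAX + 1 entries, and `bool buffer[UCHAR_MAX] = {};` leaves index 255 (byte 0xff) one past the end of the array. The Description is slightly inconsistent with the visible code, though: `buffer[(unsigned char)*accept] = true;` is a store, so an accept or reject string containing 0xff would be a one-byte out-of-bounds write on the stack, and the "read-only buffer overrun" claim holds only under the Description's own assumption that the public API never passes 0xff into accept or reject; it would be clearer to state that dependency directly, and "once byte" there is a typo for "one byte". The two added tests exercise exactly the 0xff case for c_shquote_strnspn and c_shquote_strncspn and are the right regression check, since a sanitizer build of the old code would report them. The DEP-3 headers (Author, Origin, Bug-Debian, Description) are complete for a backport.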
diff -Nru dbus-broker-26/debian/salsa-ci.yml dbus-broker-26/debian/salsa-ci.yml
--- dbus-broker-26/debian/salsa-ci.yml 2020-12-13 22:03:47.000000000 +0000
+++ dbus-broker-26/debian/salsa-ci.yml 2022-06-22 22:27:17.000000000 +0100
@@ -2,3 +2,6 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'
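Review bot: the RELEASE variable only steers the Salsa CI pipeline to build and test against bullseye, which is what a stable-update branch should do; it does not affect the uploaded source or binaries, so it is fine to carry alongside the debian-branch change in gbp.conf.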