Your message dated Sat, 09 Jul 2022 11:47:43 +0100 with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 11.4 has caused the Debian Bug report #1013418, regarding bullseye-pu: package dbus-broker/26-1+deb11u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1013418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013418
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package dbus-broker/26-1+deb11u1
- From: Luca Boccassi <bluca@debian.org>
- Date: Thu, 23 Jun 2022 11:33:46 +0100
- Message-id: <90f7ad6d8e91f031b1e029ae4f1f2b369736033e.camel@debian.org>
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-CC: pkg-utopia-maintainers@lists.alioth.debian.org Dear release team, A low-severity CVE has been published for dbus-broker, and it affects bullseye. In accordance with the Security Team, it does not warrant a DSA, so we would like to fix it via p-u instead. The fix is a clean backport, and the diff is minimal. Debdiff attached. Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343 -- Kind regards, Luca Boccassidiff -Nru dbus-broker-26/debian/changelog dbus-broker-26/debian/changelog --- dbus-broker-26/debian/changelog 2021-01-22 00:00:39.000000000 +0000 +++ dbus-broker-26/debian/changelog 2022-06-22 22:27:17.000000000 +0100 @@ -1,3 +1,10 @@ +dbus-broker (26-1+deb11u1) bullseye; urgency=medium + + * Backport strnspn-fix-buffer-overflow.patch to fix CVE-2022-31212 + (Closes: #1013343) + + -- Luca Boccassi <bluca@debian.org> Wed, 22 Jun 2022 22:27:17 +0100 + dbus-broker (26-1) unstable; urgency=low * Update upstream source from tag 'upstream/26' diff -Nru dbus-broker-26/debian/gbp.conf dbus-broker-26/debian/gbp.conf --- dbus-broker-26/debian/gbp.conf 2020-12-13 22:03:47.000000000 +0000 +++ dbus-broker-26/debian/gbp.conf 2022-06-22 22:27:17.000000000 +0100 @@ -1,6 +1,6 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/sid +debian-branch = debian/bullseye upstream-branch = upstream [pristine-tar] diff -Nru dbus-broker-26/debian/patches/series dbus-broker-26/debian/patches/series --- dbus-broker-26/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ dbus-broker-26/debian/patches/series 2022-06-22 22:27:17.000000000 +0100 
@@ -0,0 +1 @@ +strnspn-fix-buffer-overflow.patch diff -Nru dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch --- dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 2022-06-22 22:27:17.000000000 +0100 
@@ -0,0 +1,53 @@ +Author: David Rheinsberg <david.rheinsberg@gmail.com> +Origin: backport, https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343 +Description: strnspn: fix buffer overflow + Fix the strnspn and strncspn functions to use a properly sized buffer. + It used to be 1 byte too short. Checking for `0xff` in a string will + thus write `0xff` once byte beyond the stack space of the local buffer. + . + Note that the public API does not allow to pass `0xff` to those + functions. Therefore, this is a read-only buffer overrun, possibly + causing bogus reports from the parser, but still well-defined. +--- a/subprojects/c-shquote/src/c-shquote.c ++++ b/subprojects/c-shquote/src/c-shquote.c +@@ -85,7 +85,7 @@ + size_t c_shquote_strnspn(const char *string, + size_t n_string, + const char *accept) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + for ( ; *accept; ++accept) + buffer[(unsigned char)*accept] = true; +@@ -100,7 +100,7 @@ + size_t c_shquote_strncspn(const char *string, + size_t n_string, + const char *reject) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + if (strlen(reject) == 1) { + const char *p; +--- a/subprojects/c-shquote/src/test-private.c ++++ b/subprojects/c-shquote/src/test-private.c +@@ -148,6 +148,9 @@ + + len = c_shquote_strnspn("ab", 2, "bc"); + c_assert(len == 0); ++ ++ len = c_shquote_strnspn("ab", 2, "\xff"); ++ c_assert(len == 0); + } + + static void test_strncspn(void) { +@@ -167,6 +170,9 @@ + + len = c_shquote_strncspn("ab", 2, "cd"); + c_assert(len == 2); ++ ++ len = c_shquote_strncspn("ab", 2, "\xff"); ++ c_assert(len == 2); + } + + static void test_discard_comment(void) { diff -Nru dbus-broker-26/debian/salsa-ci.yml dbus-broker-26/debian/salsa-ci.yml --- dbus-broker-26/debian/salsa-ci.yml 2020-12-13 22:03:47.000000000 +0000 +++ dbus-broker-26/debian/salsa-ci.yml 2022-06-22 
22:27:17.000000000 +0100 @@ -2,3 +2,6 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bullseye'Attachment: signature.asc
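Review bot: in the strnspn-fix-buffer-overflow.patch hunk, the added test `len = c_shquote_strncspn("ab", 2, "\xff");` passes a one-byte reject string, so it takes the `if (strlen(reject) == 1)` shortcut visible a few lines earlier in the same hunk and never reaches the resized `bool buffer[UCHAR_MAX + 1]`; add a second case whose reject set has more than one byte and includes `\xff` so the lookup-table path is exercised as well (the strnspn case is fine, since that function has no such shortcut). Two smaller points on the Description field of the same patch: `once byte` should read `one byte`, and an out-of-bounds read of a local array is undefined behaviour in C rather than "still well-defined", even when in practice it only yields bogus parser results; it would be more accurate to say that the write is unreachable through the public API and the remaining issue is a one-byte read past the buffer.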
--- End Message ---
--- Begin Message ---
- To: 1000355-done@bugs.debian.org, 1003261-done@bugs.debian.org, 1003713-done@bugs.debian.org, 1004459-done@bugs.debian.org, 1004580-done@bugs.debian.org, 1005129-done@bugs.debian.org, 1005135-done@bugs.debian.org, 1005231-done@bugs.debian.org, 1005237-done@bugs.debian.org, 1005252-done@bugs.debian.org, 1005256-done@bugs.debian.org, 1006316-done@bugs.debian.org, 1006504-done@bugs.debian.org, 1007714-done@bugs.debian.org, 1007762-done@bugs.debian.org, 1008045-done@bugs.debian.org, 1008153-done@bugs.debian.org, 1008161-done@bugs.debian.org, 1008162-done@bugs.debian.org, 1008166-done@bugs.debian.org, 1008168-done@bugs.debian.org, 1008268-done@bugs.debian.org, 1008577-done@bugs.debian.org, 1009077-done@bugs.debian.org, 1009250-done@bugs.debian.org, 1009345-done@bugs.debian.org, 1009363-done@bugs.debian.org, 1009726-done@bugs.debian.org, 1010037-done@bugs.debian.org, 1010050-done@bugs.debian.org, 1010058-done@bugs.debian.org, 1010194-done@bugs.debian.org, 1010211-done@bugs.debian.org, 1010304-done@bugs.debian.org, 1010383-done@bugs.debian.org, 1010439-done@bugs.debian.org, 1010613-done@bugs.debian.org, 1010857-done@bugs.debian.org, 1010924-done@bugs.debian.org, 1010963-done@bugs.debian.org, 1011022-done@bugs.debian.org, 1011198-done@bugs.debian.org, 1011271-done@bugs.debian.org, 1011287-done@bugs.debian.org, 1011331-done@bugs.debian.org, 1011359-done@bugs.debian.org, 1011365-done@bugs.debian.org, 1011426-done@bugs.debian.org, 1011746-done@bugs.debian.org, 1011939-done@bugs.debian.org, 1011942-done@bugs.debian.org, 1012033-done@bugs.debian.org, 1012047-done@bugs.debian.org, 1012140-done@bugs.debian.org, 1012322-done@bugs.debian.org, 1012323-done@bugs.debian.org, 1012331-done@bugs.debian.org, 1012553-done@bugs.debian.org, 1012585-done@bugs.debian.org, 1012723-done@bugs.debian.org, 1013237-done@bugs.debian.org, 1013306-done@bugs.debian.org, 1013418-done@bugs.debian.org, 1013755-done@bugs.debian.org, 1013879-done@bugs.debian.org, 1013880-done@bugs.debian.org, 
1013944-done@bugs.debian.org, 1014014-done@bugs.debian.org, 1014054-done@bugs.debian.org, 1014079-done@bugs.debian.org, 1014199-done@bugs.debian.org, 1014206-done@bugs.debian.org, 1014221-done@bugs.debian.org
- Subject: Closing requests for updates included in 11.4
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Jul 2022 11:47:43 +0100
- Message-id: <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye point release.

Regards,

Adam
--- End Message ---