
Bug#1013418: marked as done (bullseye-pu: package dbus-broker/26-1+deb11u1)



Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1013418,
regarding bullseye-pu: package dbus-broker/26-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1013418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013418
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-utopia-maintainers@lists.alioth.debian.org

Dear release team,

A low-severity CVE has been published for dbus-broker, and it affects
bullseye. In accordance with the Security Team, it does not warrant a
DSA, so we would like to fix it via p-u instead. The fix is a clean
backport, and the diff is minimal. Debdiff attached.

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343

-- 
Kind regards,
Luca Boccassi
diff -Nru dbus-broker-26/debian/changelog dbus-broker-26/debian/changelog
--- dbus-broker-26/debian/changelog	2021-01-22 00:00:39.000000000 +0000
+++ dbus-broker-26/debian/changelog	2022-06-22 22:27:17.000000000 +0100
@@ -1,3 +1,10 @@
+dbus-broker (26-1+deb11u1) bullseye; urgency=medium
+
+  * Backport strnspn-fix-buffer-overflow.patch to fix CVE-2022-31212
+    (Closes: #1013343)
+
+ -- Luca Boccassi <bluca@debian.org>  Wed, 22 Jun 2022 22:27:17 +0100
+
 dbus-broker (26-1) unstable; urgency=low
 
   * Update upstream source from tag 'upstream/26'
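Review bot: the changelog entry names the patch and the CVE but not that the fix lands in the bundled c-shquote subproject (subprojects/c-shquote/src/c-shquote.c, as the patch file in this debdiff shows); for a stable update it helps reviewers and security trackers to say so, e.g. `* Backport strnspn-fix-buffer-overflow.patch (bundled c-shquote) to fix CVE-2022-31212`.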
diff -Nru dbus-broker-26/debian/gbp.conf dbus-broker-26/debian/gbp.conf
--- dbus-broker-26/debian/gbp.conf	2020-12-13 22:03:47.000000000 +0000
+++ dbus-broker-26/debian/gbp.conf	2022-06-22 22:27:17.000000000 +0100
@@ -1,6 +1,6 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
 upstream-branch = upstream
 
 [pristine-tar]
diff -Nru dbus-broker-26/debian/patches/series dbus-broker-26/debian/patches/series
--- dbus-broker-26/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ dbus-broker-26/debian/patches/series	2022-06-22 22:27:17.000000000 +0100
@@ -0,0 +1 @@
+strnspn-fix-buffer-overflow.patch
diff -Nru dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch
--- dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch	2022-06-22 22:27:17.000000000 +0100
@@ -0,0 +1,53 @@
+Author: David Rheinsberg <david.rheinsberg@gmail.com>
+Origin: backport, https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343
+Description: strnspn: fix buffer overflow
+ Fix the strnspn and strncspn functions to use a properly sized buffer.
+ It used to be 1 byte too short. Checking for `0xff` in a string will
+ thus write `0xff` once byte beyond the stack space of the local buffer.
+ .
+ Note that the public API does not allow to pass `0xff` to those
+ functions. Therefore, this is a read-only buffer overrun, possibly
+ causing bogus reports from the parser, but still well-defined.
+--- a/subprojects/c-shquote/src/c-shquote.c
++++ b/subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@
+ size_t c_shquote_strnspn(const char *string,
+                         size_t n_string,
+                         const char *accept) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         for ( ; *accept; ++accept)
+                 buffer[(unsigned char)*accept] = true;
+@@ -100,7 +100,7 @@
+ size_t c_shquote_strncspn(const char *string,
+                           size_t n_string,
+                           const char *reject) {
+-        bool buffer[UCHAR_MAX] = {};
++        bool buffer[UCHAR_MAX + 1] = {};
+ 
+         if (strlen(reject) == 1) {
+                 const char *p;
+--- a/subprojects/c-shquote/src/test-private.c
++++ b/subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@
+ 
+         len = c_shquote_strnspn("ab", 2, "bc");
+         c_assert(len == 0);
++
++        len = c_shquote_strnspn("ab", 2, "\xff");
++        c_assert(len == 0);
+ }
+ 
+ static void test_strncspn(void) {
+@@ -167,6 +170,9 @@
+ 
+         len = c_shquote_strncspn("ab", 2, "cd");
+         c_assert(len == 2);
++
++        len = c_shquote_strncspn("ab", 2, "\xff");
++        c_assert(len == 2);
+ }
+ 
+ static void test_discard_comment(void) {
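Review bot: the Description header of the new patch file has a typo ("once byte" should read "one byte") and its last paragraph is easy to misread, since the write `buffer[(unsigned char)*accept] = true;` shown in the first inner hunk does go one element past the old `bool buffer[UCHAR_MAX]` when accept or reject contains 0xff; the "read-only" claim rests entirely on the public API never passing 0xff in those arguments, so stating that dependency in one sentence would make the severity assessment clearer. The fix itself is correct: UCHAR_MAX is 255, an array of UCHAR_MAX elements has valid indices 0..254, and the `(unsigned char)` cast can produce 255, hence `UCHAR_MAX + 1`. The added test-private.c cases pass `"\xff"` as accept/reject, i.e. exactly the path the public API does not expose; a one-line comment noting they target the internal helpers would avoid confusion, and the packaging should confirm the bundled subproject source is what the Debian build compiles so the patch applies where the binary is produced.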
diff -Nru dbus-broker-26/debian/salsa-ci.yml dbus-broker-26/debian/salsa-ci.yml
--- dbus-broker-26/debian/salsa-ci.yml	2020-12-13 22:03:47.000000000 +0000
+++ dbus-broker-26/debian/salsa-ci.yml	2022-06-22 22:27:17.000000000 +0100
@@ -2,3 +2,6 @@
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bullseye'



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---
