
Bug#1023263: bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Release-Team,

[ Reason ]

I'm currently preparing a security update for clickhouse for LTS.
As the versions are quite similar, I've also prepared an update for bullseye,
even if the issues are marked "minor".

The CVEs are:
CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
(Details on them are in #1008216)

I've checked with the security team and they indicated that this
might be something for stable-proposed-updates.

The changes are on this branch:
https://salsa.debian.org/debian/ClickHouse/-/commits/debian/bullseye

[ Impact ]

The assessment in #1008216 is:
By triggering the vulnerabilities, an attacker can crash the ClickHouse server,
leak memory contents or even cause remote code execution.

[ Tests ]

The package has an extensive test suite. I've also locally briefly
tested the package.

[ Risks ]

The change is cherry-picked from upstream fix. Upstream has moved
along source files and restructured things, but the affected code
is the same. The upstream fix mentioned below also contains other
fixes, introduced in later -- not in Debian -- versions.
Upstream fix: https://github.com/ClickHouse/ClickHouse/pull/27136
Patch used: https://salsa.debian.org/debian/ClickHouse/-/blob/debian/bullseye/debian/patches/CVE-2021-4238x-and-4330x.patch

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
      The NMU fixing this is currently in DELAYED (ETA Nov 5 ~13:00).

[ Changes ]

See patch.
(The remaining change is to salsa-ci configuration, to be able to utilize
the CI for testbuilds.)

[ Other info ]


Cheers,
-- 
tobi
diff -Nru clickhouse-18.16.1+ds/debian/changelog clickhouse-18.16.1+ds/debian/changelog
--- clickhouse-18.16.1+ds/debian/changelog	2020-12-03 20:45:03.000000000 +0100
+++ clickhouse-18.16.1+ds/debian/changelog	2022-10-31 17:33:32.000000000 +0100
@@ -1,3 +1,12 @@
+clickhouse (18.16.1+ds-7.2+deb11u1) bullseye-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Add Salsa CI config for bullseye.
+  * Fix CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+    (Closes: #1008216)
+
+ -- Tobias Frost <tobi@debian.org>  Mon, 31 Oct 2022 17:33:32 +0100
+
 clickhouse (18.16.1+ds-7.2) unstable; urgency=medium
 
   [Balint Reczey]
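Review bot: the distribution in the new changelog entry, `+clickhouse (18.16.1+ds-7.2+deb11u1) bullseye-security; urgency=medium`, should be `bullseye` for an upload through stable-proposed-updates; `bullseye-security` is only right for a DSA via the security archive, and the request above says this is going through p-u. While at it, the version in the bug subject (18.16.1+ds-4+deb10u1) looks like the buster/LTS version and does not match the +deb11u1 version this entry introduces.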
diff -Nru clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
--- clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch	1970-01-01 01:00:00.000000000 +0100
+++ clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch	2022-10-31 17:25:21.000000000 +0100
@@ -0,0 +1,134 @@
+Description: Fix for CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+ Cherry pick relevant parts from upstream PR, adapted to version in Debian.
+Origin: https://github.com/ClickHouse/ClickHouse/pull/27136
+Bug-Debian: https://bugs.debian.org/1008216
+Forwarded: no
+Applied-Upstream: yes, https://github.com/ClickHouse/ClickHouse/pull/27136
+Last-Update: 2022-10-30 <YYYY-MM-DD, last update of the meta-information, optional>
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
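Review bot: the `Last-Update:` field still carries the DEP-3 template placeholder `<YYYY-MM-DD, last update of the meta-information, optional>`, and the line `This patch header follows DEP-3: http://dep.debian.net/deps/dep3/` is template boilerplate as well; trim the field to `Last-Update: 2022-10-30` and drop the template line so the header reads as a finished DEP-3 header. `Forwarded: not-needed` would also state the situation more precisely than `Forwarded: no` next to `Applied-Upstream: yes`.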
+--- a/dbms/src/IO/LZ4_decompress_faster.cpp
++++ b/dbms/src/IO/LZ4_decompress_faster.cpp
+@@ -342,13 +342,16 @@
+ 
+ 
+ template <size_t copy_amount, bool use_shuffle>
+-void NO_INLINE decompressImpl(
++bool NO_INLINE decompressImpl(
+      const char * const source,
+      char * const dest,
++     size_t source_size,
+      size_t dest_size)
+ {
+     const UInt8 * ip = (UInt8 *)source;
+     UInt8 * op = (UInt8 *)dest;
++    const UInt8 * const input_end = ip + source_size;
++    UInt8 * const output_begin = op;
+     UInt8 * const output_end = op + dest_size;
+ 
+     while (1)
+@@ -387,13 +390,19 @@
+         /// output: xyzHello, w
+         ///                  ^-op (we will overwrite excessive bytes on next iteration)
+ 
+-        wildCopy<copy_amount>(op, ip, copy_end);    /// Here we can write up to copy_amount - 1 bytes after buffer.
++        {
++            auto * target = std::min(copy_end, output_end);
++            wildCopy<copy_amount>(op, ip, target);    /// Here we can write up to copy_amount - 1 bytes after buffer.
++
++            if (target == output_end)
++                return true;
++        }
+ 
+         ip += length;
+         op = copy_end;
+ 
+-        if (copy_end >= output_end)
+-            return;
++        if (unlikely(ip > input_end))
++            return false;
+ 
+         /// Get match offset.
+ 
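Review bot: the new input bound check `if (unlikely(ip > input_end)) return false;` is evaluated only after `wildCopy<copy_amount>(op, ip, target)` has already read `length` literal bytes starting at `ip`, so a literal length larger than the remaining input is still read past the end of `source` before the function gives up; the check merely stops the next iteration from consuming further. Move it in front of the copy, e.g. `if (unlikely(ip + length > input_end)) return false;`, and for the same reason consider rejecting `copy_end > output_end` outright instead of clamping to `target`, since the comment on that line says the copy may still write up to `copy_amount - 1` bytes past the end pointer. Note also that `>` lets `ip == input_end` through, after which the two-byte offset read (`ip += 2` below) runs past the input on a truncated stream; a `ip + 2 > input_end` test before reading the offset covers that.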
+@@ -401,6 +410,9 @@
+         ip += 2;
+         const UInt8 * match = op - offset;
+ 
++        if (unlikely(match < output_begin))
++            return false;
++
+         /// Get match length.
+ 
+         length = token & 0x0F;
+@@ -441,7 +453,10 @@
+ 
+         copy<copy_amount>(op, match);   /// copy_amount + copy_amount - 1 - 4 * 2 bytes after buffer.
+         if (length > copy_amount * 2)
+-            wildCopy<copy_amount>(op + copy_amount, match + copy_amount, copy_end);
++        {
++            auto * target = std::min(copy_end, output_end);
++            wildCopy<copy_amount>(op + copy_amount, match + copy_amount, target);
++        }
+ 
+         op = copy_end;
+     }
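Review bot: the match-copy path is not bounded the way the literal path now is: `copy<copy_amount>(op, match)` still writes a full `copy_amount` chunk at `op` unconditionally, only the tail `wildCopy` is clamped to `output_end`, and there is no early `return` once the clamp is hit, so `op = copy_end` can leave `op` beyond `output_end` and the next iteration's literal `wildCopy<copy_amount>(op, ip, target)` is then called with `op` already past its target, which by this function's own comment may write up to `copy_amount - 1` bytes beyond the buffer. Reject the overrun before copying, e.g. `if (unlikely(copy_end > output_end)) return false;` where `copy_end` is computed for the match (just above this hunk), rather than clamping after the first chunk has been written.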
+@@ -450,7 +465,7 @@
+ }
+ 
+ 
+-void decompress(
++bool decompress(
+     const char * const source,
+     char * const dest,
+     size_t source_size,
+@@ -458,7 +473,7 @@
+     PerformanceStatistics & statistics [[maybe_unused]])
+ {
+     if (source_size == 0 || dest_size == 0)
+-        return;
++        return true;
+ 
+     /// Don't run timer if the block is too small.
+     if (dest_size >= 32768)
+@@ -468,23 +483,26 @@
+         /// Run the selected method and measure time.
+ 
+         Stopwatch watch;
++        bool success = true;
+ 
+         if (best_variant == 0)
+-            decompressImpl<16, true>(source, dest, dest_size);
++            success = decompressImpl<16, true>(source, dest, source_size, dest_size);
+         if (best_variant == 1)
+-            decompressImpl<16, false>(source, dest, dest_size);
++            success = decompressImpl<16, false>(source, dest, source_size, dest_size);
+         if (best_variant == 2)
+-            decompressImpl<8, true>(source, dest, dest_size);
++            success = decompressImpl<8, true>(source, dest, source_size, dest_size);
+ 
+         watch.stop();
+ 
+         /// Update performance statistics.
+ 
+         statistics.data[best_variant].update(watch.elapsedSeconds(), dest_size);
++
++        return success;
+     }
+     else
+     {
+-        decompressImpl<8, false>(source, dest, dest_size);
++        return decompressImpl<8, false>(source, dest, source_size, dest_size);
+     }
+ }
+ 
+--- a/dbms/src/IO/LZ4_decompress_faster.h
++++ b/dbms/src/IO/LZ4_decompress_faster.h
+@@ -128,7 +128,7 @@
+ 
+ /** This method dispatch to one of different implementations depending on performance statistics.
+   */
+-void decompress(
++bool decompress(
+     const char * const source,
+     char * const dest,
+     size_t source_size,
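Review bot: the new `bool` return of `decompress()` introduced by `+bool decompress(` has no consumer anywhere in this debdiff; only LZ4_decompress_faster.cpp and .h are touched, so every caller of `LZ4::decompress` keeps discarding the result and a block that now returns false is treated as successfully decompressed with a partially filled destination buffer. The matching call-site change (raising a decompression error when false is returned) needs to be backported as well, otherwise the fix only turns the overread/crash into silently corrupt data. The doc comment above the declaration should also say what the return value means.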
diff -Nru clickhouse-18.16.1+ds/debian/patches/series clickhouse-18.16.1+ds/debian/patches/series
--- clickhouse-18.16.1+ds/debian/patches/series	2020-12-03 20:45:03.000000000 +0100
+++ clickhouse-18.16.1+ds/debian/patches/series	2022-10-31 17:25:45.000000000 +0100
@@ -19,3 +19,4 @@
 python3.patch
 gcc10-ftbfs.patch
 dont-redefine-numeric-limits-for-int128.patch
+CVE-2021-4238x-and-4330x.patch
diff -Nru clickhouse-18.16.1+ds/debian/salsa-ci.yml clickhouse-18.16.1+ds/debian/salsa-ci.yml
--- clickhouse-18.16.1+ds/debian/salsa-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ clickhouse-18.16.1+ds/debian/salsa-ci.yml	2022-10-31 17:03:18.000000000 +0100
@@ -0,0 +1,11 @@
+include:
+
+- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+    RELEASE: 'bullseye'
+    SALSA_CI_COMPONENTS: 'main contrib non-free'
+    SALSA_CI_DISABLE_REPROTEST: 1
+    SALSA_CI_DISABLE_LINTIAN: 1
+    # Package does not support i386
+    SALSA_CI_DISABLE_BUILD_PACKAGE_I386: "1"
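Review bot: `SALSA_CI_DISABLE_LINTIAN: 1` switches off a cheap check that is worth keeping for a stable update; reprotest is the expensive job, lintian is not, so consider leaving lintian enabled. The three `SALSA_CI_DISABLE_*` values are also quoted inconsistently (`1` twice, `"1"` once); pick one form.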
