Bug#1034654: unblock: src:libsignal-protocol-c/2.3.3-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: team@security.debian.org
Dear release team, dear security team,
I added a patch to libsignal-protocol-c and uploaded to unstable.
It fixes https://security-tracker.debian.org/tracker/CVE-2022-48468
in an embedded code copy. Please let it go into bookworm. Thanks!
Cheers
diff -Nru libsignal-protocol-c-2.3.3/debian/changelog libsignal-protocol-c-2.3.3/debian/changelog
--- libsignal-protocol-c-2.3.3/debian/changelog 2023-01-13 00:49:29.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/changelog 2023-04-20 21:52:41.000000000 +0000
@@ -1,3 +1,10 @@
+libsignal-protocol-c (2.3.3-3) unstable; urgency=medium
+
+ * Add patch to fix unsigned integer overflow in protobuf code
+ CVE: https://security-tracker.debian.org/tracker/CVE-2022-48468
+
+ -- Martin <debacle@debian.org> Thu, 20 Apr 2023 21:52:41 +0000
+
libsignal-protocol-c (2.3.3-2) unstable; urgency=medium
* Bump debhelper compat
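Review bot: the changelog entry should say that the fix lands in the embedded protobuf-c copy (src/protobuf-c/protobuf-c.c) rather than in libsignal-protocol-c's own code, since that is what the security tracker and bookworm reviewers need to see at a glance; the patch header already links https://github.com/protobuf-c/protobuf-c/issues/499, so pointing at it here too, e.g. "Fix unsigned integer overflow in embedded protobuf-c (CVE-2022-48468, protobuf-c#499)", would make the entry self-explanatory.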
diff -Nru libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch
--- libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/patches/fix-unsigned-integer-overflow.patch 2023-04-20 21:49:54.000000000 +0000
@@ -0,0 +1,30 @@
+Description: Fix unsigned integer overflow
+ and fix regression caused by that fix
+ related CVE:
+ https://security-tracker.debian.org/tracker/CVE-2022-48468
+Author: 10054172 <hui.zhang@thalesgroup.com>, Todd C. Miller <Todd.Miller@sudo.ws>
+Origin: other
+Bug: https://github.com/protobuf-c/protobuf-c/issues/499
+Last-Update: 2023-04-20
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@
+ return FALSE;
+
+ def_mess = scanned_member->field->default_value;
+- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+- allocator,
+- len - pref_len,
+- data + pref_len);
++ if (len >= pref_len)
++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++ allocator,
++ len - pref_len,
++ data + pref_len);
++ else
++ subm = NULL;
+
+ if (maybe_clear &&
+ *pmessage != NULL &&
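Review bot: the new `else subm = NULL;` branch relies on the code after this hunk treating a NULL submessage as a parse failure rather than storing it, and the visible context (`if (maybe_clear && *pmessage != NULL &&`) does not show that check, so please confirm that the lines following the hunk return FALSE when `subm == NULL`; otherwise a truncated embedded message would be accepted silently. Two smaller points on the DEP-3 header: `Origin: other` does not fit a change credited to the upstream authors and tied to an upstream issue, so `Origin: upstream` plus the upstream commit reference (or `Forwarded: not-needed`) would be more accurate, and the Description line "and fix regression caused by that fix" should say what the regression was, for example that the guard is `len >= pref_len` rather than a strict `>` so that zero-length embedded messages still unpack.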
diff -Nru libsignal-protocol-c-2.3.3/debian/patches/series libsignal-protocol-c-2.3.3/debian/patches/series
--- libsignal-protocol-c-2.3.3/debian/patches/series 2023-01-13 00:49:29.000000000 +0000
+++ libsignal-protocol-c-2.3.3/debian/patches/series 2023-04-20 21:45:25.000000000 +0000
@@ -1 +1,2 @@
full-library-version-soname.patch
+fix-unsigned-integer-overflow.patch