Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sniproxy@packages.debian.org, sniproxy@packages.debian.org, roam@debian.org
Control: affects -1 + src:sniproxy

Please unblock package sniproxy

Version 0.6.0-2.1 fixes the #1033752 RC bug (grave, security) about a buffer overflow that may lead to arbitrary code execution. I am in the process of adopting the package (see #1035759), and I'm in communication with Thorsten Alteholz, who did the NMU to fix the bug.

[ Reason ]
Security issue, arbitrary code execution due to a buffer overflow. See #1033752 for details.

[ Impact ]
Systems where sniproxy is used are currently vulnerable to remote code execution.

[ Tests ]
The next upstream version of sniproxy, 0.6.1, that was released with a single change - to fix this bug - and that I will soon upload to experimental, contains a test case that makes sure sniproxy does not die on such a malformed request:
https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583#diff-e1a0a6ea76cf301ec1fc8564ca08c0a20ae7fdc14f27355ab77a217e09efd833
(the bad_dns_request_test change)

The patch includes this change, although the tests are not run during the Debian package build or afterwards; however, a manual `make check` in the package build directory will show the test passing. I intend to try to run those tests both during the build and as autopkgtests.

[ Risks ]
The fix is straightforward (for someone familiar with network programming in C) and targeted. IMHO the risks are minimal, if any at all.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock sniproxy/0.6.0-2.1

diff -Nru sniproxy-0.6.0/debian/changelog sniproxy-0.6.0/debian/changelog
--- sniproxy-0.6.0/debian/changelog 2020-07-23 23:27:57.000000000 +0300
+++ sniproxy-0.6.0/debian/changelog 2023-04-29 20:03:02.000000000 +0300
@@ -1,3 +1,11 @@
+sniproxy (0.6.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-25076 (Closes: #1033752)
+ fix buffer overflow while handling wildcard backend hosts
+
+ -- Thorsten Alteholz <debian@alteholz.de> Sat, 29 Apr 2023 19:03:02 +0200
+
sniproxy (0.6.0-2) unstable; urgency=medium
* Fix "ftbfs with GCC-10" by applying patch
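Review bot: the new 0.6.0-2.1 entry sets urgency=medium even though the only change it lists is a CVE fix closing #1033752; urgency=high would match a security upload. The entry also describes only the buffer overflow fix, while the patch it ships additionally changes tests/Makefile.am, tests/bad_dns_request_test and tests/slow_client_test, so a line mentioning the test changes would make the changelog complete.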
diff -Nru sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch
--- sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch 1970-01-01 02:00:00.000000000 +0200
+++ sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch 2023-04-29 20:03:02.000000000 +0300
@@ -0,0 +1,71 @@
+commit f8d9a433fe22ab2fa15c00179048ab02ae23d583
+Author: Dustin Lundquist <dustin@null-ptr.net>
+Date: Thu Mar 16 20:42:20 2023 -0700
+
+ address: fix buffer overflow
+
+ Update tests to work on Debian 11.
+
+Index: sniproxy-0.6.0/src/address.c
+===================================================================
+--- sniproxy-0.6.0.orig/src/address.c 2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/src/address.c 2023-04-29 19:26:00.397699547 +0200
+@@ -143,6 +143,8 @@
+ if (hostname_or_ip[0] == '[' &&
+ (port = strchr(hostname_or_ip, ']')) != NULL) {
+ len = (size_t)(port - hostname_or_ip - 1);
++ if (len >= INET6_ADDRSTRLEN)
++ return NULL;
+
+ /* inet_pton() will not parse the IP correctly unless it is in a
+ * separate string.
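Review bot: the new bound in the bracketed-address branch, "if (len >= INET6_ADDRSTRLEN)", is written against a constant rather than against the separate string the comment below refers to, and that buffer's declaration is outside the visible context. If the destination is a local array, comparing len against sizeof of that array would keep the check correct should the buffer size ever change, and a short comment noting that >= leaves room for the terminating NUL would explain why the comparison is not a plain >.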
+Index: sniproxy-0.6.0/tests/Makefile.am
+===================================================================
+--- sniproxy-0.6.0.orig/tests/Makefile.am 2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/Makefile.am 2023-04-29 19:26:25.017710380 +0200
+@@ -1,5 +1,7 @@
+ AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS)
+
++.NOTPARALLEL:
++
+ TESTS = address_test \
+ buffer_test \
+ cfg_tokenizer_test \
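Review bot: .NOTPARALLEL: is added above TESTS with no comment, and the commit message only says "Update tests to work on Debian 11". Since a .NOTPARALLEL target without prerequisites serializes every target in this Makefile, please add a comment naming which tests cannot run concurrently and why.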
+Index: sniproxy-0.6.0/tests/bad_dns_request_test
+===================================================================
+--- sniproxy-0.6.0.orig/tests/bad_dns_request_test 2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/bad_dns_request_test 2023-04-29 19:26:00.397699547 +0200
+@@ -36,6 +36,11 @@
+ client => \&http_client,
+ },
+ {
++ # Exceed hostname buffer size
++ request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . "example.com]\r\n\r\n",
++ client => \&http_client,
++ },
++ {
+ # Test client aborting connection before DNS response received
+ request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
+ client => \&http_client_abort,
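Review bot: the added "Exceed hostname buffer size" case only exercises a Host value far beyond the limit ('long.' x 60 followed by "example.com" is 311 characters inside the brackets), so an off-by-one in the new len >= INET6_ADDRSTRLEN check in src/address.c would go unnoticed. Consider adding cases whose bracketed value is exactly INET6_ADDRSTRLEN - 1 and exactly INET6_ADDRSTRLEN characters long to pin the boundary on both sides.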
+Index: sniproxy-0.6.0/tests/slow_client_test
+===================================================================
+--- sniproxy-0.6.0.orig/tests/slow_client_test 2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/slow_client_test 2023-04-29 19:26:00.397699547 +0200
+@@ -31,11 +31,16 @@
+ my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1',
+ PeerPort => $port,
+ Proto => "tcp",
+- Type => SOCK_STREAM)
++ Type => SOCK_STREAM,
++ Timeout => 5)
+ or die "couldn't connect $!";
+
+ $socket->send($request);
+ foreach (split("\r\n", $request)) {
++ unless ($socket->connected()) {
++ print "Disconnected\n";
++ exit(0);
++ }
+ $socket->send("$_\r\n");
+ sleep(1);
+ }
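Review bot: in the send loop, the new "unless ($socket->connected())" branch prints "Disconnected" and calls exit(0), so a connection that drops for any reason, including the server process dying, is reported as a pass. If an early disconnect is the expected outcome for this test, say so in a comment; otherwise exit non-zero here, or confirm that sniproxy is still running before exiting with 0.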
diff -Nru sniproxy-0.6.0/debian/patches/series sniproxy-0.6.0/debian/patches/series
--- sniproxy-0.6.0/debian/patches/series 2020-07-23 23:27:57.000000000 +0300
+++ sniproxy-0.6.0/debian/patches/series 2023-04-29 20:03:02.000000000 +0300
@@ -1 +1,3 @@
01_fix_gcc-10-build.patch
+
+CVE-2023-25076.patch
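Review bot: the series file gains an empty line between 01_fix_gcc-10-build.patch and CVE-2023-25076.patch. It is not needed; dropping it keeps the file to one patch name per line.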