
Bug#1036000: marked as done (unblock: sniproxy/0.6.0-2.1)



Your message dated Sun, 14 May 2023 15:46:34 +0000
with message-id <E1pyDve-00173U-10@respighi.debian.org>
and subject line unblock sniproxy
has caused the Debian Bug report #1036000,
regarding unblock: sniproxy/0.6.0-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036000
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: sniproxy@packages.debian.org, sniproxy@packages.debian.org, roam@debian.org
Control: affects -1 + src:sniproxy

Please unblock package sniproxy

Version 0.6.0-2.1 fixes the #1033752 RC bug (grave, security)
about a buffer overflow that may lead to arbitrary code
execution. I am in the process of adopting the package
(see #1035759), and I'm in communication with Thorsten
Alteholz, who did the NMU to fix the bug.

[ Reason ]
Security issue, arbitrary code execution due to a buffer overflow.
See #1033752 for details.

[ Impact ]
Systems where sniproxy is used are currently vulnerable to
remote code execution.

[ Tests ]
The next upstream version of sniproxy, 0.6.1, that was
released with a single change - to fix this bug - and that
I will soon upload to experimental, contains a test case that
makes sure sniproxy does not die on such a malformed request:
https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583#diff-e1a0a6ea76cf301ec1fc8564ca08c0a20ae7fdc14f27355ab77a217e09efd833
(the bad_dns_request_test change)
The patch includes this change, although the tests are not
run during the Debian package build or afterwards; however,
a manual `make check` in the package build directory will
show the test passing.

I intend to try to run those tests both during the build and
as autopkgtests.

[ Risks ]
The fix is straightforward (for someone familiar with network
programming in C) and targeted. IMHO the risks are minimal,
if any at all. 

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock sniproxy/0.6.0-2.1

diff -Nru sniproxy-0.6.0/debian/changelog sniproxy-0.6.0/debian/changelog
--- sniproxy-0.6.0/debian/changelog	2020-07-23 23:27:57.000000000 +0300
+++ sniproxy-0.6.0/debian/changelog	2023-04-29 20:03:02.000000000 +0300
@@ -1,3 +1,11 @@
+sniproxy (0.6.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-25076 (Closes: #1033752)
+    fix buffer overflow while handling wildcard backend hosts
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sat, 29 Apr 2023 19:03:02 +0200
+
 sniproxy (0.6.0-2) unstable; urgency=medium
 
   * Fix "ftbfs with GCC-10" by applying patch
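Review bot: `urgency=medium` on the new `sniproxy (0.6.0-2.1)` line looks low for an upload whose only change closes CVE-2023-25076 (#1033752); consider `urgency=high`. The entry would also be easier to audit if it named the file the fix touches (src/address.c) next to the CVE line.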
diff -Nru sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch
--- sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch	1970-01-01 02:00:00.000000000 +0200
+++ sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch	2023-04-29 20:03:02.000000000 +0300
@@ -0,0 +1,71 @@
+commit f8d9a433fe22ab2fa15c00179048ab02ae23d583
+Author: Dustin Lundquist <dustin@null-ptr.net>
+Date:   Thu Mar 16 20:42:20 2023 -0700
+
+    address: fix buffer overflow
+    
+    Update tests to work on Debian 11.
+
+Index: sniproxy-0.6.0/src/address.c
+===================================================================
+--- sniproxy-0.6.0.orig/src/address.c	2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/src/address.c	2023-04-29 19:26:00.397699547 +0200
+@@ -143,6 +143,8 @@
+     if (hostname_or_ip[0] == '[' &&
+             (port = strchr(hostname_or_ip, ']')) != NULL) {
+         len = (size_t)(port - hostname_or_ip - 1);
++        if (len >= INET6_ADDRSTRLEN)
++            return NULL;
+ 
+         /* inet_pton() will not parse the IP correctly unless it is in a
+          * separate string.
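Review bot: the new `if (len >= INET6_ADDRSTRLEN)` check hard-codes the limit while the destination buffer's declaration is outside the visible context, so the bound and the buffer size can drift apart; comparing against `sizeof` of the destination array would keep the two tied together. The `>=` is the right comparison if that buffer is INET6_ADDRSTRLEN bytes, because it leaves room for the terminating NUL, and a one-line comment saying so would help. Returning NULL here also assumes every caller handles a NULL result, which is worth confirming since the added test reaches this path with a client-supplied Host header.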
+Index: sniproxy-0.6.0/tests/Makefile.am
+===================================================================
+--- sniproxy-0.6.0.orig/tests/Makefile.am	2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/Makefile.am	2023-04-29 19:26:25.017710380 +0200
+@@ -1,5 +1,7 @@
+ AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS)
+ 
++.NOTPARALLEL:
++
+ TESTS = address_test \
+         buffer_test \
+         cfg_tokenizer_test \
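Review bot: the added `.NOTPARALLEL:` line carries no comment saying which tests interfere with each other when run concurrently; put the reason in a comment directly above it so it is not later removed as a leftover. Without prerequisites it serialises every target in tests/Makefile.am, so if only a few scripts conflict it is worth saying that too.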
+Index: sniproxy-0.6.0/tests/bad_dns_request_test
+===================================================================
+--- sniproxy-0.6.0.orig/tests/bad_dns_request_test	2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/bad_dns_request_test	2023-04-29 19:26:00.397699547 +0200
+@@ -36,6 +36,11 @@
+         client => \&http_client,
+     },
+     {
++        # Exceed hostname buffer size
++        request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . "example.com]\r\n\r\n",
++        client => \&http_client,
++    },
++    {
+         # Test client aborting connection before DNS response received
+         request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
+         client => \&http_client_abort,
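Review bot: the new case uses `'long.' x 60`, which is far past the limit and never exercises the boundary of the `len >= INET6_ADDRSTRLEN` check in src/address.c; add cases with a bracketed host of exactly INET6_ADDRSTRLEN - 1 and INET6_ADDRSTRLEN characters so an off-by-one in that comparison would be caught. The comment `# Exceed hostname buffer size` also does not say what outcome is expected from the proxy, and stating it would make a regression easier to recognise.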
+Index: sniproxy-0.6.0/tests/slow_client_test
+===================================================================
+--- sniproxy-0.6.0.orig/tests/slow_client_test	2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/slow_client_test	2023-04-29 19:26:00.397699547 +0200
+@@ -31,11 +31,16 @@
+     my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1',
+             PeerPort => $port,
+             Proto => "tcp",
+-            Type => SOCK_STREAM)
++            Type => SOCK_STREAM,
++            Timeout => 5)
+         or die "couldn't connect $!";
+ 
+     $socket->send($request);
+     foreach (split("\r\n", $request)) {
++        unless ($socket->connected()) {
++            print "Disconnected\n";
++            exit(0);
++        }
+         $socket->send("$_\r\n");
+         sleep(1);
+     }
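Review bot: `exit(0)` in the new `unless ($socket->connected())` branch reports success for any disconnect, including one caused by the proxy dying mid-request, which is the kind of failure this test suite is meant to catch. Either add a comment explaining why a disconnect is an acceptable outcome for the slow client, or make the test confirm the sniproxy process is still running before it passes. The new `Timeout => 5` is also an unexplained literal; a short comment on why 5 seconds was chosen would help.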
diff -Nru sniproxy-0.6.0/debian/patches/series sniproxy-0.6.0/debian/patches/series
--- sniproxy-0.6.0/debian/patches/series	2020-07-23 23:27:57.000000000 +0300
+++ sniproxy-0.6.0/debian/patches/series	2023-04-29 20:03:02.000000000 +0300
@@ -1 +1,3 @@
 01_fix_gcc-10-build.patch
+
+CVE-2023-25076.patch
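Review bot: the blank `+` line added before `CVE-2023-25076.patch` is unnecessary; dropping it keeps debian/patches/series at one patch name per line with no gaps.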



--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
