Bug#1054421: bookworm-pu: package weborf/0.19
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: weborf@packages.debian.org, tiposchi@tiscali.it
Control: affects -1 + src:weborf
I have found a denial of service in all versions of weborf.
It is tracked in #1054417 and solved in 1.0 upstream. https://github.com/ltworf/weborf/pull/88
The issue is fixed in unstable but remains in stable and oldstable.
[ Reason ]
The bug has been there undetected for years. The fix is minimal.
[ Impact ]
The denial of service and extremely unlikely but theoretically possible
remote execution issue will remain.
The issue exists only if the process has CGI enabled (not the default).
[ Tests ]
There are no automated tests covering the issue.
[ Risks ]
The patch is just 3 lines.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
A patch to remove a memory allocation and copy, where I forgot a +1 in the copy.
The resulting code just reuses the same buffer instead of copying, which was not
needed to begin with.
[ Other info ]
Tracked in CVE-2023-46586
diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
--- weborf-0.19/debian/changelog 2022-10-15 12:57:06.000000000 +0200
+++ weborf-0.19/debian/changelog 2023-10-23 18:38:21.000000000 +0200
@@ -1,3 +1,9 @@
+weborf (0.19-3) bookworm; urgency=medium
+
+ * Backport patch from upstream to fix denial of service (Closes: 1054417)
+
+ -- Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it> Mon, 23 Oct 2023 18:38:21 +0200
+
weborf (0.19-2.1) unstable; urgency=medium
* Non-maintainer upload.
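Review bot: The new 0.19-3 changelog entry does not name CVE-2023-46586, which the report gives as the identifier for this issue; adding it to the entry line, for example "fix denial of service (CVE-2023-46586)", lets the upload be matched to the CVE from the changelog alone. The entry also targets bookworm with a plain 0.19-3 revision, whereas uploads to a Debian stable release conventionally carry a +deb12u1 style suffix on the version.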
diff -Nru weborf-0.19/debian/patches/cgi_buffer_fix.patch weborf-0.19/debian/patches/cgi_buffer_fix.patch
--- weborf-0.19/debian/patches/cgi_buffer_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ weborf-0.19/debian/patches/cgi_buffer_fix.patch 2023-10-23 18:38:15.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Fix incorrect memory operation
+ The original code failed to take into account the space needed for the
+ null terminator.
+ .
+ The patch just avoids the copy altogether, because it was not needed.
+Author: Salvo "LtWorf" Tomaselli <tiposchi@tiscali.it>
+Origin: upstream
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1054417
+Forwarded: not-needed
+Applied-Upstream: 1.0
+Last-Update: 2023-10-23
+
+--- weborf-0.19.orig/cgi.c
++++ weborf-0.19/cgi.c
+@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
+ environ = NULL; //Clear env vars
+
+ if (strlen(executor) == 0) {
+- executor = malloc(connection_prop->strfile_len + 1);
+- strncpy(executor, connection_prop->strfile, connection_prop->strfile_len);
++ executor = connection_prop->strfile;
+ }
+
+ cgi_set_http_env_vars(connection_prop->http_param);
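Review bot: The Bug: header of the new patch file still holds the template placeholder "<upstream-bugtracker-url>"; the upstream pull request linked in the report (https://github.com/ltworf/weborf/pull/88) could go there, or the field should be dropped. The Description says the space for the null terminator was not taken into account, but the removed lines allocate strfile_len + 1 bytes and copy strfile_len bytes, so what was missing is the terminator itself after the strncpy; wording it that way would match the code. Since executor now aliases connection_prop->strfile, it is also worth confirming that nothing later in cgi_execute_child frees or writes through executor.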
diff -Nru weborf-0.19/debian/patches/series weborf-0.19/debian/patches/series
--- weborf-0.19/debian/patches/series 2022-03-15 09:08:11.000000000 +0100
+++ weborf-0.19/debian/patches/series 2023-10-23 18:29:47.000000000 +0200
@@ -0,0 +1 @@
+cgi_buffer_fix.patch
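
The report describes an allocation and copy where a +1 was forgotten in the copy. The following is an added example, not part of the original report and not weborf code, that reproduces that pattern in isolation next to a terminated copy for contrast (the actual fix removes the copy instead). The function names and the sample path are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* malloc() does not zero memory; 'X' stands in for stale heap bytes. */
static char *dirty_alloc(size_t n) {
    char *p = malloc(n);
    if (p != NULL)
        memset(p, 'X', n);
    return p;
}

/* Pattern of the removed lines: len + 1 bytes allocated, len copied.
 * src holds exactly len characters, so dst[len] keeps the stale byte. */
char *copy_like_removed_lines(const char *src, size_t len) {
    char *dst = dirty_alloc(len + 1);
    if (dst != NULL)
        strncpy(dst, src, len);
    return dst;
}

/* Same allocation with the terminator written explicitly. */
char *copy_terminated(const char *src, size_t len) {
    char *dst = dirty_alloc(len + 1);
    if (dst != NULL) {
        memcpy(dst, src, len);
        dst[len] = '\0';
    }
    return dst;
}

/* 1 if buf[len] is NUL. Reads only inside the len + 1 byte block. */
int is_terminated(const char *buf, size_t len) {
    return buf[len] == '\0';
}

int main(void) {
    const char *path = "/srv/www/cgi-bin/test.cgi"; /* constructed sample */
    size_t len = strlen(path);
    char *bad = copy_like_removed_lines(path, len);
    char *good = copy_terminated(path, len);
    if (bad == NULL || good == NULL)
        return 1;
    printf("removed pattern terminated: %d\n", is_terminated(bad, len));
    printf("explicit terminator:        %d\n", is_terminated(good, len));
    free(bad);
    free(good);
    return 0;
}
```

Any later strlen() or exec call on the first buffer would read past the allocation until it happened to meet a zero byte, which is why the result depends on heap contents.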