Argh!
Here's a new deb diff file.
I guess I will open a bug for dch to have a --oldstable flag :D
Best
--
Salvo Tomaselli
"I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect has intended us to forgo their use."
-- Galileo Galilei
https://ltworf.codeberg.page/
diff -Nru weborf-0.17/debian/changelog weborf-0.17/debian/changelog
--- weborf-0.17/debian/changelog 2020-12-31 15:13:19.000000000 +0100
+++ weborf-0.17/debian/changelog 2023-10-24 09:54:15.000000000 +0200
@@ -1,3 +1,9 @@
+weborf (0.17-3+deb11u1) bullseye; urgency=medium
+
+ * Backport patch from upstream to fix denial of service (Closes: 1054417)
+
+ -- Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it> Tue, 24 Oct 2023 09:54:15 +0200
+
weborf (0.17-3) unstable; urgency=medium
* Disable most of the test suite (flaky on debian builders)
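Review bot: the `Closes:` reference in the new changelog entry lacks the `#` that Debian changelogs conventionally use (`Closes: #1054417`); dpkg's parser accepts the bare number, but the standard form is what tooling and reviewers expect. The entry also says only "fix denial of service": naming the affected component (the CGI executor handling in `cgi.c` that `cgi_buffer_fix.patch` touches) and, if one was assigned, the CVE identifier would let the security tracker and users match this upload to the issue.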
diff -Nru weborf-0.17/debian/patches/cgi_buffer_fix.patch weborf-0.17/debian/patches/cgi_buffer_fix.patch
--- weborf-0.17/debian/patches/cgi_buffer_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ weborf-0.17/debian/patches/cgi_buffer_fix.patch 2023-10-24 09:54:15.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Fix incorrect memory operation
+ The original code failed to take into account the space needed for the
+ null terminator.
+ .
+ The patch just avoids the copy altogether, because it was not needed.
+Author: Salvo "LtWorf" Tomaselli <tiposchi@tiscali.it>
+Origin: upstream
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1054417
+Forwarded: not-needed
+Applied-Upstream: 1.0
+Last-Update: 2023-10-23
+
+--- weborf-0.19.orig/cgi.c
++++ weborf-0.19/cgi.c
+@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
+ environ = NULL; //Clear env vars
+
+ if (strlen(executor) == 0) {
+- executor = malloc(connection_prop->strfile_len + 1);
+- strncpy(executor, connection_prop->strfile, connection_prop->strfile_len);
++ executor = connection_prop->strfile;
+ }
+
+ cgi_set_http_env_vars(connection_prop->http_param);
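Review bot: the DEP-3 header still carries the template placeholder `Bug: <upstream-bugtracker-url>`; fill in the upstream issue URL or drop the field, and since the patch is declared `Origin: upstream`, point that field at the upstream commit (`Origin: upstream, <url>`) so the backport can be traced. On the code change itself, `executor` now aliases `connection_prop->strfile` instead of a private heap copy, so confirm that nothing later in `cgi_execute_child` (or its error path) frees or writes through `executor`. The removed `strncpy` copied at most `strfile_len` bytes and, when the source filled all of them, left the buffer without a terminator despite the `+ 1` in the `malloc`, which matches the header's description of the bug; a one-line note to that effect under `Description:` would make the security impact clearer than "incorrect memory operation".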
diff -Nru weborf-0.17/debian/patches/series weborf-0.17/debian/patches/series
--- weborf-0.17/debian/patches/series 2020-12-31 15:13:19.000000000 +0100
+++ weborf-0.17/debian/patches/series 2023-10-24 09:54:15.000000000 +0200
@@ -1,2 +1,3 @@
0001-sleep_in_http
002-disable_tests
+cgi_buffer_fix.patch
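Review bot: the new entry breaks the naming scheme of the existing patches in `series` (`0001-sleep_in_http`, `002-disable_tests`: numeric prefix, no extension); consider `003-cgi_buffer_fix.patch`, or at least a numeric prefix, so the application order stays readable. Also verify with `quilt push -a` that a patch generated against `weborf-0.19` applies cleanly to the 0.17 tree, since the hunk's line offsets come from the newer source.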