Bug#1054421: marked as done (bookworm-pu: package weborf/0.19)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054421,
regarding bookworm-pu: package weborf/0.19
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1054421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054421
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package weborf/0.19
• From: "Salvo \"LtWorf\" Tomaselli" <tiposchi@tiscali.it>
• Date: Mon, 23 Oct 2023 19:07:44 +0200
• Message-id: <169808086443.132463.2800034848915277082.reportbug@galatea>

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: weborf@packages.debian.org, tiposchi@tiscali.it
Control: affects -1 + src:weborf

I have found a denial of service in all versions of weborf.

It is tracked in #1054417 and solved in 1.0 upstream. https://github.com/ltworf/weborf/pull/88

The issue is fixed in unstable but remains in stable and oldstable.

[ Reason ]
The bug has been there undetected for years. The fix is minimal.

[ Impact ]
The denial of service and extremely unlikely but theoretically possible
remote execution issue will remain.

The issue exists only if the process has CGI enabled (not the default).

[ Tests ]

There are no automated tests covering the issue.

[ Risks ]

The patch is just 3 lines.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]

A patch to remove a memory allocation and copy, where I forgot a +1 in the copy.

The resulting code just reuses the same buffer instead of copying, which was not
needed to begin with.

[ Other info ]

Tracked in CVE-2023-46586

diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
--- weborf-0.19/debian/changelog	2022-10-15 12:57:06.000000000 +0200
+++ weborf-0.19/debian/changelog	2023-10-23 18:38:21.000000000 +0200
@@ -1,3 +1,9 @@
+weborf (0.19-3) bookworm; urgency=medium
+
+  * Backport patch from upstream to fix denial of service (Closes: 1054417)
+
+ -- Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it>  Mon, 23 Oct 2023 18:38:21 +0200
+
 weborf (0.19-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru weborf-0.19/debian/patches/cgi_buffer_fix.patch weborf-0.19/debian/patches/cgi_buffer_fix.patch
--- weborf-0.19/debian/patches/cgi_buffer_fix.patch	1970-01-01 01:00:00.000000000 +0100
+++ weborf-0.19/debian/patches/cgi_buffer_fix.patch	2023-10-23 18:38:15.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Fix incorrect memory operation
+ The original code failed to take into account the space needed for the
+ null terminator.
+ .
+ The patch just avoids the copy altogether, because it was not needed.
+Author: Salvo "LtWorf" Tomaselli <tiposchi@tiscali.it>
+Origin: upstream
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1054417
+Forwarded: not-needed
+Applied-Upstream: 1.0
+Last-Update: 2023-10-23
+
+--- weborf-0.19.orig/cgi.c
++++ weborf-0.19/cgi.c
+@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
+     environ = NULL; //Clear env vars
+ 
+     if (strlen(executor) == 0) {
+-        executor = malloc(connection_prop->strfile_len + 1);
+-        strncpy(executor, connection_prop->strfile, connection_prop->strfile_len);
++        executor = connection_prop->strfile;
+     }
+ 
+     cgi_set_http_env_vars(connection_prop->http_param);
diff -Nru weborf-0.19/debian/patches/series weborf-0.19/debian/patches/series
--- weborf-0.19/debian/patches/series	2022-03-15 09:08:11.000000000 +0100
+++ weborf-0.19/debian/patches/series	2023-10-23 18:29:47.000000000 +0200
@@ -0,0 +1 @@
+cgi_buffer_fix.patch

--- End Message ---

--- Begin Message ---

• To: 1040860-done@bugs.debian.org, 1050384-done@bugs.debian.org, 1050868-done@bugs.debian.org, 1052227-done@bugs.debian.org, 1052229-done@bugs.debian.org, 1053141-done@bugs.debian.org, 1053461-done@bugs.debian.org, 1053532-done@bugs.debian.org, 1053681-done@bugs.debian.org, 1053895-done@bugs.debian.org, 1053908-done@bugs.debian.org, 1053918-done@bugs.debian.org, 1054096-done@bugs.debian.org, 1054100-done@bugs.debian.org, 1054119-done@bugs.debian.org, 1054122-done@bugs.debian.org, 1054286-done@bugs.debian.org, 1054287-done@bugs.debian.org, 1054340-done@bugs.debian.org, 1054363-done@bugs.debian.org, 1054401-done@bugs.debian.org, 1054421-done@bugs.debian.org, 1054442-done@bugs.debian.org, 1054470-done@bugs.debian.org, 1054589-done@bugs.debian.org, 1055009-done@bugs.debian.org, 1055031-done@bugs.debian.org, 1055086-done@bugs.debian.org, 1055155-done@bugs.debian.org, 1055226-done@bugs.debian.org, 1055229-done@bugs.debian.org, 1055241-done@bugs.debian.org, 1055350-done@bugs.debian.org, 1055419-done@bugs.debian.org, 1055539-done@bugs.debian.org, 1055588-done@bugs.debian.org, 1055611-done@bugs.debian.org, 1055859-done@bugs.debian.org, 1055894-done@bugs.debian.org, 1055944-done@bugs.debian.org, 1055965-done@bugs.debian.org, 1055986-done@bugs.debian.org, 1056006-done@bugs.debian.org, 1056136-done@bugs.debian.org, 1056158-done@bugs.debian.org, 1056164-done@bugs.debian.org, 1056169-done@bugs.debian.org, 1056194-done@bugs.debian.org, 1056228-done@bugs.debian.org, 1056252-done@bugs.debian.org, 1056307-done@bugs.debian.org, 1056318-done@bugs.debian.org, 1056330-done@bugs.debian.org, 1056521-done@bugs.debian.org, 1056696-done@bugs.debian.org, 1056716-done@bugs.debian.org, 1056721-done@bugs.debian.org, 1056732-done@bugs.debian.org, 1056737-done@bugs.debian.org, 1056741-done@bugs.debian.org, 1056744-done@bugs.debian.org, 1056917-done@bugs.debian.org, 1056934-done@bugs.debian.org, 1056958-done@bugs.debian.org, 1056987-done@bugs.debian.org, 1057038-done@bugs.debian.org, 1057069-done@bugs.debian.org, 1057070-done@bugs.debian.org, 1057071-done@bugs.debian.org, 1057099-done@bugs.debian.org, 1057103-done@bugs.debian.org, 1057116-done@bugs.debian.org, 1057125-done@bugs.debian.org, 1057128-done@bugs.debian.org, 1057129-done@bugs.debian.org, 1057156-done@bugs.debian.org, 1057157-done@bugs.debian.org, 1057159-done@bugs.debian.org, 1057236-done@bugs.debian.org, 1057239-done@bugs.debian.org, 1057274-done@bugs.debian.org, 1057300-done@bugs.debian.org, 1057310-done@bugs.debian.org, 1057311-done@bugs.debian.org, 1057325-done@bugs.debian.org, 1057327-done@bugs.debian.org
• Subject: Closing requests for updates included in 12.3 point release
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 09 Dec 2023 10:20:37 +0000
• Message-id: <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---