Your message dated Sat, 09 Dec 2023 10:20:37 +0000 with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 12.3 point release has caused the Debian Bug report #1054421, regarding bookworm-pu: package weborf/0.19 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1054421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054421 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package weborf/0.19
- From: "Salvo \"LtWorf\" Tomaselli" <tiposchi@tiscali.it>
- Date: Mon, 23 Oct 2023 19:07:44 +0200
- Message-id: <169808086443.132463.2800034848915277082.reportbug@galatea>
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian.org@packages.debian.org Usertags: pu X-Debbugs-Cc: weborf@packages.debian.org, tiposchi@tiscali.it Control: affects -1 + src:weborf I have found a denial of service in all versions of weborf. It is tracked in #1054417 and solved in 1.0 upstream. https://github.com/ltworf/weborf/pull/88 The issue is fixed in unstable but remains in stable and oldstable. [ Reason ] The bug has been there undetected for years. The fix is minimal. [ Impact ] The denial of service and extremely unlikely but theoretically possible remote execution issue will remain. The issue exists only if the process has CGI enabled (not the default). [ Tests ] There are no automated tests covering the issue. [ Risks ] The patch is just 3 lines. [ Checklist ] [*] *all* changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in (old)stable [*] the issue is verified as fixed in unstable [ Changes ] A patch to remove a memory allocation and copy, where I forgot a +1 in the copy. The resulting code just reuses the same buffer instead of copying, which was not needed to begin with. [ Other info ] Tracked in CVE-2023-46586diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog --- weborf-0.19/debian/changelog 2022-10-15 12:57:06.000000000 +0200 +++ weborf-0.19/debian/changelog 2023-10-23 18:38:21.000000000 +0200 @@ -1,3 +1,9 @@ +weborf (0.19-3) bookworm; urgency=medium + + * Backport patch from upstream to fix denial of service (Closes: 1054417) + + -- Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it> Mon, 23 Oct 2023 18:38:21 +0200 + weborf (0.19-2.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru weborf-0.19/debian/patches/cgi_buffer_fix.patch weborf-0.19/debian/patches/cgi_buffer_fix.patch --- weborf-0.19/debian/patches/cgi_buffer_fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ weborf-0.19/debian/patches/cgi_buffer_fix.patch 2023-10-23 18:38:15.000000000 +0200 @@ -0,0 +1,25 @@ +Description: Fix incorrect memory operation + The original code failed to take into account the space needed for the + null terminator. + . + The patch just avoids the copy altogether, because it was not needed. +Author: Salvo "LtWorf" Tomaselli <tiposchi@tiscali.it> +Origin: upstream +Bug: <upstream-bugtracker-url> +Bug-Debian: https://bugs.debian.org/1054417 +Forwarded: not-needed +Applied-Upstream: 1.0 +Last-Update: 2023-10-23 + +--- weborf-0.19.orig/cgi.c ++++ weborf-0.19/cgi.c +@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con + environ = NULL; //Clear env vars + + if (strlen(executor) == 0) { +- executor = malloc(connection_prop->strfile_len + 1); +- strncpy(executor, connection_prop->strfile, connection_prop->strfile_len); ++ executor = connection_prop->strfile; + } + + cgi_set_http_env_vars(connection_prop->http_param); diff -Nru weborf-0.19/debian/patches/series weborf-0.19/debian/patches/series --- weborf-0.19/debian/patches/series 2022-03-15 09:08:11.000000000 +0100 +++ weborf-0.19/debian/patches/series 2023-10-23 18:29:47.000000000 +0200 @@ -0,0 +1 @@ +cgi_buffer_fix.patch
--- End Message ---
--- Begin Message ---
- To: 1040860-done@bugs.debian.org, 1050384-done@bugs.debian.org, 1050868-done@bugs.debian.org, 1052227-done@bugs.debian.org, 1052229-done@bugs.debian.org, 1053141-done@bugs.debian.org, 1053461-done@bugs.debian.org, 1053532-done@bugs.debian.org, 1053681-done@bugs.debian.org, 1053895-done@bugs.debian.org, 1053908-done@bugs.debian.org, 1053918-done@bugs.debian.org, 1054096-done@bugs.debian.org, 1054100-done@bugs.debian.org, 1054119-done@bugs.debian.org, 1054122-done@bugs.debian.org, 1054286-done@bugs.debian.org, 1054287-done@bugs.debian.org, 1054340-done@bugs.debian.org, 1054363-done@bugs.debian.org, 1054401-done@bugs.debian.org, 1054421-done@bugs.debian.org, 1054442-done@bugs.debian.org, 1054470-done@bugs.debian.org, 1054589-done@bugs.debian.org, 1055009-done@bugs.debian.org, 1055031-done@bugs.debian.org, 1055086-done@bugs.debian.org, 1055155-done@bugs.debian.org, 1055226-done@bugs.debian.org, 1055229-done@bugs.debian.org, 1055241-done@bugs.debian.org, 1055350-done@bugs.debian.org, 1055419-done@bugs.debian.org, 1055539-done@bugs.debian.org, 1055588-done@bugs.debian.org, 1055611-done@bugs.debian.org, 1055859-done@bugs.debian.org, 1055894-done@bugs.debian.org, 1055944-done@bugs.debian.org, 1055965-done@bugs.debian.org, 1055986-done@bugs.debian.org, 1056006-done@bugs.debian.org, 1056136-done@bugs.debian.org, 1056158-done@bugs.debian.org, 1056164-done@bugs.debian.org, 1056169-done@bugs.debian.org, 1056194-done@bugs.debian.org, 1056228-done@bugs.debian.org, 1056252-done@bugs.debian.org, 1056307-done@bugs.debian.org, 1056318-done@bugs.debian.org, 1056330-done@bugs.debian.org, 1056521-done@bugs.debian.org, 1056696-done@bugs.debian.org, 1056716-done@bugs.debian.org, 1056721-done@bugs.debian.org, 1056732-done@bugs.debian.org, 1056737-done@bugs.debian.org, 1056741-done@bugs.debian.org, 1056744-done@bugs.debian.org, 1056917-done@bugs.debian.org, 1056934-done@bugs.debian.org, 1056958-done@bugs.debian.org, 1056987-done@bugs.debian.org, 1057038-done@bugs.debian.org, 1057069-done@bugs.debian.org, 1057070-done@bugs.debian.org, 1057071-done@bugs.debian.org, 1057099-done@bugs.debian.org, 1057103-done@bugs.debian.org, 1057116-done@bugs.debian.org, 1057125-done@bugs.debian.org, 1057128-done@bugs.debian.org, 1057129-done@bugs.debian.org, 1057156-done@bugs.debian.org, 1057157-done@bugs.debian.org, 1057159-done@bugs.debian.org, 1057236-done@bugs.debian.org, 1057239-done@bugs.debian.org, 1057274-done@bugs.debian.org, 1057300-done@bugs.debian.org, 1057310-done@bugs.debian.org, 1057311-done@bugs.debian.org, 1057325-done@bugs.debian.org, 1057327-done@bugs.debian.org
- Subject: Closing requests for updates included in 12.3 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Dec 2023 10:20:37 +0000
- Message-id: <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 12.3 Hi, Each of the updates discussed in these requests was included in this morning's 12.3 bookworm point release. Regards, Adam
--- End Message ---