Bug#1066965: bookworm-pu: package newlib/3.3.0-2
Package: release.debian.org
The <URL: https://tracker.debian.org/pkg/newlib > package got an open
security problem with malloc and friends in stable and oldstable, see
<URL: https://bugs.debian.org/984446 > for the CVE issue. The package
is orphaned.
I would like to fix the bug at least in stable, and propose the
following upload. The change is already in the git repo on salsa in the
debian/bookworm branch. The problem is already fixed in unstable and
testing with a new version of the upstream code. The fix to stable is
only the minimal patch to solve the issue.
I propose to use the version number 3.3.0-2, but am open to better
proposals. The version in testing is 4.4.0.20231231-2.
Complete proposed patch is below:
diff --git a/debian/changelog b/debian/changelog
index b3e3ef851..1c8ddc5cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+newlib (3.3.0-2) bookworm; urgency=medium
+
+ * QA upload.
+ * Orphan package to reflect status in Unstable.
+ * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
+ check in malloc and friends.
+
+ -- Petter Reinholdtsen <pere@debian.org> Sat, 16 Mar 2024 08:53:41 +0100
+
newlib (3.3.0-1.3) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/control b/debian/control
index ff12d0bc5..4daa4e559 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
Source: newlib
Section: devel
Priority: optional
-Maintainer: Agustin Henze <tin@debian.org>
+Maintainer: Debian QA Group <packages@qa.debian.org>
Build-Depends:
debhelper (>= 9),
texinfo,
diff --git a/debian/gbp.conf b/debian/gbp.conf
index f4a0824a9..04f21b160 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,7 @@
[DEFAULT]
pristine-tar = True
merge = True
+debian-branch = debian/bookworm
[import-orig]
postimport = gbp dch --debian-branch=$GBP_BRANCH --new-version=$GBP_DEBIAN_VERSION
diff --git a/debian/patches/mallocr-CVE-2021-3420.patch b/debian/patches/mallocr-CVE-2021-3420.patch
new file mode 100644
index 000000000..cd93fa41e
--- /dev/null
+++ b/debian/patches/mallocr-CVE-2021-3420.patch
@@ -0,0 +1,50 @@
+From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
+From: Corinna Vinschen <vinschen@redhat.com>
+Date: Tue, 17 Nov 2020 10:50:57 +0100
+Subject: malloc/nano-malloc: correctly check for out-of-bounds allocation reqs
+Origin: https://keithp.com/cgit/picolibc.git/patch/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
+Forwarded: not-needed
+
+The overflow check in mEMALIGn erroneously checks for INT_MAX,
+albeit the input parameter is size_t. Fix this to check for
+__SIZE_MAX__ instead. Also, it misses to check the req against
+adding the alignment before calling mALLOc.
+
+While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
+nano_valloc, and Cygwin's (unused) dlpvalloc.
+
+Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
+---
+ newlib/libc/stdlib/mallocr.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+(limited to 'newlib/libc/stdlib/mallocr.c')
+
+diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
+index 9ad720ada..13d014cc8 100644
+--- a/newlib/libc/stdlib/mallocr.c
++++ b/newlib/libc/stdlib/mallocr.c
+@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
+ nb = request2size(bytes);
+
+ /* Check for overflow. */
+- if (nb > INT_MAX || nb < bytes)
++ if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
+ {
+ RERRNO = ENOMEM;
+ return 0;
+@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
+ #endif
+ {
+ size_t pagesize = malloc_getpagesize;
++ if (bytes > __SIZE_MAX__ - pagesize)
++ {
++ RERRNO = ENOMEM;
++ return 0;
++ }
+ return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
+ }
+
+--
+cgit v1.2.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 3de9ae1fa..4b7d26190 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
reproducible-builds-locale.patch
fix-include-paths-nano-specs.patch
+mallocr-CVE-2021-3420.patch
Reply to: