--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package libeconf/0.5.1+dfsg1-1+deb12u1
- From: Andreas Henriksson <andreas@fatal.se>
- Date: Mon, 10 Feb 2025 20:38:37 +0000
- Message-id: <173921959941.3339322.7996742974636617793.reportbug@xps>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libeconf@packages.debian.org
Control: affects -1 + src:libeconf
[ Reason ]
I'd like to upload an updated libeconf package to bookworm
that addresses the two open CVEs (both fixed by cherry-picking
a single upstream commit as a patch).
[ Impact ]
The patch fixes two buffer overflows in the code
(and an initialization error) as published in bookworm.
[ Tests ]
The upstream test-suite has been run and passed as part
of building the package in a bookworm chroot.
[ Risks ]
The risks are very low, since there are no reverse dependencies
of libeconf in bookworm and the change will only affect people who have
custom-built software against the libeconf package.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
(ignoring debian/gbp.conf branch changes)
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable/bookworm
[x] the issue is verified as fixed in unstable
(newer upstream release already includes the same commit)
[ Changes ]
Upstream commit https://github.com/openSUSE/libeconf/commit/8d086dfc69d4299e55e4844e3573b3a4cf420f19
is cherry-picked into debian/patches (via `gbp pq import/export`).
[Other info]
git branch at: https://salsa.debian.org/debian/libeconf/-/tree/debian/bookworm?ref_type=heads
debdiff attached.
Regards,
Andreas Henriksson
diff -Nru libeconf-0.5.1+dfsg1/debian/changelog libeconf-0.5.1+dfsg1/debian/changelog
--- libeconf-0.5.1+dfsg1/debian/changelog 2023-02-18 20:15:37.000000000 +0100
+++ libeconf-0.5.1+dfsg1/debian/changelog 2025-02-10 21:04:57.000000000 +0100
@@ -1,3 +1,11 @@
+libeconf (0.5.1+dfsg1-1+deb12u1) bookworm; urgency=medium
+
+ * Cherry-pick upstream buffer overflow fix (Closes: #1037333)
+ - CVE-2023-32181
+ - CVE-2023-22652
+
+ -- Andreas Henriksson <andreas@fatal.se> Mon, 10 Feb 2025 21:04:57 +0100
+
libeconf (0.5.1+dfsg1-1) unstable; urgency=medium
* New upstream release.
diff -Nru libeconf-0.5.1+dfsg1/debian/gbp.conf libeconf-0.5.1+dfsg1/debian/gbp.conf
--- libeconf-0.5.1+dfsg1/debian/gbp.conf 2022-07-18 23:45:01.000000000 +0200
+++ libeconf-0.5.1+dfsg1/debian/gbp.conf 2025-02-10 21:00:36.000000000 +0100
@@ -1,5 +1,5 @@
[DEFAULT]
-debian-branch = debian/master
+debian-branch = debian/bookworm
upstream-branch = upstream/latest
pristine-tar = True
sign-tags = True
diff -Nru libeconf-0.5.1+dfsg1/debian/patches/0001-Aarch64-gcc13-183.patch libeconf-0.5.1+dfsg1/debian/patches/0001-Aarch64-gcc13-183.patch
--- libeconf-0.5.1+dfsg1/debian/patches/0001-Aarch64-gcc13-183.patch 1970-01-01 01:00:00.000000000 +0100
+++ libeconf-0.5.1+dfsg1/debian/patches/0001-Aarch64-gcc13-183.patch 2025-02-10 21:01:49.000000000 +0100
@@ -0,0 +1,98 @@
+From: Stefan Schubert <stefan@gefluegelhof-schubert.de>
+Date: Fri, 24 Mar 2023 15:14:07 +0100
+Subject: Aarch64 gcc13 (#183)
+
+* fixed initializatio error
+
+* fixed buffer overflow
+
+* fixed buffer overflow
+
+(cherry picked from commit 8d086dfc69d4299e55e4844e3573b3a4cf420f19)
+---
+ lib/getfilecontents.c | 7 +++----
+ lib/helpers.c | 1 +
+ lib/libeconf.c | 2 ++
+ lib/libeconf_ext.c | 1 +
+ 4 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/getfilecontents.c b/lib/getfilecontents.c
+index 94e1db9..f9b1afc 100644
+--- a/lib/getfilecontents.c
++++ b/lib/getfilecontents.c
+@@ -180,7 +180,7 @@ store (econf_file *ef, const char *group, const char *key,
+
+ ef->file_entry[ef->length-1].line_number = line_number;
+
+- ef->file_entry[ef->length-1].quotes |= quotes;
++ ef->file_entry[ef->length-1].quotes = quotes;
+
+ if (group)
+ ef->file_entry[ef->length-1].group = strdup(group);
+@@ -265,11 +265,12 @@ read_file(econf_file *ef, const char *file,
+ }
+ ef->delimiter = *delim;
+
+- while (fgets(buf, sizeof(buf), kf)) {
++ while (fgets(buf, BUFSIZ-1, kf)) {
+ char *p, *name, *data = NULL;
+ bool quote_seen = false, delim_seen = false;
+ char *org_buf __attribute__ ((__cleanup__(free_buffer))) = strdup(buf);
+
++ buf[BUFSIZ-1] = '\0';
+ line++;
+ last_scanned_line_nr = line;
+
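Review bot: The added `buf[BUFSIZ-1] = '\0';` runs after `strdup(buf)` has already read the buffer, so it cannot protect that copy, and fgets() already NUL-terminates whatever it stores within the size it is given. If the terminator is meant as defence in depth, it belongs before the `strdup` line; otherwise it can be dropped. The declaration of `buf` is outside the hunk, so whether `BUFSIZ-1` matches its real size cannot be confirmed from here. Note also that an input line longer than the bound is returned in several pieces and each piece passes through `line++`, so the line numbers stored for later entries drift; read_file's body continues outside the hunk.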
+@@ -410,8 +411,6 @@ read_file(econf_file *ef, const char *file,
+ if (!found_delim &&
+ /* Entry has already been found */
+ ef->length > 0 &&
+- /* Value of previous entry is not Null. So delimiter has been found in the previous line */
+- ef->file_entry[ef->length-1].value != NULL &&
+ /* The Entry must be the next line. Otherwise it is a new one */
+ ef->file_entry[ef->length-1].line_number+1 == line)
+ {
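Review bot: With the `value != NULL` test removed, the continuation branch is now entered for any entry recorded on the preceding line, including one whose `value` is still NULL. The branch body lies outside the hunk, so it should be confirmed that it checks `ef->file_entry[ef->length-1].value` before handing it to a string function. A short comment on the condition saying why the NULL test is no longer needed would help the next reader, since the removed comment was the only explanation of that clause.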
+diff --git a/lib/helpers.c b/lib/helpers.c
+index d721727..3e1541a 100644
+--- a/lib/helpers.c
++++ b/lib/helpers.c
+@@ -47,6 +47,7 @@ void initialize(econf_file *key_file, size_t num) {
+ key_file->file_entry[num].value = strdup(KEY_FILE_NULL_VALUE);
+ key_file->file_entry[num].comment_before_key = NULL;
+ key_file->file_entry[num].comment_after_value = NULL;
++ key_file->file_entry[num].quotes = false;
+ }
+
+ // Remove whitespace from beginning and end, append string terminator
+diff --git a/lib/libeconf.c b/lib/libeconf.c
+index d2026ea..0bed98f 100644
+--- a/lib/libeconf.c
++++ b/lib/libeconf.c
+@@ -509,6 +509,7 @@ econf_err econf_writeFile(econf_file *key_file, const char *save_to_dir,
+ char *value_string = buf;
+
+ strncpy(buf,key_file->file_entry[i].comment_before_key,BUFSIZ-1);
++ buf[BUFSIZ-1] = '\0';
+ while ((line = strsep(&value_string, "\n")) != NULL) {
+ fprintf(kf, "%c%s\n",
+ key_file->comment,
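Review bot: The added `buf[BUFSIZ-1] = '\0';` closes the unterminated-buffer read after `strncpy`, but a `comment_before_key` longer than BUFSIZ-1 bytes is now silently cut when the file is written. The same pattern is in the `comment_after_value` hunk that follows and in `econf_getExtValue` in lib/libeconf_ext.c, where a truncated value is handed on to `trim()` as if it were complete. Splitting a heap copy instead, `char *copy = strdup(key_file->file_entry[i].comment_before_key);` with a NULL check and a `free` after the loop, would remove the fixed-size limit; failing that, the length should be compared against the buffer size and an error returned. The declaration of `buf` is outside these hunks, so the fix is only sound if it is at least BUFSIZ bytes.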
+@@ -533,6 +534,7 @@ econf_err econf_writeFile(econf_file *key_file, const char *save_to_dir,
+ char *value_string = buf;
+
+ strncpy(buf,key_file->file_entry[i].comment_after_value,BUFSIZ-1);
++ buf[BUFSIZ-1] = '\0';
+ while ((line = strsep(&value_string, "\n")) != NULL) {
+ fprintf(kf, " %c%s\n",
+ key_file->comment,
+diff --git a/lib/libeconf_ext.c b/lib/libeconf_ext.c
+index fe3cdf4..137b869 100644
+--- a/lib/libeconf_ext.c
++++ b/lib/libeconf_ext.c
+@@ -82,6 +82,7 @@ econf_getExtValue(econf_file *kf, const char *group,
+
+ if (value_string!=NULL) {
+ strncpy(buf,value_string,BUFSIZ-1);
++ buf[BUFSIZ-1] = '\0';
+ free(value_string);
+ value_string = trim(buf);
+
diff -Nru libeconf-0.5.1+dfsg1/debian/patches/series libeconf-0.5.1+dfsg1/debian/patches/series
--- libeconf-0.5.1+dfsg1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libeconf-0.5.1+dfsg1/debian/patches/series 2025-02-10 21:01:49.000000000 +0100
@@ -0,0 +1 @@
+0001-Aarch64-gcc13-183.patch
--- End Message ---