Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi release team,

The ros-ros-comm version in stretch is affected by CVE-2019-13566, which was flagged no-dsa by the security team. I propose the attached patch to fix the issue. Would you be fine with me uploading it?

This is the same as #945896, just for stretch. I adopted the values as reportbug doesn't seem to support stretch-pu. Hope I did it right.

Cheers Jochen

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog index 28db48e..b4bfdc6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +ros-ros-comm (1.12.6-2+deb9u1) stretch; urgency=high + + * Add https://github.com/ros/ros_comm/pull/1771 (Fix CVE-2019-13566) + + -- Jochen Sprickerhof <jspri...@debian.org> Sun, 24 Nov 2019 17:03:50 +0100 + ros-ros-comm (1.12.6-2) unstable; urgency=medium * rebuild due to changes in ros-genpy diff --git a/debian/patches/0007-fixing-string-check.patch b/debian/patches/0007-fixing-string-check.patch new file mode 100644 index 0000000..53dbe12 --- /dev/null +++ b/debian/patches/0007-fixing-string-check.patch 
@@ -0,0 +1,65 @@ +From: Daniel Wang <daniel.w...@canonical.com> +Date: Mon, 22 Jul 2019 15:47:21 -0700 +Subject: fixing string check + +Signed-off-by: Daniel Wang <daniel.w...@canonical.com> +--- + clients/roscpp/src/libros/transport/transport_tcp.cpp | 8 ++++---- + clients/roscpp/src/libros/transport/transport_udp.cpp | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/clients/roscpp/src/libros/transport/transport_tcp.cpp b/clients/roscpp/src/libros/transport/transport_tcp.cpp +index f061fc2..6a537a2 100644 +--- a/clients/roscpp/src/libros/transport/transport_tcp.cpp ++++ b/clients/roscpp/src/libros/transport/transport_tcp.cpp +@@ -266,7 +266,7 @@ bool TransportTCP::connect(const std::string& host, int port) + + bool found = false; + struct addrinfo* it = addr; +- char namebuf[128]; ++ char namebuf[128] = {}; + for (; it; it = it->ai_next) + { + if (!s_use_ipv6_ && it->ai_family == AF_INET) +@@ -278,7 +278,7 @@ bool TransportTCP::connect(const std::string& host, int port) + address->sin_family = it->ai_family; + address->sin_port = htons(port); + +- strcpy(namebuf, inet_ntoa(address->sin_addr)); ++ strncpy(namebuf, inet_ntoa(address->sin_addr), sizeof(namebuf)-1); + found = true; + break; + } +@@ -723,14 +723,14 @@ std::string TransportTCP::getClientURI() + sockaddr_in *sin = (sockaddr_in *)&sas; + sockaddr_in6 *sin6 = (sockaddr_in6 *)&sas; + +- char namebuf[128]; ++ char namebuf[128] = {}; + int port; + + switch (sas.ss_family) + { + case AF_INET: + port = ntohs(sin->sin_port); +- strcpy(namebuf, inet_ntoa(sin->sin_addr)); ++ strncpy(namebuf, inet_ntoa(sin->sin_addr), sizeof(namebuf)-1); + break; + case AF_INET6: + port = ntohs(sin6->sin6_port); +diff --git a/clients/roscpp/src/libros/transport/transport_udp.cpp b/clients/roscpp/src/libros/transport/transport_udp.cpp +index 848893b..d472a73 100644 +--- a/clients/roscpp/src/libros/transport/transport_udp.cpp ++++ b/clients/roscpp/src/libros/transport/transport_udp.cpp +@@ -706,9 +706,9 @@ 
std::string TransportUDP::getClientURI() + + sockaddr_in *sin = (sockaddr_in *)&sas; + +- char namebuf[128]; ++ char namebuf[128] = {}; + int port = ntohs(sin->sin_port); +- strcpy(namebuf, inet_ntoa(sin->sin_addr)); ++ strncpy(namebuf, inet_ntoa(sin->sin_addr), sizeof(namebuf)-1); + + std::string ip = namebuf; + std::stringstream uri; diff --git a/debian/patches/series b/debian/patches/series index bb74494..6695bde 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ 0004-Fix-executable-not-elf-or-script.patch 0005-Add-defaults-to-roswtf.patch 0007-move-heaers-to-include-xmlrpcpp.patch +0007-fixing-string-check.patch
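
Review bot: In the transport_tcp.cpp hunks (TransportTCP::connect at @@ -278 and the AF_INET case of TransportTCP::getClientURI at @@ -723) the bounded copy still reads from inet_ntoa(), which returns a pointer to a static buffer that later calls overwrite, so the change bounds the write but leaves the non-reentrant source in place. inet_ntop(AF_INET, &sin->sin_addr, namebuf, sizeof(namebuf)) writes straight into namebuf, takes the destination size itself, and removes the need for the intermediate strncpy.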
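
Review bot: In the transport_udp.cpp hunk (TransportUDP::getClientURI) NUL termination of namebuf relies on two separate lines staying in sync: the "= {}" initialiser and the "sizeof(namebuf)-1" bound. If a later edit drops the initialiser, the last byte is indeterminate again. Since the only visible use is "std::string ip = namebuf;", either set namebuf[sizeof(namebuf)-1] = '\0' explicitly after the copy or add a comment tying the two lines together.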
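
Review bot: In the debian/patches/series hunk the new entry 0007-fixing-string-check.patch reuses the 0007 prefix already taken by 0007-move-heaers-to-include-xmlrpcpp.patch, which makes the series order ambiguous when reading the patches directory. Renaming it to 0008-fixing-string-check.patch would keep the numbering unique. The patch header also carries only From, Date and Subject; an Origin: line pointing at https://github.com/ros/ros_comm/pull/1771 (the URL already given in the changelog entry) would record where the change came from.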