Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Ulfius package contains the bug that is rewferred by CVE-2021-40540 [ Impact ] Application segfault when a malformed http request is received [ Risks ] the patch is trivial, the risk is low [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] add 'memset(con_info, 0, sizeof(struct connection_info_struct));' after con_info is malloced to initialize the structure and avoid testing an undefined value.
diff -Nru ulfius-2.5.2/debian/changelog ulfius-2.5.2/debian/changelog --- ulfius-2.5.2/debian/changelog 2019-01-12 12:41:47.000000000 -0500 +++ ulfius-2.5.2/debian/changelog 2021-09-20 08:15:27.000000000 -0400 @@ -1,3 +1,9 @@ +ulfius (2.5.2-4+deb10u1) buster; urgency=medium + + * d/patches: Fix CVE-2021-40540 + + -- Nicolas Mora <nico...@babelouest.org> Mon, 20 Sep 2021 08:15:27 -0400 + ulfius (2.5.2-4) unstable; urgency=medium * debian/rules: remove override_dh_auto_test since now it's executed diff -Nru ulfius-2.5.2/debian/patches/CVE-2021-40540.patch ulfius-2.5.2/debian/patches/CVE-2021-40540.patch --- ulfius-2.5.2/debian/patches/CVE-2021-40540.patch 1969-12-31 19:00:00.000000000 -0500 +++ ulfius-2.5.2/debian/patches/CVE-2021-40540.patch 2021-09-20 08:15:27.000000000 -0400 @@ -0,0 +1,13 @@ +Description: Fix CVE-2021-40540 +Author: Nicolas Mora <babelou...@debian.org> +Forwarded: not-needed +--- a/src/ulfius.c ++++ b/src/ulfius.c +@@ -190,6 +190,7 @@ + UNUSED(cls); + + if (con_info != NULL) { ++ memset(con_info, 0, sizeof(struct connection_info_struct)); + con_info->callback_first_iteration = 1; + con_info->u_instance = NULL; + u_map_init(&con_info->map_url_initial); diff -Nru ulfius-2.5.2/debian/patches/series ulfius-2.5.2/debian/patches/series --- ulfius-2.5.2/debian/patches/series 2019-01-12 12:41:47.000000000 -0500 +++ ulfius-2.5.2/debian/patches/series 2021-09-20 08:15:27.000000000 -0400 @@ -1,3 +1,4 @@ examples.patch test.patch cmake.patch +CVE-2021-40540.patch