Bug#994887: buster-pu: package ulfius/2.5.2-4

Wed, 22 Sep 2021 08:39:15 -0700 

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Ulfius package contains the bug that is rewferred by CVE-2021-40540

[ Impact ]
Application segfault when a malformed http request is received

[ Risks ]
the patch is trivial, the risk is low

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
add 'memset(con_info, 0, sizeof(struct connection_info_struct));' after
con_info is malloced to initialize the structure and avoid testing an undefined
value.

diff -Nru ulfius-2.5.2/debian/changelog ulfius-2.5.2/debian/changelog
--- ulfius-2.5.2/debian/changelog       2019-01-12 12:41:47.000000000 -0500
+++ ulfius-2.5.2/debian/changelog       2021-09-20 08:15:27.000000000 -0400
@@ -1,3 +1,9 @@
+ulfius (2.5.2-4+deb10u1) buster; urgency=medium
+
+  * d/patches: Fix CVE-2021-40540
+
+ -- Nicolas Mora <nico...@babelouest.org>  Mon, 20 Sep 2021 08:15:27 -0400
+
 ulfius (2.5.2-4) unstable; urgency=medium
 
   * debian/rules: remove override_dh_auto_test since now it's executed
diff -Nru ulfius-2.5.2/debian/patches/CVE-2021-40540.patch 
ulfius-2.5.2/debian/patches/CVE-2021-40540.patch
--- ulfius-2.5.2/debian/patches/CVE-2021-40540.patch    1969-12-31 
19:00:00.000000000 -0500
+++ ulfius-2.5.2/debian/patches/CVE-2021-40540.patch    2021-09-20 
08:15:27.000000000 -0400
@@ -0,0 +1,13 @@
+Description: Fix CVE-2021-40540
+Author: Nicolas Mora <babelou...@debian.org>
+Forwarded: not-needed
+--- a/src/ulfius.c
++++ b/src/ulfius.c
+@@ -190,6 +190,7 @@
+   UNUSED(cls);
+   
+   if (con_info != NULL) {
++    memset(con_info, 0, sizeof(struct connection_info_struct));
+     con_info->callback_first_iteration = 1;
+     con_info->u_instance = NULL;
+     u_map_init(&con_info->map_url_initial);
diff -Nru ulfius-2.5.2/debian/patches/series ulfius-2.5.2/debian/patches/series
--- ulfius-2.5.2/debian/patches/series  2019-01-12 12:41:47.000000000 -0500
+++ ulfius-2.5.2/debian/patches/series  2021-09-20 08:15:27.000000000 -0400
@@ -1,3 +1,4 @@
 examples.patch
 test.patch
 cmake.patch
+CVE-2021-40540.patch

Reply via email to