Hi, attached is the debdiff for dulwich fixing CVE-2015-0838. Since this is might first LTS upload it'd be happy about somebody having a second look.
The fix is a straight cherry pick from Wheezy. Cheers, -- Guido
diff --git a/debian/changelog b/debian/changelog index 87cc441..af8f8e9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +dulwich (0.6.1-1+deb6u1) squeeze-lts; urgency=high + + * CVE-2015-0838: Fix buffer overflow in C version of apply_delta() + + -- Guido Günther <a...@sigxcpu.org> Tue, 26 May 2015 21:46:59 +0200 + dulwich (0.6.1-1) unstable; urgency=low * New upstream release. diff --git a/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch new file mode 100644 index 0000000..beee163 --- /dev/null +++ b/debian/patches/CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch @@ -0,0 +1,59 @@ +From: =?utf-8?q?Jelmer_Vernoo=C4=B3?= <jel...@google.com> +Date: Fri, 22 May 2015 15:01:47 +0200 +Subject: CVE-2015-0838: Fix buffer overflow in C version of apply_delta() + +Cheery-picked from upstream commmit +1c7e06f6ae53cf4a755fe734db7114be67daf35b. +--- + dulwich/_pack.c | 8 ++++++-- + dulwich/tests/test_pack.py | 8 ++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/dulwich/_pack.c b/dulwich/_pack.c +index ee79b40..c6ab327 100644 +--- a/dulwich/_pack.c ++++ b/dulwich/_pack.c +@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args) + break; + memcpy(out+outindex, src_buf+cp_off, cp_size); + outindex += cp_size; ++ dest_size -= cp_size; + } else if (cmd != 0) { ++ if (cmd > dest_size) ++ break; + memcpy(out+outindex, delta+index, cmd); + outindex += cmd; +- index += cmd; ++ index += cmd; ++ dest_size -= cmd; + } else { + PyErr_SetString(PyExc_ValueError, "Invalid opcode 0"); + Py_DECREF(ret); +@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args) + return NULL; + } + +- if (dest_size != outindex) { ++ if (dest_size != 0) { + PyErr_SetString(PyExc_ValueError, "dest size incorrect"); + Py_DECREF(ret); + return NULL; +diff --git a/dulwich/tests/test_pack.py b/dulwich/tests/test_pack.py +index b6aea48..2bbd674 100644 +--- a/dulwich/tests/test_pack.py ++++ b/dulwich/tests/test_pack.py +@@ -155,6 +155,14 @@ class TestPackDeltas(TestCase): + def test_overflow(self): + self._test_roundtrip(self.test_string_empty, self.test_string_big) + ++ def test_dest_overflow(self): ++ self.assertRaises( ++ ValueError, ++ apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000) ++ self.assertRaises( ++ ValueError, ++ apply_delta, '', '\x00\x80\x02\xb0\x11\x11') ++ + + class TestPackData(PackTests): + """Tests getting the data from the packfile.""" diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..7a0b9eb --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch