Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <[email protected]>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #846031,
regarding jessie-pu: package tre/0.8.0-4+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
846031: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846031
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Dear Release Managers:
Salvatore told me that this does not warrant a DSA, so I've prepared
this upload for jessie-proposed-updates, to be considered for stable.
It fixes CVE-2016-8859.
Debdiff is attached.
Thanks.
diff -Nru tre-0.8.0/debian/changelog tre-0.8.0/debian/changelog
--- tre-0.8.0/debian/changelog 2014-04-30 00:38:40.000000000 +0200
+++ tre-0.8.0/debian/changelog 2016-11-28 00:31:36.000000000 +0100
@@ -1,3 +1,12 @@
+tre (0.8.0-4+deb8u1) jessie; urgency=medium
+
+ * Add debian/patches/03-cve-2016-8859 to fix CVE-2016-8859.
+ Patch borrowed from wheezy LTS. Closes: #842169.
+ * Add locales-all to Build-Depends, required to run the test suite.
+ * Add debian/clean with files generated/modified during the build.
+
+ -- Santiago Vila <[email protected]> Mon, 28 Nov 2016 00:31:36 +0100
+
tre (0.8.0-4) unstable; urgency=medium
* I'm having a déjà vu.
diff -Nru tre-0.8.0/debian/clean tre-0.8.0/debian/clean
--- tre-0.8.0/debian/clean 1970-01-01 01:00:00.000000000 +0100
+++ tre-0.8.0/debian/clean 2016-11-27 23:00:00.000000000 +0100
@@ -0,0 +1,4 @@
+tests/agrep/basic.in
+tests/agrep/delimiters.in
+tests/agrep/exitstatus.in
+tests/agrep/records.in
diff -Nru tre-0.8.0/debian/control tre-0.8.0/debian/control
--- tre-0.8.0/debian/control 2014-04-29 12:00:00.000000000 +0200
+++ tre-0.8.0/debian/control 2016-11-27 23:00:00.000000000 +0100
@@ -4,7 +4,7 @@
Maintainer: Santiago Vila <[email protected]>
Uploaders: Milan Zamazal <[email protected]>
Standards-Version: 3.9.5
-Build-Depends: gettext (>= 0.18.1.1-8), debhelper (>= 9)
+Build-Depends: gettext (>= 0.18.1.1-8), debhelper (>= 9), locales-all
Package: libtre5
Architecture: any
diff -Nru tre-0.8.0/debian/patches/03-cve-2016-8859
tre-0.8.0/debian/patches/03-cve-2016-8859
--- tre-0.8.0/debian/patches/03-cve-2016-8859 1970-01-01 01:00:00.000000000
+0100
+++ tre-0.8.0/debian/patches/03-cve-2016-8859 2016-11-27 23:03:00.000000000
+0100
@@ -0,0 +1,73 @@
+From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
+From: Rich Felker <[email protected]>
+Date: Thu, 6 Oct 2016 18:34:58 -0400
+Subject: fix missing integer overflow checks in regexec buffer size
+ computations
+
+most of the possible overflows were already ruled out in practice by
+regcomp having already succeeded performing larger allocations.
+however at least the num_states*num_tags multiplication can clearly
+overflow in practice. for safety, check them all, and use the proper
+type, size_t, rather than int.
+
+also improve comments, use calloc in place of malloc+memset, and
+remove bogus casts.
+---
+ src/regex/regexec.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+Note: patch was modified to apply to tre, parts were taken from
+https://github.com/laurikari/tre/issues/37
+
+--- a/lib/tre-match-parallel.c
++++ b/lib/tre-match-parallel.c
+@@ -59,6 +59,7 @@
+ #ifdef HAVE_MALLOC_H
+ #include <malloc.h>
+ #endif /* HAVE_MALLOC_H */
++#include <stdint.h>
+
+ #include "tre-internal.h"
+ #include "tre-match-utils.h"
+@@ -150,11 +151,24 @@
+
+ /* Allocate memory for temporary data required for matching. This
needs to
+ be done for every matching operation to be thread safe. This allocates
+- everything in a single large block from the stack frame using alloca()
+- or with malloc() if alloca is unavailable. */
++ everything in a single large block with calloc(). */
+ {
+- int tbytes, rbytes, pbytes, xbytes, total_bytes;
++ size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
+ char *tmp_buf;
++
++ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
++ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
++ if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
++ return REG_BADPAT;
++
++ /* Likewise check rbytes. */
++ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
++ return REG_BADPAT;
++
++ /* Likewise check pbytes. */
++ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
++ return REG_BADPAT;
++
+ /* Compute the length of the block we need. */
+ tbytes = sizeof(*tmp_tags) * num_tags;
+ rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
+@@ -168,11 +182,11 @@
+ #ifdef TRE_USE_ALLOCA
+ buf = alloca(total_bytes);
+ #else /* !TRE_USE_ALLOCA */
+- buf = xmalloc((unsigned)total_bytes);
++ buf = xmalloc(total_bytes);
+ #endif /* !TRE_USE_ALLOCA */
+ if (buf == NULL)
+ return REG_ESPACE;
+- memset(buf, 0, (size_t)total_bytes);
++ memset(buf, 0, total_bytes);
+
+ /* Get the various pointers within tmp_buf (properly aligned). */
+ tmp_tags = (void *)buf;
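Review bot: The rewritten comment in the allocation hunk says the block is obtained "with calloc()", but the code this port leaves in place still calls alloca(total_bytes) under TRE_USE_ALLOCA and xmalloc(total_bytes) followed by memset otherwise, so neither the comment nor the "use calloc in place of malloc+memset" line of the borrowed commit message describes lib/tre-match-parallel.c. Keep the original comment wording, or extend the "patch was modified to apply to tre" note to say that only the overflow checks and the int to size_t change were taken. The TRE_USE_ALLOCA branch deserves a second look as well: the new checks cap each term at 1/8 of SIZE_MAX, which rules out wraparound but not a request far larger than the stack, and alloca does not report failure, so the buf == NULL test cannot catch that case. The first check also divides by an expression containing tnfa->num_states; a one-line comment stating why num_states cannot be zero here would make that safe to read.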
diff -Nru tre-0.8.0/debian/patches/series tre-0.8.0/debian/patches/series
--- tre-0.8.0/debian/patches/series 2014-04-29 12:00:00.000000000 +0200
+++ tre-0.8.0/debian/patches/series 2016-11-27 23:00:00.000000000 +0100
@@ -1,3 +1,4 @@
01-agrep-is-called-tre-agrep-here
02-added-de-po-translation
+03-cve-2016-8859
99-autoreconf
diff -Nru tre-0.8.0/debian/rules tre-0.8.0/debian/rules
--- tre-0.8.0/debian/rules 2014-04-29 12:00:00.000000000 +0200
+++ tre-0.8.0/debian/rules 2016-11-27 23:00:00.000000000 +0100
@@ -6,8 +6,6 @@
dh_clean
cd po && rm -f *.gmo
-override_dh_auto_test:
-
override_dh_auto_configure:
touch -d "2014-04-29 12:00" `cat debian/modified-files.txt`
dh_auto_configure -- --enable-static
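Review bot: Removing the empty override_dh_auto_test target means dh_auto_test now runs during the build, yet debian/changelog mentions this only indirectly, through the locales-all Build-Depends entry "required to run the test suite". For a stable update, state explicitly in the changelog that the previously disabled test suite is being enabled, since a test failure will now fail the package build.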
--- End Message ---
--- Begin Message ---
Version: 8.7
Hi,
Each of these bugs refers to an update that was included in today's 8.7
point release.
Regards,
Adam
--- End Message ---