Your message dated Sat, 17 Mar 2018 17:48:33 +0100
with message-id <[email protected]>
and subject line Re: Bug#890125: jessie-pu: package uwsgi/2.0.7-1+deb8u2
has caused the Debian Bug report #890125,
regarding jessie-pu: package uwsgi/2.0.7-1+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
890125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890125
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

Hi

The attached debdiff addresses CVE-2018-6758 / 889753 for uwsgi in
jessie. Cf.
http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The
issue does not warrant a DSA.

+uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+    (Closes: #889753)

Can it be considered for the upcoming jessie point release?

Regards,
Salvatore
diff -Nru uwsgi-2.0.7/debian/changelog uwsgi-2.0.7/debian/changelog
--- uwsgi-2.0.7/debian/changelog        2017-02-19 22:17:18.000000000 +0100
+++ uwsgi-2.0.7/debian/changelog        2018-02-06 21:39:42.000000000 +0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+    (Closes: #889753)
+
+ -- Salvatore Bonaccorso <[email protected]>  Tue, 06 Feb 2018 21:39:42 +0100
+
 uwsgi (2.0.7-1+deb8u1) jessie; urgency=medium
 
   * Add patch cherry-picked upstream to fix compilation with recent
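
Review bot: the second bullet of the new 2.0.7-1+deb8u2 entry names the flaw ("Stack-based buffer overflow in uwsgi_expand_path function") rather than the change made. Wording it as a fix and naming the added patch file, 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch, would let someone reading only the changelog see what was done and where.
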
diff -Nru 
uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
 
uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
--- 
uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
  1970-01-01 01:00:00.000000000 +0100
+++ 
uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
  2018-02-06 21:39:42.000000000 +0100
@@ -0,0 +1,46 @@
+From: Unbit <[email protected]>
+Date: Tue, 6 Feb 2018 16:01:47 +0100
+Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack
+ corruption and potential security issue
+Origin: 
https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
+Bug-Debian: https://bugs.debian.org/889753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758
+
+---
+ core/utils.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/core/utils.c b/core/utils.c
+index b4c98dfd..fd886932 100644
+--- a/core/utils.c
++++ b/core/utils.c
+@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, 
pid_t pid) {
+ }
+ 
+ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+-      char src[PATH_MAX + 1];
+-      memcpy(src, dir, dir_len);
+-      src[dir_len] = 0;
++      if (dir_len > PATH_MAX)
++      {
++              uwsgi_log("invalid path size: %d (max %d)\n", dir_len, 
PATH_MAX);
++              return NULL;
++      }
++      char *src = uwsgi_concat2n(dir, dir_len, "", 0);
+       char *dst = ptr;
+       if (!dst)
+               dst = uwsgi_malloc(PATH_MAX + 1);
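
Review bot: the new guard `if (dir_len > PATH_MAX)` at the top of uwsgi_expand_path() checks only the upper bound, and `dir_len` is a signed `int`, so a negative length passes the check and reaches `uwsgi_concat2n(dir, dir_len, "", 0)` unvalidated. Rejecting `dir_len < 0` in the same condition would close that side as well. Separately, the added block puts the opening brace on its own line, while the `if (!dst)` just below uses the file's brace-less form; matching the surrounding style would keep the backport easier to compare against upstream.
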
+@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char 
*ptr) {
+               uwsgi_error_realpath(src);
+               if (!ptr)
+                       free(dst);
++              free(src);
+               return NULL;
+       }
++      free(src);
+       return dst;
+ }
+ 
+-- 
+2.11.0
+
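
Review bot: the two added `free(src)` calls, one in the error branch and one before `return dst`, must now be mirrored on every exit that follows the `uwsgi_concat2n()` allocation. Both returns visible in this hunk are covered, and the early `return NULL` for an oversized `dir_len` happens before `src` is allocated, so nothing leaks as written. A single cleanup point at the end of the function would make a missed free harder to introduce in later edits, and a short comment noting that `src` is now heap-allocated would document why the frees are there.
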
diff -Nru uwsgi-2.0.7/debian/patches/series uwsgi-2.0.7/debian/patches/series
--- uwsgi-2.0.7/debian/patches/series   2017-02-08 20:11:59.000000000 +0100
+++ uwsgi-2.0.7/debian/patches/series   2018-02-06 21:39:42.000000000 +0100
@@ -1,4 +1,5 @@
 020150415~f6e5db9.patch
+0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
 1001_avoid_setting_RPATH.patch
 1002_fix-reload-process-name.patch
 1003_remove-php-libs.patch
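
Review bot: the added series entry keeps the git format-patch name `0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch`, while the neighbouring entries use a date-and-hash or `100x_` prefix, and in second position it applies before the `1001` to `1003` patches. Renaming it to follow the existing numbering, or putting the CVE id in the file name, would make both the intended ordering and the purpose clear from the series file alone.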

--- End Message ---
--- Begin Message ---
Hi

On Sun, Feb 11, 2018 at 01:05:04PM +0100, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: [email protected]
> Usertags: pu
> 
> Hi
> 
> The attached debdiff addresses CVE-2018-6758 / 889753 for uwsgi in
> jessie. Cf.
> http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The
> issue does not warrant a DSA.
> 
> +uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
> +    (Closes: #889753)
> 
> Can it be considered for the upcoming jessie point release?

The fix was included in DSA-4142-1 so this one can be closed.

Regards,
Salvatore

--- End Message ---
