Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
The attached debdiff for freediameter fixes CVE-2020-6098 in Buster. It is marked as no-dsa by the security team. After uploading the patch in 1.2.1-8 to unstable, nobody has complained about anything being broken yet.

Thorsten
diff -Nru freediameter-1.2.1/debian/changelog freediameter-1.2.1/debian/changelog --- freediameter-1.2.1/debian/changelog 2018-10-14 10:26:18.000000000 +0200 +++ freediameter-1.2.1/debian/changelog 2020-07-13 20:03:02.000000000 +0200 @@ -1,3 +1,12 @@ +freediameter (1.2.1-7+deb10u1) buster; urgency=medium + + * Team upload + * CVE-2020-6098 (Closes: #985088) + Anybody can send a specially crafted Diameter request, which triggers + a memory corruption and thus results in a denial-of-service. + + -- Thorsten Alteholz <[email protected]> Mon, 13 Jul 2020 19:03:02 +0100 + freediameter (1.2.1-7) unstable; urgency=medium * Build using "old" SCTP API since the new one fails to build in Debian diff -Nru freediameter-1.2.1/debian/patches/CVE-2020-6098.patch freediameter-1.2.1/debian/patches/CVE-2020-6098.patch --- freediameter-1.2.1/debian/patches/CVE-2020-6098.patch 1970-01-01 01:00:00.000000000 +0100 +++ freediameter-1.2.1/debian/patches/CVE-2020-6098.patch 2020-07-13 20:03:02.000000000 +0200 
@@ -0,0 +1,32 @@ +Description: Anybody can send a specially cafted Diameter request, which triggers + a memory corruption and thus results in a denial-of-service. +Index: freediameter-1.2.1/libfdproto/messages.c +=================================================================== +--- freediameter-1.2.1.orig/libfdproto/messages.c 2021-03-22 16:47:24.581610685 +0100 ++++ freediameter-1.2.1/libfdproto/messages.c 2021-03-22 16:47:24.573610508 +0100 +@@ -1945,6 +1945,14 @@ + offset += 4; + } + ++ /* Check the length is valid */ ++ if ( avp->avp_public.avp_len < GETAVPHDRSZ(avp->avp_public.avp_flags) ) { ++ TRACE_DEBUG(INFO, "Invalid AVP size %d", ++ avp->avp_public.avp_len); ++ free(avp); ++ return EBADMSG; ++ } ++ + /* Check there is enough remaining data in the buffer */ + if ( (avp->avp_public.avp_len > GETAVPHDRSZ(avp->avp_public.avp_flags)) + && (buflen - offset < avp->avp_public.avp_len - GETAVPHDRSZ(avp->avp_public.avp_flags))) { +@@ -1991,6 +1999,10 @@ + TRACE_DEBUG(INFO, "Truncated message (%zd / %d)", buflen, msglen ); + return EBADMSG; + } ++ if ( msglen < GETMSGHDRSZ() ) { ++ TRACE_DEBUG(INFO, "Invalid message length (%d)", msglen ); ++ return EBADMSG; ++ } + + /* Create a new object */ + CHECK_MALLOC( new = malloc (sizeof(struct msg)) ); diff -Nru freediameter-1.2.1/debian/patches/series freediameter-1.2.1/debian/patches/series --- freediameter-1.2.1/debian/patches/series 2018-10-14 10:26:18.000000000 +0200 +++ freediameter-1.2.1/debian/patches/series 2020-07-13 20:03:02.000000000 +0200 @@ -3,3 +3,5 @@ 0003-Set-default-debian-location-for-freeDiameter-configu.patch 0004-Disable-running-tests-that-require-the-kernel-module.patch 0005-Build-using-old-API-since-the-new-FTBFS-on-sid.patch + +CVE-2020-6098.patch
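Review bot: the trailer of the new debian/changelog entry is dated Mon, 13 Jul 2020 19:03:02 +0100, while the messages.c headers inside the patch it ships carry 2021-03-22 timestamps and the debdiff file times use +0200. Refresh the trailer so it reflects when this buster upload was prepared. The entry also describes only the impact; naming the added file (debian/patches/CVE-2020-6098.patch) would record what actually changed.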
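Review bot: the header of debian/patches/CVE-2020-6098.patch has a typo in its Description ("cafted" should be "crafted") and carries no provenance fields; an Origin or Author line and a Bug-Debian reference to #985088 would let a later reader trace where the fix came from. In the embedded messages.c change, the new AVP check logs only "Invalid AVP size %d"; printing the required minimum from GETAVPHDRSZ(avp->avp_public.avp_flags) alongside avp_len would make a rejected message diagnosable from the trace alone. The patch also adds no test that feeds an AVP or message whose length field is smaller than its header, which is the case both new checks exist to reject.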
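Review bot: the debian/patches/series hunk adds an empty line ahead of CVE-2020-6098.patch, so two lines are added for one entry. Drop the blank line so the new entry directly follows 0005-Build-using-old-API-since-the-new-FTBFS-on-sid.patch, matching the existing entries.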

