Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10

[Anton Gladky]

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,

this is the pre-approval request for libgetdata/0.10.0-10

It fixes CVE-2021-20204 (#988239). It is not a release critical bug,
but security issue. Diff is attached.

Thanks

unblock libgetdata/0.10.0-10

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmCX2GcRHGdsYWRrQGRl
Ymlhbi5vcmcACgkQ0+Fzg8+n/wYG0BAAlD+ubdz+Y5mTIlSqqb5mbSatB7ok0Gbs
gI9loXe46+9VupBk4hEG75EBhM5JDk4y2Zy5ZSy3ErT29/cxUhcU9U7tGht//HDg
sHCFQASoUkwxJFtUTSWFsNELA1S7ZICAAkLYzk+mLIP/tOOXqeInHscYZ+XRjPdC
Erlc+8RbTF9RTHIKXB6LEOne8IgqXgLGEWYNwIk70qUrIQ5gZlS0qiQ2hr7LhMJQ
ZmNwbGUlpAIVw3AelYb301VyS6Mfl3jSUTbunTIXrRtGI7S6RNnRA+nYHsnS/ozj
MqDMot9O9NRQS+2YyF808Mdz+wleR5TqXGuOG8vqUdCXcyRZCSCSCKVbJLAGSEPz
TmZnTUDAiFLxD0O519c2qPhV2I4HaahveDS3jmt8Wk6jbFjX/j+MCFFhrPRJgko6
CsRFm4K9jA7qWydNrZqHVC5EKCdXANmzlM8PZtckCR6srDzJj3z0MvKFybdVfYvP
/OEC4t42oTBwxaaArXXYMaNqPJIwdeCQdgTIht5SXS+yk/JdCF27ZOHuvVUTI7p8
hSYxx1pPvvet+1wwpV+Xw3uG92xuEe55nrd1lMLdhRpFyPT2LMupr043rRB6zTMr
goOL9ZlO9aKHHUAU1C1as50gD5vtBEENuVol7HCDtxQGTX79nFg8aW3oLG7ZeeTl
wPH0S5YFf+c=
=PdQH
-----END PGP SIGNATURE-----

diff --git a/debian/changelog b/debian/changelog
index 2c30a9c..514058c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libgetdata (0.10.0-10) unstable; urgency=medium
+
+  * Team upload.
+  * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)
+
+ -- Anton Gladky <gl...@debian.org>  Sun, 09 May 2021 14:27:38 +0200
+
 libgetdata (0.10.0-9) unstable; urgency=medium
 
   * Fix FTBFFS on binary-all build (missing file). Closes: #966522
diff --git a/debian/patches/CVE-2021-20204.patch 
b/debian/patches/CVE-2021-20204.patch
new file mode 100644
index 0000000..08bb876
--- /dev/null
+++ b/debian/patches/CVE-2021-20204.patch
@@ -0,0 +1,18 @@
+Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
+  Fix for CVE-2021-20204
+Author: Anton Gladky <gl...@debian.org>
+Bug-Debian: https://bugs.debian.org/988239 
+Last-Update: 2021-05-09
+
+--- libgetdata-0.10.0.orig/src/parse.c
++++ libgetdata-0.10.0/src/parse.c
+@@ -2504,6 +2504,9 @@ char *_GD_ParseFragment(FILE *restrict f
+     if (D->error == GD_E_OK && !match)
+       first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, 
strlen(in_cols[0]),
+           NULL, me, 0, 1, &outstring, tok_pos);
++      if (first_raw == NULL) {
++        _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
++      }
+ 
+     if (D->error == GD_E_FORMAT) {
+       /* call the callback for this error */
diff --git a/debian/patches/series b/debian/patches/series
index 24c0911..cc09615 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 #python3.patch
+CVE-2021-20204.patch