Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id
<5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #934206,
regarding buster-pu: package
golang-github-docker-docker-credential-helpers/0.6.1-2+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
934206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934206
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
The debdiff attached brings in an upstream patch to fix
CVE-2019-1020014, hence closes #933801.
This is my first contribution to Debian Stable, please check for
beginners mistake ;)
Also, the devel-announce "Bits from the Stable Release Managers"
mentions:
* Fixes for security issues should be co-ordinated with the
Security Team, unless they have explicitly stated that they
will not issue an DSA for the bug (e.g. via a "no-dsa" marker
in the Security Tracker) [SECURITY-TRACKER]
So, is there anything else I should do here? Like, CC them or something?
Thanks!
Arnaud
-- Related links:
- <https://bugs.debian.org/933801>
- <https://security-tracker.debian.org/tracker/CVE-2019-1020014>
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog
golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog
2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog
2019-08-05 15:04:28.000000000 +0700
@@ -1,3 +1,11 @@
+golang-github-docker-docker-credential-helpers (0.6.1-2+deb10u1) buster;
urgency=medium
+
+ * Add myself to uploaders.
+ * Adjust gbp.conf for buster.
+ * Add upstream patch to fix CVE-2019-1020014 (Closes: #933801).
+
+ -- Arnaud Rebillout <[email protected]> Mon, 05 Aug 2019
15:04:28 +0700
+
golang-github-docker-docker-credential-helpers (0.6.1-2) unstable;
urgency=medium
* Team upload.
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/control
golang-github-docker-docker-credential-helpers-0.6.1/debian/control
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/control
2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/control
2019-08-05 15:04:28.000000000 +0700
@@ -3,7 +3,8 @@
Priority: optional
Maintainer: Debian Go Packaging Team
<[email protected]>
Uploaders: Tim Potter <[email protected]>,
- Jordi Mallach <[email protected]>
+ Jordi Mallach <[email protected]>,
+ Arnaud Rebillout <[email protected]>,
Build-Depends: debhelper (>= 11~),
dh-golang,
golang-any,
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf
2019-08-05 15:04:28.000000000 +0700
@@ -1,2 +1,3 @@
[DEFAULT]
+debian-branch = debian/buster
pristine-tar = True
diff -Nru
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
---
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
1970-01-01 08:00:00.000000000 +0800
+++
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
2019-08-05 15:04:28.000000000 +0700
@@ -0,0 +1,85 @@
+From: Justin Cormack <[email protected]>
+Date: Mon, 1 Jul 2019 14:37:24 +0100
+Subject: [PATCH] Fix a double free in the List functions
+
+The code was set up so that it would free the individual items and the data
+in `freeListData`, but there was already a Go `defer` to free the data item,
+resulting in a double free.
+
+Remove the `free` in `freeListData` and leave the original one.
+
+In addition, move the `defer` for freeing the list data before the error
+check, so that the data is also free in the error case. This just removes
+a minor leak.
+
+This vulnerability was discovered by:
+Jasiel Spelman of Trend Micro Zero Day Initiative and Trend Micro Team Nebula
+
+Signed-off-by: Justin Cormack <[email protected]>
+Origin: upstream,
https://github.com/docker/docker-credential-helpers/commit/87c80bf
+---
+ osxkeychain/osxkeychain_darwin.c | 1 -
+ osxkeychain/osxkeychain_darwin.go | 5 ++---
+ secretservice/secretservice_linux.c | 1 -
+ secretservice/secretservice_linux.go | 4 ++--
+ 4 files changed, 4 insertions(+), 7 deletions(-)
+
+--- a/osxkeychain/osxkeychain_darwin.c
++++ b/osxkeychain/osxkeychain_darwin.c
+@@ -223,6 +223,5 @@
+ void freeListData(char *** data, unsigned int length) {
+ for(int i=0; i<length; i++) {
+ free((*data)[i]);
+ }
+- free(*data);
+ }
+--- a/osxkeychain/osxkeychain_darwin.go
++++ b/osxkeychain/osxkeychain_darwin.go
+@@ -109,17 +109,16 @@
+ var acctsC **C.char
+ defer C.free(unsafe.Pointer(acctsC))
+ var listLenC C.uint
+ errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC)
++ defer C.freeListData(&pathsC, listLenC)
++ defer C.freeListData(&acctsC, listLenC)
+ if errMsg != nil {
+ defer C.free(unsafe.Pointer(errMsg))
+ goMsg := C.GoString(errMsg)
+ return nil, errors.New(goMsg)
+ }
+
+- defer C.freeListData(&pathsC, listLenC)
+- defer C.freeListData(&acctsC, listLenC)
+-
+ var listLen int
+ listLen = int(listLenC)
+ pathTmp := (*[1 << 30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen]
+ acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen]
+--- a/secretservice/secretservice_linux.c
++++ b/secretservice/secretservice_linux.c
+@@ -157,6 +157,5 @@
+ int i;
+ for(i=0; i<length; i++) {
+ free((*data)[i]);
+ }
+- free(*data);
+ }
+--- a/secretservice/secretservice_linux.go
++++ b/secretservice/secretservice_linux.go
+@@ -91,14 +91,14 @@
+ var acctsC **C.char
+ defer C.free(unsafe.Pointer(acctsC))
+ var listLenC C.uint
+ err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC)
++ defer C.freeListData(&pathsC, listLenC)
++ defer C.freeListData(&acctsC, listLenC)
+ if err != nil {
+ defer C.g_error_free(err)
+ return nil, errors.New("Error from list function in
secretservice_linux.c likely due to error in secretservice library")
+ }
+- defer C.freeListData(&pathsC, listLenC)
+- defer C.freeListData(&acctsC, listLenC)
+
+ resp := make(map[string]string)
+
+ listLen := int(listLenC)
diff -Nru
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series
golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series
--- golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series
2019-02-28 08:31:29.000000000 +0700
+++ golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series
2019-08-05 15:04:28.000000000 +0700
@@ -1 +1,2 @@
fix-free-err.patch
+cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10
Hi,
Each of the updates referenced in these bugs was included in the 10.10
point release today.
Regards,
Adam
--- End Message ---
