Your message dated Wed, 14 Jul 2021 13:15:11 +0000
with message-id <e1m3ejh-00032s...@respighi.debian.org>
and subject line unblock mruby
has caused the Debian Bug report #991093,
regarding unblock: mruby/2.1.2-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
991093: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991093
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package mruby
[ Reason ]
This fixes the use-after-free issue. (CVE-2020-36401)
[ Impact ]
It will be attacked by exploiting the use-after-free vulnerability.
[ Tests ]
No automated tests for this issue, but no regression releated
to backported patches were reported to upstream.
[ Risks ]
This package is a leaf package. No other package depends on this.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock mruby/2.1.2-3
Best regards,
Nobuhiro
diff -Nru mruby-2.1.2/debian/changelog mruby-2.1.2/debian/changelog
--- mruby-2.1.2/debian/changelog 2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/changelog 2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,11 @@
+mruby (2.1.2-3) unstable; urgency=medium
+
+ * Fix CVE-2020-36401.
+ Fixed the use-after-free problem. Add d/patches/Fix-CVE-2020-36401.patch.
+ This patch is included 9cdf439db5 and 97319697c8 from upstream.
+
+ -- Nobuhiro Iwamatsu <iwama...@debian.org> Mon, 12 Jul 2021 16:23:01 +0900
+
mruby (2.1.2-2) unstable; urgency=medium
* Add d/upstream/metadata.
diff -Nru mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch
mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch
--- mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch 1970-01-01
09:00:00.000000000 +0900
+++ mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch 2021-07-12
16:23:01.000000000 +0900
@@ -0,0 +1,71 @@
+Description: Fix the use-after-free problem
+Author: "Yukihiro \"Matz\" Matsumoto" <m...@ruby.or.jp>
+Origin: upstream,
https://github.com/mruby/mruby/commit/9cdf439db52b66447b4e37c61179d54fad6c8f33
+
https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990540
+Last-Update: 2021-07-12
+
+From 9cdf439db52b66447b4e37c61179d54fad6c8f33 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <m...@ruby.or.jp>
+Date: Tue, 23 Jun 2020 13:19:10 +0900
+Subject: [PATCH] Free the original pointer if `realloc` failed.
+
+The POSIX `realloc` keep the original pointer untouched, so it can
+easily leads to memory leakage. `mrb_realloc()` should handle those
+bookkeeping, while `mrb_realloc_simple()` keeps the original `realloc`
+behavior.
+---
+ src/gc.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 03c561d35..6c83911d5 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,14 +225,9 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+ p2 = mrb_realloc_simple(mrb, p, len);
+ if (len == 0) return p2;
+ if (p2 == NULL) {
+- if (mrb->gc.out_of_memory) {
+- mrb_raise_nomemory(mrb);
+- /* mrb_panic(mrb); */
+- }
+- else {
+- mrb->gc.out_of_memory = TRUE;
+- mrb_raise_nomemory(mrb);
+- }
++ mrb_free(mrb, p);
++ mrb->gc.out_of_memory = TRUE;
++ mrb_raise_nomemory(mrb);
+ }
+ else {
+ mrb->gc.out_of_memory = FALSE;
+--
+2.32.0
+
+From 97319697c8f9f6ff27b32589947e1918e3015503 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <m...@ruby.or.jp>
+Date: Thu, 2 Jul 2020 10:41:03 +0900
+Subject: [PATCH] Cancel 9cdf439
+
+Should not free the pointer in `realloc` since it can cause
+use-after-free problem.
+---
+ src/gc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 6c83911d5..e1892080f 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,7 +225,6 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+ p2 = mrb_realloc_simple(mrb, p, len);
+ if (len == 0) return p2;
+ if (p2 == NULL) {
+- mrb_free(mrb, p);
+ mrb->gc.out_of_memory = TRUE;
+ mrb_raise_nomemory(mrb);
+ }
+--
+2.32.0
+
diff -Nru mruby-2.1.2/debian/patches/series mruby-2.1.2/debian/patches/series
--- mruby-2.1.2/debian/patches/series 2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/patches/series 2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,4 @@
Change-optimize-O2-on-build-system-of-Debian.patch
add_fpic_amd64.patch
Skip-mruby-tty-test-in-io.patch
+Fix-CVE-2020-36401.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---