Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id
<2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1013418,
regarding bullseye-pu: package dbus-broker/26-1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1013418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013418
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-CC: [email protected]
Dear release team,
A low-severity CVE has been published for dbus-broker, and it affects
bullseye. In accordance with the Security Team, it does not warrant a
DSA, so we would like to fix it via p-u instead. The fix is a clean
backport, and the diff is minimal. Debdiff attached.
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343
--
Kind regards,
Luca Boccassi
diff -Nru dbus-broker-26/debian/changelog dbus-broker-26/debian/changelog
--- dbus-broker-26/debian/changelog 2021-01-22 00:00:39.000000000 +0000
+++ dbus-broker-26/debian/changelog 2022-06-22 22:27:17.000000000 +0100
@@ -1,3 +1,10 @@
+dbus-broker (26-1+deb11u1) bullseye; urgency=medium
+
+ * Backport strnspn-fix-buffer-overflow.patch to fix CVE-2022-31212
+ (Closes: #1013343)
+
+ -- Luca Boccassi <[email protected]> Wed, 22 Jun 2022 22:27:17 +0100
+
dbus-broker (26-1) unstable; urgency=low
* Update upstream source from tag 'upstream/26'
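Review bot: the changelog entry names the patch file but not the component it touches; the patch modifies the embedded copy of c-shquote under subprojects/c-shquote, and saying so here helps anyone tracking CVE-2022-31212 across packages that bundle c-shquote. Suggest: `* Backport strnspn-fix-buffer-overflow.patch (embedded c-shquote) to fix CVE-2022-31212 (Closes: #1013343)`.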
diff -Nru dbus-broker-26/debian/gbp.conf dbus-broker-26/debian/gbp.conf
--- dbus-broker-26/debian/gbp.conf 2020-12-13 22:03:47.000000000 +0000
+++ dbus-broker-26/debian/gbp.conf 2022-06-22 22:27:17.000000000 +0100
@@ -1,6 +1,6 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
upstream-branch = upstream
[pristine-tar]
diff -Nru dbus-broker-26/debian/patches/series dbus-broker-26/debian/patches/series
--- dbus-broker-26/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ dbus-broker-26/debian/patches/series 2022-06-22 22:27:17.000000000 +0100
@@ -0,0 +1 @@
+strnspn-fix-buffer-overflow.patch
diff -Nru dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch
--- dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 2022-06-22 22:27:17.000000000 +0100
@@ -0,0 +1,53 @@
+Author: David Rheinsberg <[email protected]>
+Origin: backport, https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343
+Description: strnspn: fix buffer overflow
+ Fix the strnspn and strncspn functions to use a properly sized buffer.
+ It used to be 1 byte too short. Checking for `0xff` in a string will
+ thus write `0xff` once byte beyond the stack space of the local buffer.
+ .
+ Note that the public API does not allow to pass `0xff` to those
+ functions. Therefore, this is a read-only buffer overrun, possibly
+ causing bogus reports from the parser, but still well-defined.
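Review bot: the Description contradicts itself and understates the bug: the second sentence says checking for `0xff` will "write `0xff` once byte beyond the stack space" (typo for "one byte"), while the last sentence calls it "a read-only buffer overrun ... still well-defined". Indexing a 255-element array at 255 is undefined behaviour in C whether the access is a read or a write, and the code below does write (`buffer[(unsigned char)*accept] = true;`); the overrun is "read-only" only because no public caller passes `0xff` in `accept`/`reject`, and the lookups of `string` bytes that the description's read-only claim refers to are outside the quoted context. Suggest rewording to "an out-of-bounds read, undefined behaviour but benign in practice", and adding a `Last-Update:` or `Applied-Upstream:` field to the DEP-3 header.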
+--- a/subprojects/c-shquote/src/c-shquote.c
++++ b/subprojects/c-shquote/src/c-shquote.c
+@@ -85,7 +85,7 @@
+ size_t c_shquote_strnspn(const char *string,
+ size_t n_string,
+ const char *accept) {
+- bool buffer[UCHAR_MAX] = {};
++ bool buffer[UCHAR_MAX + 1] = {};
+
+ for ( ; *accept; ++accept)
+ buffer[(unsigned char)*accept] = true;
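Review bot: the fix is right, and `UCHAR_MAX + 1` deserves a one-line comment saying why: `(unsigned char)*accept` ranges over 0..UCHAR_MAX, so a table indexed by it needs UCHAR_MAX + 1 entries, and the old `UCHAR_MAX` declaration left index 255 one past the end. Something like `bool buffer[UCHAR_MAX + 1] = {}; /* one slot per unsigned char value */` would stop the next reader from "simplifying" it back.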
+@@ -100,7 +100,7 @@
+ size_t c_shquote_strncspn(const char *string,
+ size_t n_string,
+ const char *reject) {
+- bool buffer[UCHAR_MAX] = {};
++ bool buffer[UCHAR_MAX + 1] = {};
+
+ if (strlen(reject) == 1) {
+ const char *p;
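Review bot: the same array declaration is now duplicated in strnspn and strncspn, which is how the off-by-one ended up in two places; consider a shared constant (e.g. `#define C_SHQUOTE_BYTE_TABLE_SIZE (UCHAR_MAX + 1)`) or one helper that builds the table from a set string, so both functions depend on a single definition of the size.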
+--- a/subprojects/c-shquote/src/test-private.c
++++ b/subprojects/c-shquote/src/test-private.c
+@@ -148,6 +148,9 @@
+
+ len = c_shquote_strnspn("ab", 2, "bc");
+ c_assert(len == 0);
++
++ len = c_shquote_strnspn("ab", 2, "\xff");
++ c_assert(len == 0);
+ }
+
+ static void test_strncspn(void) {
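Review bot: the new case only puts `0xff` in the `accept` set, which the patch description says the public API cannot do; the side real input can reach is `0xff` inside `string`, and that path gets no test. Add, for example, `len = c_shquote_strnspn("\xff", 1, "a"); c_assert(len == 0);`. Also, neither case fails on the old code unless the one-byte overrun is caught by a sanitizer, so run test-private with `-fsanitize=address,undefined` for these assertions to be meaningful as regression tests.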
+@@ -167,6 +170,9 @@
+
+ len = c_shquote_strncspn("ab", 2, "cd");
+ c_assert(len == 2);
++
++ len = c_shquote_strncspn("ab", 2, "\xff");
++ c_assert(len == 2);
+ }
+
+ static void test_discard_comment(void) {
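Review bot: this case never exercises the resized table: `"\xff"` has length 1, so `c_shquote_strncspn` takes the `strlen(reject) == 1` fast path shown in the hunk above and the `buffer` array is not touched. Use a reject string of at least two bytes, e.g. `len = c_shquote_strncspn("ab", 2, "c\xff"); c_assert(len == 2);` (keep the `\xff` last, since `"\xffc"` would be parsed as one out-of-range hex escape), and add a read-side case such as `len = c_shquote_strncspn("\xff", 1, "ab"); c_assert(len == 1);`.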
diff -Nru dbus-broker-26/debian/salsa-ci.yml dbus-broker-26/debian/salsa-ci.yml
--- dbus-broker-26/debian/salsa-ci.yml 2020-12-13 22:03:47.000000000 +0000
+++ dbus-broker-26/debian/salsa-ci.yml 2022-06-22 22:27:17.000000000 +0100
@@ -2,3 +2,6 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'bullseye'
--- End Message ---
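An added example, not part of the bug report or of the dbus-broker/c-shquote sources: it models the byte-lookup-table pattern that strnspn/strncspn use, with an explicit bounds check in place of the raw array index, so the off-by-one in the 255-entry table can be shown on the `\xff` inputs from the patch's tests without executing undefined behaviour. All names (`checked_strnspn`, `checked_strncspn`, `fill_table`, `TABLE_BUGGY`, `TABLE_FIXED`, `OOB_INDEX`) are hypothetical, and the single-byte `strlen(reject) == 1` fast path of the real strncspn is deliberately not modelled, so a one-byte reject set does reach the table here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Logical table sizes under test (hypothetical names, not from c-shquote). */
#define TABLE_BUGGY (UCHAR_MAX)        /* 255 entries: index 255 falls off the end */
#define TABLE_FIXED (UCHAR_MAX + 1)    /* 256 entries: one per unsigned char value */

/* Returned instead of a length when a byte would index past the table. */
#define OOB_INDEX SIZE_MAX

/*
 * Mark every byte of 'set' in 'table', treating only the first 'table_size'
 * entries as valid. Returns false instead of writing past that limit; this is
 * the write the patch description talks about (0xff inside accept/reject).
 */
static bool fill_table(bool *table, size_t table_size, const char *set)
{
    memset(table, 0, table_size * sizeof table[0]);
    for (; *set; ++set) {
        size_t idx = (unsigned char)*set;   /* 0..UCHAR_MAX: 256 distinct values */
        if (idx >= table_size)
            return false;
        table[idx] = true;
    }
    return true;
}

/*
 * Length of the longest prefix of string[0..n_string) made only of bytes in
 * 'accept' (the c_shquote_strnspn contract). Returns OOB_INDEX if any byte of
 * 'accept' or 'string' would index outside a table of 'table_size' entries.
 */
static size_t checked_strnspn(const char *string, size_t n_string,
                              const char *accept, size_t table_size)
{
    bool table[UCHAR_MAX + 1];   /* physically large enough; table_size is the modelled limit */

    if (!fill_table(table, table_size, accept))
        return OOB_INDEX;
    for (size_t i = 0; i < n_string; ++i) {
        size_t idx = (unsigned char)string[i];
        if (idx >= table_size)
            return OOB_INDEX;        /* the read side, reachable from parser input */
        if (!table[idx])
            return i;
    }
    return n_string;
}

/* Same model for the c_shquote_strncspn contract: stop at the first byte found in 'reject'. */
static size_t checked_strncspn(const char *string, size_t n_string,
                               const char *reject, size_t table_size)
{
    bool table[UCHAR_MAX + 1];

    if (!fill_table(table, table_size, reject))
        return OOB_INDEX;
    for (size_t i = 0; i < n_string; ++i) {
        size_t idx = (unsigned char)string[i];
        if (idx >= table_size)
            return OOB_INDEX;
        if (table[idx])
            return i;
    }
    return n_string;
}

static void report(const char *what, size_t r)
{
    if (r == OOB_INDEX)
        printf("%-40s out-of-bounds table index (the CVE-2022-31212 off-by-one)\n", what);
    else
        printf("%-40s %zu\n", what, r);
}

int main(void)
{
    /* Inputs are the ones test-private.c asserts on, plus \xff in 'string' (constructed here). */
    report("strnspn(\"ab\", \"bc\") / 256 entries",     checked_strnspn("ab", 2, "bc", TABLE_FIXED));
    report("strnspn(\"ab\", \"\\xff\") / 256 entries",  checked_strnspn("ab", 2, "\xff", TABLE_FIXED));
    report("strnspn(\"ab\", \"\\xff\") / 255 entries",  checked_strnspn("ab", 2, "\xff", TABLE_BUGGY));
    report("strncspn(\"ab\", \"cd\") / 256 entries",    checked_strncspn("ab", 2, "cd", TABLE_FIXED));
    report("strncspn(\"\\xff\", \"ab\") / 256 entries", checked_strncspn("\xff", 1, "ab", TABLE_FIXED));
    report("strncspn(\"\\xff\", \"ab\") / 255 entries", checked_strncspn("\xff", 1, "ab", TABLE_BUGGY));
    return 0;
}
```

With TABLE_FIXED the two functions return exactly the values test-private.c asserts; with TABLE_BUGGY the same `\xff` inputs report an out-of-bounds index instead of silently touching the byte after the table, and the `"\xff"` in `string` case shows the read side that any caller can reach even though the public API never puts `0xff` into accept/reject.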
--- Begin Message ---
Package: release.debian.org
Version: 11.4
(re-sending with fixed bug numbers)
Hi,
The updates discussed in these bugs were included in today's bullseye
point release.
Regards,
Adam
--- End Message ---