Bug#1036000: marked as done (unblock: sniproxy/0.6.0-2.1)

Debian Bug Tracking System Sun, 14 May 2023 08:51:32 -0700

Your message dated Sun, 14 May 2023 15:46:34 +0000
with message-id <[email protected]>
and subject line unblock sniproxy
has caused the Debian Bug report #1036000,
regarding unblock: sniproxy/0.6.0-2.1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1036000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036000
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected], 
[email protected]
Control: affects -1 + src:sniproxy

Please unblock package sniproxy

Version 0.6.0-2.1 fixes the #1033752 RC bug (grave, security)
about a buffer overflow that may lead to arbitrary code
execution. I am in the process of adopting the package
(see #1035759), and I'm in communication with Thorsten
Alteholz, who did the NMU to fix the bug.

[ Reason ]
Security issue, arbitrary code execution due to a buffer overflow.
See #1033752 for details.

[ Impact ]
Systems where sniproxy is used are currently vulnerable to
remote code execution.

[ Tests ]
The next upstream version of sniproxy, 0.6.1, that was
released with a single change - to fix this bug - and that
I will soon upload to experimental, contains a test case that
makes sure sniproxy does not die on such a malformed request:
https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583#diff-e1a0a6ea76cf301ec1fc8564ca08c0a20ae7fdc14f27355ab77a217e09efd833
(the bad_dns_request_test change)
The patch includes this change, although the tests are not
run during the Debian package build or afterwards; however,
a manual `make check` in the package build directory will
show the test passing.

I intend to try to run those tests both during the build and
as autopkgtests.

[ Risks ]
The fix is straightforward (for someone familiar with network
programming in C) and targeted. IMHO the risks are minimal,
if any at all. 

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock sniproxy/0.6.0-2.1

diff -Nru sniproxy-0.6.0/debian/changelog sniproxy-0.6.0/debian/changelog
--- sniproxy-0.6.0/debian/changelog     2020-07-23 23:27:57.000000000 +0300
+++ sniproxy-0.6.0/debian/changelog     2023-04-29 20:03:02.000000000 +0300
@@ -1,3 +1,11 @@
+sniproxy (0.6.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-25076 (Closes: #1033752)
+    fix buffer overflow while handling wildcard backend hosts
+
+ -- Thorsten Alteholz <[email protected]>  Sat, 29 Apr 2023 19:03:02 +0200
+
 sniproxy (0.6.0-2) unstable; urgency=medium
 
   * Fix "ftbfs with GCC-10" by applying patch
diff -Nru sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch 
sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch
--- sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch  1970-01-01 
02:00:00.000000000 +0200
+++ sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch  2023-04-29 
20:03:02.000000000 +0300
@@ -0,0 +1,71 @@
+commit f8d9a433fe22ab2fa15c00179048ab02ae23d583
+Author: Dustin Lundquist <[email protected]>
+Date:   Thu Mar 16 20:42:20 2023 -0700
+
+    address: fix buffer overflow
+    
+    Update tests to work on Debian 11.
+
+Index: sniproxy-0.6.0/src/address.c
+===================================================================
+--- sniproxy-0.6.0.orig/src/address.c  2023-04-29 19:26:00.397699547 +0200
++++ sniproxy-0.6.0/src/address.c       2023-04-29 19:26:00.397699547 +0200
+@@ -143,6 +143,8 @@
+     if (hostname_or_ip[0] == '[' &&
+             (port = strchr(hostname_or_ip, ']')) != NULL) {
+         len = (size_t)(port - hostname_or_ip - 1);
++        if (len >= INET6_ADDRSTRLEN)
++            return NULL;
+ 
+         /* inet_pton() will not parse the IP correctly unless it is in a
+          * separate string.
+Index: sniproxy-0.6.0/tests/Makefile.am
+===================================================================
+--- sniproxy-0.6.0.orig/tests/Makefile.am      2023-04-29 19:26:00.397699547 
+0200
++++ sniproxy-0.6.0/tests/Makefile.am   2023-04-29 19:26:25.017710380 +0200
+@@ -1,5 +1,7 @@
+ AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) 
$(LIBUDNS_CFLAGS)
+ 
++.NOTPARALLEL:
++
+ TESTS = address_test \
+         buffer_test \
+         cfg_tokenizer_test \
+Index: sniproxy-0.6.0/tests/bad_dns_request_test
+===================================================================
+--- sniproxy-0.6.0.orig/tests/bad_dns_request_test     2023-04-29 
19:26:00.397699547 +0200
++++ sniproxy-0.6.0/tests/bad_dns_request_test  2023-04-29 19:26:00.397699547 
+0200
+@@ -36,6 +36,11 @@
+         client => \&http_client,
+     },
+     {
++        # Exceed hostname buffer size
++        request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . 
"example.com]\r\n\r\n",
++        client => \&http_client,
++    },
++    {
+         # Test client aborting connection before DNS response received
+         request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
+         client => \&http_client_abort,
+Index: sniproxy-0.6.0/tests/slow_client_test
+===================================================================
+--- sniproxy-0.6.0.orig/tests/slow_client_test 2023-04-29 19:26:00.397699547 
+0200
++++ sniproxy-0.6.0/tests/slow_client_test      2023-04-29 19:26:00.397699547 
+0200
+@@ -31,11 +31,16 @@
+     my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1',
+             PeerPort => $port,
+             Proto => "tcp",
+-            Type => SOCK_STREAM)
++            Type => SOCK_STREAM,
++            Timeout => 5)
+         or die "couldn't connect $!";
+ 
+     $socket->send($request);
+     foreach (split("\r\n", $request)) {
++        unless ($socket->connected()) {
++            print "Disconnected\n";
++            exit(0);
++        }
+         $socket->send("$_\r\n");
+         sleep(1);
+     }
diff -Nru sniproxy-0.6.0/debian/patches/series 
sniproxy-0.6.0/debian/patches/series
--- sniproxy-0.6.0/debian/patches/series        2020-07-23 23:27:57.000000000 
+0300
+++ sniproxy-0.6.0/debian/patches/series        2023-04-29 20:03:02.000000000 
+0300
@@ -1 +1,3 @@
 01_fix_gcc-10-build.patch
+
+CVE-2023-25076.patch

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---
Unblocked.
--- End Message ---

Bug#1036000: marked as done (unblock: sniproxy/0.6.0-2.1)

Reply via email to