Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id
<83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1054421,
regarding bookworm-pu: package weborf/0.19
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1054421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054421
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:weborf
I have found a denial of service in all versions of weborf.
It is tracked in #1054417 and solved in 1.0 upstream.
https://github.com/ltworf/weborf/pull/88
The issue is fixed in unstable but remains in stable and oldstable.
[ Reason ]
The bug has been there undetected for years. The fix is minimal.
[ Impact ]
The denial of service and extremely unlikely but theoretically possible
remote execution issue will remain.
The issue exists only if the process has CGI enabled (not the default).
[ Tests ]
There are no automated tests covering the issue.
[ Risks ]
The patch is just 3 lines.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
A patch to remove a memory allocation and copy, where I forgot a +1 in the copy.
The resulting code just reuses the same buffer instead of copying, which was not
needed to begin with.
[ Other info ]
Tracked in CVE-2023-46586
diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
--- weborf-0.19/debian/changelog 2022-10-15 12:57:06.000000000 +0200
+++ weborf-0.19/debian/changelog 2023-10-23 18:38:21.000000000 +0200
@@ -1,3 +1,9 @@
+weborf (0.19-3) bookworm; urgency=medium
+
+ * Backport patch from upstream to fix denial of service (Closes: 1054417)
+
+ -- Salvo 'LtWorf' Tomaselli <[email protected]> Mon, 23 Oct 2023 18:38:21
+0200
+
weborf (0.19-2.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru weborf-0.19/debian/patches/cgi_buffer_fix.patch
weborf-0.19/debian/patches/cgi_buffer_fix.patch
--- weborf-0.19/debian/patches/cgi_buffer_fix.patch 1970-01-01
01:00:00.000000000 +0100
+++ weborf-0.19/debian/patches/cgi_buffer_fix.patch 2023-10-23
18:38:15.000000000 +0200
@@ -0,0 +1,25 @@
+Description: Fix incorrect memory operation
+ The original code failed to take into account the space needed for the
+ null terminator.
+ .
+ The patch just avoids the copy altogether, because it was not needed.
+Author: Salvo "LtWorf" Tomaselli <[email protected]>
+Origin: upstream
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1054417
+Forwarded: not-needed
+Applied-Upstream: 1.0
+Last-Update: 2023-10-23
+
+--- weborf-0.19.orig/cgi.c
++++ weborf-0.19/cgi.c
+@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con
+ environ = NULL; //Clear env vars
+
+ if (strlen(executor) == 0) {
+- executor = malloc(connection_prop->strfile_len + 1);
+- strncpy(executor, connection_prop->strfile,
connection_prop->strfile_len);
++ executor = connection_prop->strfile;
+ }
+
+ cgi_set_http_env_vars(connection_prop->http_param);
diff -Nru weborf-0.19/debian/patches/series weborf-0.19/debian/patches/series
--- weborf-0.19/debian/patches/series 2022-03-15 09:08:11.000000000 +0100
+++ weborf-0.19/debian/patches/series 2023-10-23 18:29:47.000000000 +0200
@@ -0,0 +1 @@
+cgi_buffer_fix.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3
Hi,
Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.
Regards,
Adam
--- End Message ---
