Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

Hello,

I would like to update zookeeper in Jessie which is currently affected by CVE-2016-5017. The security team does not intend to release a DSA for this issue. Please find attached the debdiff against the current version in Jessie.

Regards,

Markus

diff -Nru zookeeper-3.4.5+dfsg/debian/changelog zookeeper-3.4.5+dfsg/debian/changelog --- zookeeper-3.4.5+dfsg/debian/changelog 2014-03-16 21:07:30.000000000 +0100 +++ zookeeper-3.4.5+dfsg/debian/changelog 2016-09-18 20:14:02.000000000 +0200 @@ -1,3 +1,15 @@ +zookeeper (3.4.5+dfsg-2+deb8u1) jessie; urgency=high + + * Team upload. + * Fix CVE-2016-5017: + Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache + Zookeeper, a high-performance coordination service for distributed + applications, were affected by a buffer overflow vulnerability associated + with parsing of the input command when using the "cmd:" batch mode syntax. + If the command string exceeds 1024 characters a buffer overflow will occur. + + -- Markus Koschany <[email protected]> Sun, 18 Sep 2016 20:14:02 +0200 + zookeeper (3.4.5+dfsg-2) unstable; urgency=high [ tony mancill ] diff -Nru zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch --- zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch 1970-01-01 01:00:00.000000000 +0100 +++ zookeeper-3.4.5+dfsg/debian/patches/CVE-2016-5017.patch 2016-09-18 20:14:02.000000000 +0200 
@@ -0,0 +1,37 @@ +From: Markus Koschany <[email protected]> +Date: Sun, 18 Sep 2016 19:57:53 +0200 +Subject: CVE-2016-5017 + +Lyon Yang discovered that the C client shells cli_st and cli_mt of Apache +Zookeeper, a high-performance coordination service for distributed +applications, were affected by a buffer overflow vulnerability associated with +parsing of the input command when using the "cmd:" batch mode syntax. If the +command string exceeds 1024 characters a buffer overflow will occur. + + +Origin: https://git-wip-us.apache.org/repos/asf?p=zookeeper.git;a=commitdiff;h=27ecf981a15554dc8e64a28630af7a5c9e2bdf4f +--- + src/c/src/cli.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/c/src/cli.c b/src/c/src/cli.c +index c4538a6..959dd99 100644 +--- a/src/c/src/cli.c ++++ b/src/c/src/cli.c +@@ -486,7 +486,15 @@ int main(int argc, char **argv) { + } + if (argc > 2) { + if(strncmp("cmd:",argv[2],4)==0){ +- strcpy(cmd,argv[2]+4); ++ size_t cmdlen = strlen(argv[2]); ++ if (cmdlen > sizeof(cmd)) { ++ fprintf(stderr, ++ "Command length %zu exceeds max length of %zu\n", ++ cmdlen, ++ sizeof(cmd)); ++ return 2; ++ } ++ strncpy(cmd, argv[2]+4, sizeof(cmd)); + batchMode=1; + fprintf(stderr,"Batch mode: %s\n",cmd); + }else{ diff -Nru zookeeper-3.4.5+dfsg/debian/patches/series zookeeper-3.4.5+dfsg/debian/patches/series --- zookeeper-3.4.5+dfsg/debian/patches/series 2014-03-15 18:45:57.000000000 +0100 +++ zookeeper-3.4.5+dfsg/debian/patches/series 2016-09-18 20:14:02.000000000 +0200 @@ -4,3 +4,4 @@ fixes/ZOOKEEPER-705 ftbfs-gcc-4.7.diff fixes/ZOOKEEPER-770 +CVE-2016-5017.patch
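Review bot: In the src/c/src/cli.c hunk, the length check and the copy operate on different strings: cmdlen is strlen(argv[2]), which still counts the 4-byte "cmd:" prefix, while strncpy copies from argv[2]+4. The result is safe as written, because the copied payload can be at most sizeof(cmd) - 4 bytes and strncpy therefore always has room to write the terminating NUL. That termination is only a side effect of the prefix being counted, though, and anyone who later "corrects" the check to measure the payload with the same `>` comparison would reintroduce an unterminated buffer that the following fprintf("Batch mode: %s\n", cmd) reads past. I would measure strlen(argv[2]+4), reject when it is >= sizeof(cmd), and set cmd[sizeof(cmd)-1] = '\0' after the copy so the bound is explicit. The error message would then also report the command length rather than the argument length. Separately, the check relies on cmd being an array, since sizeof(cmd) is used as its capacity; the declaration is outside the visible context, so that is worth confirming against the Jessie source before upload.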

