Processed: Re: Bug#899014: stretch-pu: package blktrace/1.1.0-2
Processing control commands:

> tags -1 + confirmed
Bug #899014 [release.debian.org] stretch-pu: package blktrace/1.1.0-2
Ignoring request to alter tags of bug #899014 to the same tags previously set

--
899014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#899014: stretch-pu: package blktrace/1.1.0-2
Control: tags -1 + confirmed

On Fri, 2018-05-18 at 21:13 +0200, Bas Zoetekouw wrote:
> Hi!
>
> > Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.
> > Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
> > stretch-security).
> >
>
> Fixed. New debdiffs follow:
>

Please go ahead.

Regards,

Adam
Bug#899014: stretch-pu: package blktrace/1.1.0-2
Hi!

> Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.
> Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
> stretch-security).
>

Fixed. New debdiffs follow:

Jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace- 1.0.5/debian/changelog --- blktrace-1.0.5/debian/changelog 2013-05-05 14:43:17.0 +0200 +++ blktrace-1.0.5/debian/changelog 2018-05-18 21:02:54.0 +0200 @@ -1,3 +1,9 @@ +blktrace (1.0.5-1+deb8u1) jessie; urgency=high + + * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695) + + -- Bas Zoetekouw Fri, 18 May 2018 15:47:57 +0200 + blktrace (1.0.5-1) unstable; urgency=low * New upstream release [February 2012]. diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch blktrace- 1.0.5/debian/patches/cve-2018-10689.patch --- blktrace-1.0.5/debian/patches/cve-2018-10689.patch 1970-01- 01 01:00:00.0 +0100 +++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch 2018-05- 18 16:05:36.0 +0200 @@ -0,0 +1,18 @@ +Last-Update: 2018-05-16 +Forwarded: yes +Author: Jens Axboe +Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid overflow. Patch from https://git.kernel.org/pub/scm/linux/kernel /git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa c5b7 + +Index: blktrace-1.0.5/btt/devmap.c +=== +--- blktrace-1.0.5.orig/btt/devmap.c blktrace-1.0.5/btt/devmap.c +@@ -23,7 +23,7 @@ + + struct devmap { + struct list_head head; +- char device[32], devno[32]; ++ char device[PATH_MAX], devno[PATH_MAX]; + }; + + LIST_HEAD(all_devmaps); diff -Nru blktrace-1.0.5/debian/patches/series blktrace- 1.0.5/debian/patches/series --- blktrace-1.0.5/debian/patches/series2012-12-23 12:30:03.0 +0100 +++ blktrace-1.0.5/debian/patches/series2018-05-18 15:56:41.0 +0200 
@@ -1,2 +1,3 @@ 10_btrace_paths.patch spelling.patch +cve-2018-10689.patch Stretch: diff -Nru blktrace-1.1.0/debian/changelog blktrace- 1.1.0/debian/changelog --- blktrace-1.1.0/debian/changelog 2015-05-17 14:35:07.0 +0200 +++ blktrace-1.1.0/debian/changelog 2018-05-16 16:19:54.0 +0200 @@ -1,3 +1,9 @@ +blktrace (1.1.0-2+deb9u1) stretch; urgency=high + + * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695) + + -- Bas Zoetekouw Wed, 16 May 2018 16:19:54 +0200 + blktrace (1.1.0-2) unstable; urgency=low * Upload to unstable. diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch blktrace- 1.1.0/debian/patches/cve-2018-10689.patch --- blktrace-1.1.0/debian/patches/cve-2018-10689.patch 1970-01- 01 01:00:00.0 +0100 +++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch 2018-05- 16 16:19:54.0 +0200 @@ -0,0 +1,18 @@ +Last-Update: 2018-05-16 +Forwarded: yes +Author: Jens Axboe +Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid overflow. Patch from https://git.kernel.org/pub/scm/linux/kernel /git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa c5b7 + +diff --git a/btt/devmap.c b/btt/devmap.c +index 0553a9e..5fc1cb2 100644 +--- a/btt/devmap.c b/btt/devmap.c +@@ -23,7 +23,7 @@ + + struct devmap { + struct list_head head; +- char device[32], devno[32]; ++ char device[PATH_MAX], devno[PATH_MAX]; + }; + + LIST_HEAD(all_devmaps); diff -Nru blktrace-1.1.0/debian/patches/series blktrace- 1.1.0/debian/patches/series --- blktrace-1.1.0/debian/patches/series2015-03-25 08:40:33.0 +0100 +++ blktrace-1.1.0/debian/patches/series2018-05-16 16:19:54.0 +0200 @@ -4,3 +4,4 @@ pdf-date.patch procnum.patch spelling.patch +cve-2018-10689.patch
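Review bot: Nothing in the btt/devmap.c hunk of cve-2018-10689.patch (same in the jessie and stretch debdiffs) bounds what is written into `device` and `devno`; `char device[PATH_MAX], devno[PATH_MAX];` only moves the limit from 32 bytes to PATH_MAX, so whether the overflow is closed depends on code outside the visible lines. Please check the code that fills these two fields and, if it copies or scans without a length limit, bound it to the field size minus one. The hunk also adds no include, so confirm that devmap.c already gets PATH_MAX (from <limits.h>) in both 1.0.5 and 1.1.0.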
Bug#899014: stretch-pu: package blktrace/1.1.0-2
Hi Bas,

Not a Release Team member, but some suggestions to change:

On Fri, May 18, 2018 at 04:15:10PM +0200, Bas Zoetekouw wrote:
> +blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high

Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.

Same for Stretch,

> +blktrace (1.1.0-3) stretch-security; urgency=high

Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
stretch-security).

Regards,
Salvatore
Bug#899014: stretch-pu: package blktrace/1.1.0-2
clone 899014 -1
tags 899014 = stretch
tags-1 = jessie
retitle -1 jessie-pu: blktrace/1.0.5-1

Let's split this for jessie and stretch
Bug#899014: stretch-pu: package blktrace/1.1.0-2
Package: release.debian.org
Severity: normal
Tags: stretch,jessie
User: release.debian@packages.debian.org
Usertags: pu

I would like to update blktrace in Jessie (1.0.5-1) and Stretch (1.1.0-2) to fix a buffer overflow (CVE-2018-10689, see https://security-tracker.debian.org/tracker/CVE-2018-10689).

I've already discussed this with the security team, and they feel this issue doesn't warrant a DSA, but should be fixed via proposed-updates instead.

My proposed new packages can be found at https://zoetekouw.net/Zooi/blktrace/

The debdiffs are as follows:

For jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace-1.0.5/debian/changelog --- blktrace-1.0.5/debian/changelog 2013-05-05 14:43:17.0 +0200 +++ blktrace-1.0.5/debian/changelog 2018-05-18 15:57:31.0 +0200 @@ -1,3 +1,9 @@ +blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high + + * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695) + + -- Bas Zoetekouw Fri, 18 May 2018 15:47:57 +0200 + blktrace (1.0.5-1) unstable; urgency=low * New upstream release [February 2012]. diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch blktrace-1.0.5/debian/patches/cve-2018-10689.patch --- blktrace-1.0.5/debian/patches/cve-2018-10689.patch 1970-01-01 01:00:00.0 +0100 +++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch 2018-05-18 16:05:36.0 +0200 
@@ -0,0 +1,18 @@ +Last-Update: 2018-05-16 +Forwarded: yes +Author: Jens Axboe +Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid overflow. Patch from https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7 + +Index: blktrace-1.0.5/btt/devmap.c +=== +--- blktrace-1.0.5.orig/btt/devmap.c blktrace-1.0.5/btt/devmap.c +@@ -23,7 +23,7 @@ + + struct devmap { + struct list_head head; +- char device[32], devno[32]; ++ char device[PATH_MAX], devno[PATH_MAX]; + }; + + LIST_HEAD(all_devmaps); diff -Nru blktrace-1.0.5/debian/patches/series blktrace-1.0.5/debian/patches/series --- blktrace-1.0.5/debian/patches/series2012-12-23 12:30:03.0 +0100 +++ blktrace-1.0.5/debian/patches/series2018-05-18 15:56:41.0 +0200 @@ -1,2 +1,3 @@ 10_btrace_paths.patch spelling.patch +cve-2018-10689.patch For Stretch: diff -Nru blktrace-1.1.0/debian/changelog blktrace-1.1.0/debian/changelog --- blktrace-1.1.0/debian/changelog 2015-05-17 14:35:07.0 +0200 +++ blktrace-1.1.0/debian/changelog 2018-05-16 16:19:54.0 +0200 @@ -1,3 +1,9 @@ +blktrace (1.1.0-3) stretch-security; urgency=high + + * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695) + + -- Bas Zoetekouw Wed, 16 May 2018 16:19:54 +0200 + blktrace (1.1.0-2) unstable; urgency=low * Upload to unstable. diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch blktrace-1.1.0/debian/patches/cve-2018-10689.patch --- blktrace-1.1.0/debian/patches/cve-2018-10689.patch 1970-01-01 01:00:00.0 +0100 +++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch 2018-05-16 16:19:54.0 +0200 
@@ -0,0 +1,18 @@ +Last-Update: 2018-05-16 +Forwarded: yes +Author: Jens Axboe +Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid overflow. Patch from https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7 + +diff --git a/btt/devmap.c b/btt/devmap.c +index 0553a9e..5fc1cb2 100644 +--- a/btt/devmap.c b/btt/devmap.c +@@ -23,7 +23,7 @@ + + struct devmap { + struct list_head head; +- char device[32], devno[32]; ++ char device[PATH_MAX], devno[PATH_MAX]; + }; + + LIST_HEAD(all_devmaps); diff -Nru blktrace-1.1.0/debian/patches/series blktrace-1.1.0/debian/patches/series --- blktrace-1.1.0/debian/patches/series2015-03-25 08:40:33.0 +0100 +++ blktrace-1.1.0/debian/patches/series2018-05-16 16:19:54.0 +0200 @@ -4,3 +4,4 @@ pdf-date.patch procnum.patch spelling.patch +cve-2018-10689.patch -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (620, 'stable'), (500, 'stable-updates'), (20, 'unstable'), (10, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
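Review bot: The header of debian/patches/cve-2018-10689.patch carries the upstream commit URL inside the free-text `Description:` and marks the patch `Forwarded: yes`, although the patch is taken from upstream. In DEP-3 terms this is better expressed as `Origin: upstream, <commit URL>` with a short one-line Description, which keeps the provenance machine-readable and keeps the URL from being wrapped or broken in transit. This applies to the patch file in both the jessie and the stretch debdiff.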