subject:"Bug#860058\: unblock\: libnl3\/3.2.27\-2"

Bug#860058: unblock: libnl3/3.2.27-2

2017-04-11 Thread Cyril Brulebois

Niels Thykier  (2017-04-11):
> Heiko Stuebner:
> > Please unblock package libnl3
> > 
> > In CVE-2017-0553 a possible (but moderate) security issue was found
> > which resulted in bug #859948 against the Debian libnl3 package.
> > 
> > The 3.2.27-2 fixes this (and only this) issue.
> > 
> 
> Ack from here, CC'ing KiBi for a d-i ack (and keeping the debdiff for
> his sake).

No objections, thanks.


KiBi.


signature.asc
Description: Digital signature

Bug#860058: unblock: libnl3/3.2.27-2

2017-04-10 Thread Niels Thykier

Control: tags -1 confirmed

Heiko Stuebner:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package libnl3
> 
> In CVE-2017-0553 a possible (but moderate) security issue was found
> which resulted in bug #859948 against the Debian libnl3 package.
> 
> The 3.2.27-2 fixes this (and only this) issue.
> 

Ack from here, CC'ing KiBi for a d-i ack (and keeping the debdiff for
his sake).

~Niels

> debdiff:
> diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog
> --- libnl3-3.2.27/debian/changelog  2016-01-24 23:54:53.0 +0100
> +++ libnl3-3.2.27/debian/changelog  2017-04-10 11:48:23.0 +0200
> @@ -1,3 +1,9 @@
> +libnl3 (3.2.27-2) unstable; urgency=low
> +
> +  * Add upstream fix for CVE-2017-0553 (Closes: #859948)
> +
> + -- Heiko Stuebner   Mon, 10 Apr 2017 11:48:23 +0200
> +
>  libnl3 (3.2.27-1) unstable; urgency=low
> 
>* New upstream release
> diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> --- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> 1970-01-01 01:00:00.0 +0100
> +++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
> 2017-04-10 10:55:21.0 +0200
> @@ -0,0 +1,38 @@
> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
> +From: Thomas Haller 
> +Date: Mon, 6 Feb 2017 22:23:52 +0100
> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
> +
> +In general, libnl functions are not robust against calling with
> +invalid arguments. Thus, never call libnl functions with invalid
> +arguments. In case of nlmsg_reserve() this means never provide
> +a @len argument that causes overflow.
> +
> +Still, add an additional safeguard to avoid exploiting such bugs.
> +
> +Assume that @pad is a trusted, small integer.
> +Assume that n->nm_size is a valid number of allocated bytes (and thus
> +much smaller then SIZE_T_MAX).
> +Assume, that @len may be set to an untrusted value. Then the patch
> +avoids an integer overflow resulting in reserving too few bytes.
> +---
> + lib/msg.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/lib/msg.c b/lib/msg.c
> +index 9af3f3a..3e27d4e 100644
> +--- a/lib/msg.c
>  b/lib/msg.c
> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int 
> pad)
> +   size_t nlmsg_len = n->nm_nlh->nlmsg_len;
> +   size_t tlen;
> +
> ++  if (len > n->nm_size)
> ++  return NULL;
> ++
> +   tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
> +
> +   if ((tlen + nlmsg_len) > n->nm_size)
> +--
> +2.9.3
> +
> diff -Nru libnl3-3.2.27/debian/patches/series
> libnl3-3.2.27/debian/patches/series
> --- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.0 +0100
> +++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.0 +0200
> @@ -3,3 +3,4 @@
>  debian/no-symvers.diff -p1
>  debian/__nl_cache_ops_lookup-unstatic.diff -p1
>  debian/_nl_socket_generate_local_port_no_release.diff -p1
> +debian/nlmsg_reserve-overflow.patch -p1
> 
> 
> unblock libnl3/3.2.27-2
> 
> [...]

Bug#860058: unblock: libnl3/3.2.27-2

2017-04-10 Thread Heiko Stuebner

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libnl3

In CVE-2017-0553 a possible (but moderate) security issue was found
which resulted in bug #859948 against the Debian libnl3 package.

The 3.2.27-2 fixes this (and only this) issue.

debdiff:
diff -Nru libnl3-3.2.27/debian/changelog libnl3-3.2.27/debian/changelog
--- libnl3-3.2.27/debian/changelog  2016-01-24 23:54:53.0 +0100
+++ libnl3-3.2.27/debian/changelog  2017-04-10 11:48:23.0 +0200
@@ -1,3 +1,9 @@
+libnl3 (3.2.27-2) unstable; urgency=low
+
+  * Add upstream fix for CVE-2017-0553 (Closes: #859948)
+
+ -- Heiko Stuebner   Mon, 10 Apr 2017 11:48:23 +0200
+
 libnl3 (3.2.27-1) unstable; urgency=low

   * New upstream release
diff -Nru libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
--- libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
1970-01-01 01:00:00.0 +0100
+++ libnl3-3.2.27/debian/patches/debian/nlmsg_reserve-overflow.patch
2017-04-10 10:55:21.0 +0200
@@ -0,0 +1,38 @@
+From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001
+From: Thomas Haller 
+Date: Mon, 6 Feb 2017 22:23:52 +0100
+Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve()
+
+In general, libnl functions are not robust against calling with
+invalid arguments. Thus, never call libnl functions with invalid
+arguments. In case of nlmsg_reserve() this means never provide
+a @len argument that causes overflow.
+
+Still, add an additional safeguard to avoid exploiting such bugs.
+
+Assume that @pad is a trusted, small integer.
+Assume that n->nm_size is a valid number of allocated bytes (and thus
+much smaller then SIZE_T_MAX).
+Assume, that @len may be set to an untrusted value. Then the patch
+avoids an integer overflow resulting in reserving too few bytes.
+---
+ lib/msg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/msg.c b/lib/msg.c
+index 9af3f3a..3e27d4e 100644
+--- a/lib/msg.c
 b/lib/msg.c
+@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
+   size_t nlmsg_len = n->nm_nlh->nlmsg_len;
+   size_t tlen;
+
++  if (len > n->nm_size)
++  return NULL;
++
+   tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len;
+
+   if ((tlen + nlmsg_len) > n->nm_size)
+--
+2.9.3
+
diff -Nru libnl3-3.2.27/debian/patches/series
libnl3-3.2.27/debian/patches/series
--- libnl3-3.2.27/debian/patches/series 2016-01-24 00:36:27.0 +0100
+++ libnl3-3.2.27/debian/patches/series 2017-04-10 10:57:45.0 +0200
@@ -3,3 +3,4 @@
 debian/no-symvers.diff -p1
 debian/__nl_cache_ops_lookup-unstatic.diff -p1
 debian/_nl_socket_generate_local_port_no_release.diff -p1
+debian/nlmsg_reserve-overflow.patch -p1


unblock libnl3/3.2.27-2

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Bug#860058: unblock: libnl3/3.2.27-2

Bug#860058: unblock: libnl3/3.2.27-2

Bug#860058: unblock: libnl3/3.2.27-2

3 matches

Site Navigation

Mail list logo

Footer information