Bug#866332: stretch-pu: package c-ares/1.12.0-1

2017-07-02 Thread Cyril Brulebois 
Control: tag -1 pending

Cyril Brulebois  (2017-07-01):
> Gregor Jasny  (2017-06-28):
> > recently a buffer overlow in c-ares has been fixed and the Security
> > Team asked me to prepare an upload to stretch (see #865360).
> 
> This looks good to me, feel free to upload.

Flagged for acceptance, thanks.


KiBi.


signature.asc
Description: Digital signature

Bug#866332: stretch-pu: package c-ares/1.12.0-1

2017-06-30 Thread Cyril Brulebois 
Control: tag -1 confirmed

Hi,

Gregor Jasny  (2017-06-28):
> recently a buffer overlow in c-ares has been fixed and the Security
> Team asked me to prepare an upload to stretch (see #865360).

This looks good to me, feel free to upload.

Thanks.


KiBi.


signature.asc
Description: Digital signature

Bug#866332: stretch-pu: package c-ares/1.12.0-1

2017-06-28 Thread Gregor Jasny 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

recently a buffer overlow in c-ares has been fixed and the Security Team
asked me to prepare an upload to stretch (see #865360).

Attached you'll find the debdiff.

Thanks,
Gregor

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru c-ares-1.12.0/debian/changelog c-ares-1.12.0/debian/changelog
--- c-ares-1.12.0/debian/changelog  2016-09-29 18:19:09.0 +0200
+++ c-ares-1.12.0/debian/changelog  2017-06-26 22:00:03.0 +0200
@@ -1,3 +1,9 @@
+c-ares (1.12.0-1+deb9u1) stretch; urgency=medium
+
+  * Add patch for CVE-2017-1000381 (Closes: #865360)
+
+ -- Gregor Jasny   Mon, 26 Jun 2017 22:00:03 +0200
+
 c-ares (1.12.0-1) unstable; urgency=high
 
   [ Daniel Stenberg ]
diff -Nru c-ares-1.12.0/debian/gbp.conf c-ares-1.12.0/debian/gbp.conf
--- c-ares-1.12.0/debian/gbp.conf   2016-02-12 22:09:13.0 +0100
+++ c-ares-1.12.0/debian/gbp.conf   2017-06-26 22:00:03.0 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = stretch
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
diff -Nru c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff 
c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff
--- c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff  1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.12.0/debian/patches/CVE-2017-1000381.diff  2017-06-26 
22:00:03.0 +0200
@@ -0,0 +1,30 @@
+Origin: upstream, e1f43d4d7e89ef8db479d6efd0389c6b6ee1d116
+From: David Drysdale 
+Date: Mon, 22 May 2017 10:54:10 +0100
+Subject: [PATCH 5/5] ares_parse_naptr_reply: check sufficient data
+Bug-Debian: http://bugs.debian.org/865360
+
+Check that there is enough data for the required elements
+of an NAPTR record (2 int16, 3 bytes for string lengths)
+before processing a record.
+
+--- a/ares_parse_naptr_reply.c
 b/ares_parse_naptr_reply.c
+@@ -110,6 +110,12 @@
+   status = ARES_EBADRESP;
+   break;
+ }
++  /* RR must contain at least 7 bytes = 2 x int16 + 3 x name */
++  if (rr_len < 7)
++{
++  status = ARES_EBADRESP;
++  break;
++}
+ 
+   /* Check if we are really looking at a NAPTR record */
+   if (rr_class == C_IN && rr_type == T_NAPTR)
+@@ -185,4 +191,3 @@
+ 
+   return ARES_SUCCESS;
+ }
+-
diff -Nru c-ares-1.12.0/debian/patches/series 
c-ares-1.12.0/debian/patches/series
--- c-ares-1.12.0/debian/patches/series 2016-02-12 22:09:13.0 +0100
+++ c-ares-1.12.0/debian/patches/series 2017-06-26 22:00:03.0 +0200
@@ -1 +1,2 @@
 disable-cflags-rewrite.diff
+CVE-2017-1000381.diff