Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hello,
the attached debdiff fixes CVE-2018-19198, CVE-2018-19199 and CVE-2018-19200.
The maintainer email address and the Vcs-* location are also changed.
CU
Jörg
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru uriparser-0.8.4/debian/changelog uriparser-0.8.4/debian/changelog
--- uriparser-0.8.4/debian/changelog2015-11-04 07:02:13.0 +0100
+++ uriparser-0.8.4/debian/changelog2018-11-16 09:43:24.0 +0100
@@ -1,3 +1,15 @@
+uriparser (0.8.4-1+deb9u1) stable; urgency=medium
+
+ * Fix multiple CVEs (Closes: #913817):
+- New debian/patches/CVE-2018-19198.patch to fix CVE-2018-19198.
+- New debian/patches/CVE-2018-19199.patch to fix CVE-2018-19199.
+- New debian/patches/CVE-2018-19200.patch to fix CVE-2018-19200.
+ * debian/control:
+- Change to my new email address.
+- Switch Vcs-* to new location.
+
+ -- Jörg Frings-Fürst Fri, 16 Nov 2018 09:43:24 +0100
+
uriparser (0.8.4-1) unstable; urgency=medium
* New upstream release.
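Review bot: The three bullets under "Fix multiple CVEs" name the patch files but not the defect each one fixes, so a reader of the changelog cannot tell what the update addresses without opening the patches. A short description per entry would help, for example the out-of-bounds write in ComposeQuery that the subject line of the CVE-2018-19198 patch mentions. The header line also targets `stable`; using the codename `stretch`, as in the tag on this request, keeps the target unambiguous.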
diff -Nru uriparser-0.8.4/debian/control uriparser-0.8.4/debian/control
--- uriparser-0.8.4/debian/control 2015-11-02 07:02:50.0 +0100
+++ uriparser-0.8.4/debian/control 2018-11-16 09:37:15.0 +0100
@@ -1,7 +1,7 @@
Source: uriparser
Section: libs
Priority: optional
-Maintainer: Jörg Frings-Fürst
+Maintainer: Jörg Frings-Fürst
Build-Depends:
debhelper (>= 9),
dh-autoreconf,
@@ -14,8 +14,8 @@
libqt5sql5-sqlite
Standards-Version: 3.9.6
Homepage: http://uriparser.sourceforge.net
-Vcs-Git: git://anonscm.debian.org/collab-maint/uriparser.git
-Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/uriparser.git
+Vcs-Git: git://jff.email/opt/git/uriparser.git
+Vcs-Browser: https://jff.email/cgit/uriparser.git
Package: liburiparser1
Architecture: any
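Review bot: The new Vcs-Git value in this debian/control hunk uses the git:// scheme, which gives no transport encryption or server authentication, while the Vcs-Browser line beside it already uses https. If the host serves the repository over https, point Vcs-Git at that URL instead. The Maintainer and Vcs-* changes are also unrelated to the three CVE fixes, so they widen a stable update beyond the security fix.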
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 1970-01-01
01:00:00.0 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 2018-11-16
09:19:24.0 +0100
@@ -0,0 +1,73 @@
+From 864f5d4c127def386dd5cc926ad96934b297f04e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sun, 23 Sep 2018 20:07:25 +0200
+Subject: [PATCH] UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
+
+Reported by Google Autofuzz team
+---
+ src/UriQuery.c | 1 +
+ test/test.cpp | 32
+ 2 files changed, 33 insertions(+)
+
+Index: stretch/src/UriQuery.c
+===
+--- stretch.orig/src/UriQuery.c
stretch/src/UriQuery.c
+@@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+
+ /* Copy key */
+ if (firstItem == URI_TRUE) {
++ ampersandLen = 1;
+ firstItem = URI_FALSE;
+ } else {
+ write[0] = _UT('&');
+Index: stretch/test/test.cpp
+===
+--- stretch.orig/test/test.cpp
stretch/test/test.cpp
+@@ -102,6 +102,7 @@ public:
+ TEST_ADD(UriSuite::testQueryList)
+ TEST_ADD(UriSuite::testQueryListPair)
+ TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
++
TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
+ TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
+ TEST_ADD(UriSuite::testParseInvalid_Bug16)
+
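Review bot: In the src/UriQuery.c part of this new patch file, `ampersandLen = 1;` is added to the `firstItem == URI_TRUE` branch, the branch that does not write `&`, and neither the hunk nor the patch header explains why that is the right place. A one-line comment saying that the value is presumably meant for the later items, which do write `&` in the else branch, would make the intent checkable. As far as the lines shown go, the patch header also has no Origin or Bug-Debian field tying it to #913817, only the upstream commit hash in its From line.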