subject:"Bug#913881\: stretch\-pu\: package uriparser\/0.8.4\-1"

Bug#913881: stretch-pu: package uriparser/0.8.4-1

2019-02-04 Thread Adam D. Barratt

Control: tags -1 + confirmed

On Fri, 2018-11-16 at 12:29 +0100, Jörg Frings-Fürst wrote:
> the attached debdiff fix the
> 
> CVE-2018-19198,
> CVE-2018-19199 and
> CVE-2018-19200.

Please go ahead; sorry for the delay.

Regards,

Adam

Bug#913881: stretch-pu: package uriparser/0.8.4-1

2018-11-16 Thread Jörg Frings-Fürst

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello,

the attached debdiff fix the

CVE-2018-19198,
CVE-2018-19199 and
CVE-2018-19200.

The maintainer email address and the Vcs-* location are
also changed.

CU
Jörg

- -- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEY+AHX8jUOrs1qzDuCfifPIyh0l0FAlvuqgUACgkQCfifPIyh
0l2zqhAAq0bStaT+o8QELmNS2OZBFLGrv/Li3g5DHnEee5juZLQ9VgLIh5eXb96f
ycgBpuItaCfLbMM5WnKGXnmEnB37gMlReYR8nMIF2eVLTeS124SUa6Qeyp/nh3bg
5waNanD9KbxuJDLKzNgeERdf1QKD78VPTnaIPvMQzb6k5ole6PqzxzgqLaOicR/X
omYT26BvG9sDnLGtVPuyYqEeiZm575qTpjqUPJzHJd9styiRQiICwiWBfB7D02U0
OoorOWwm/rvDafhrlyxitpvj15pEg97gcyXkKdBhO+PYM5zIDGemDAGh1T/qlkyl
FQTiZVgHj23udtS+UnpWeJgFpm9E+9/s6gcXdg+b3P/K/zNHFL6wfnlHNYzfp3mz
2OCHi7UKlkFxkkdn8uA50V2VpULUramKWupe2KGYPS7XXDn+Qh+6vbnNncqacAfp
8noPhUo2woT7Gd4HHUOf0size7BLLeDGL+HrbCQzmSKoIjhxBjQ7IjbXsw4Alstv
WZJQWEov+n8ISSJvFuuYkbghbopzsmbDNJvIIUOhKmdbC1yBuGDpY2OaAxahohRy
eG2fIg1ku0txTYgCyYk+5JeO3QQu6hvNGjzdanuVuCKJr+eVHQOKQ5gzx9XP/ffM
82myXAlVHITOUQTMR70NQQ4B4NEvPAMTaQYAWUiVEG03G2rovQ4=
=HbnA
-END PGP SIGNATURE-
diff -Nru uriparser-0.8.4/debian/changelog uriparser-0.8.4/debian/changelog
--- uriparser-0.8.4/debian/changelog2015-11-04 07:02:13.0 +0100
+++ uriparser-0.8.4/debian/changelog2018-11-16 09:43:24.0 +0100
@@ -1,3 +1,15 @@
+uriparser (0.8.4-1+deb9u1) stable; urgency=medium
+
+  * Fix multiple CVEs (Closes: #913817):
+- New debian/patches/CVE-2018-19198.patch to fix CVE-2018-19198.
+- New debian/patches/CVE-2018-19199.patch to fix CVE-2018-19199.
+- New debian/patches/CVE-2018-19200.patch to fix CVE-2018-19200.
+  * debian/control:
+- Change to my new email address.
+- Switch Vcs-* to new location.
+
+ -- Jörg Frings-Fürst   Fri, 16 Nov 2018 09:43:24 +0100
+
 uriparser (0.8.4-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru uriparser-0.8.4/debian/control uriparser-0.8.4/debian/control
--- uriparser-0.8.4/debian/control  2015-11-02 07:02:50.0 +0100
+++ uriparser-0.8.4/debian/control  2018-11-16 09:37:15.0 +0100
@@ -1,7 +1,7 @@
 Source: uriparser
 Section: libs
 Priority: optional
-Maintainer: Jörg Frings-Fürst 
+Maintainer: Jörg Frings-Fürst 
 Build-Depends:
  debhelper (>= 9),
  dh-autoreconf,
@@ -14,8 +14,8 @@
  libqt5sql5-sqlite
 Standards-Version: 3.9.6
 Homepage: http://uriparser.sourceforge.net
-Vcs-Git: git://anonscm.debian.org/collab-maint/uriparser.git
-Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/uriparser.git
+Vcs-Git: git://jff.email/opt/git/uriparser.git
+Vcs-Browser: https://jff.email/cgit/uriparser.git
 
 Package: liburiparser1
 Architecture: any
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 
uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 1970-01-01 
01:00:00.0 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 2018-11-16 
09:19:24.0 +0100
@@ -0,0 +1,73 @@
+From 864f5d4c127def386dd5cc926ad96934b297f04e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Sun, 23 Sep 2018 20:07:25 +0200
+Subject: [PATCH] UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
+
+Reported by Google Autofuzz team
+---
+ src/UriQuery.c |  1 +
+ test/test.cpp  | 32 
+ 2 files changed, 33 insertions(+)
+
+Index: stretch/src/UriQuery.c
+===
+--- stretch.orig/src/UriQuery.c
 stretch/src/UriQuery.c
+@@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+ 
+   /* Copy key */
+   if (firstItem == URI_TRUE) {
++  ampersandLen = 1;
+   firstItem = URI_FALSE;
+   } else {
+   write[0] = _UT('&');
+Index: stretch/test/test.cpp
+===
+--- stretch.orig/test/test.cpp
 stretch/test/test.cpp
+@@ -102,6 +102,7 @@ public:
+   TEST_ADD(UriSuite::testQueryList)
+   TEST_ADD(UriSuite::testQueryListPair)
+   TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
++  
TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
+   TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
+   TEST_ADD(UriSuite::testParseInvalid_Bug16)
+

Bug#913881: stretch-pu: package uriparser/0.8.4-1

Bug#913881: stretch-pu: package uriparser/0.8.4-1

2 matches

Site Navigation

Mail list logo

Footer information