Bug#979724: buster-pu: package libmaxminddb/1.3.2-1+deb10u1

2021-01-19 Thread Salvatore Bonaccorso
Hi Faidon,

On Sun, Jan 17, 2021 at 08:54:29PM +0200, Faidon Liambotis wrote:
> On Sat, Jan 16, 2021 at 06:00:00PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sun, 2021-01-10 at 21:39 +0200, Faidon Liambotis wrote:
> > > This is a buster proposed update to fix CVE-2020-28241:
> > > > libmaxminddb before 1.4.3 has a heap-based buffer over-read in
> > > > dump_entry_data_list in maxminddb.c.
> > > 
> > > The security team has marked the CVE as " (Minor issue)", and
> > > filed #973878 against the package.
> > > 
> > 
> > Please go ahead.
> 
> Thanks!
> 
> This is now uploaded and ACCEPTed into proposed-updates->stable-new.
> 
> Best,
> Faidon
> 
> P.S. Not sure if I'm supposed to mark this bug done myself?

It will be closed at the point release time when the package (unless
surprises arise and not to be accepted into it).

Regards,
Salvatore



Bug#979724: buster-pu: package libmaxminddb/1.3.2-1+deb10u1

2021-01-17 Thread Faidon Liambotis
On Sat, Jan 16, 2021 at 06:00:00PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2021-01-10 at 21:39 +0200, Faidon Liambotis wrote:
> > This is a buster proposed update to fix CVE-2020-28241:
> > > libmaxminddb before 1.4.3 has a heap-based buffer over-read in
> > > dump_entry_data_list in maxminddb.c.
> > 
> > The security team has marked the CVE as " (Minor issue)", and
> > filed #973878 against the package.
> > 
> 
> Please go ahead.

Thanks!

This is now uploaded and ACCEPTed into proposed-updates->stable-new.

Best,
Faidon

P.S. Not sure if I'm supposed to mark this bug done myself?



Bug#979724: buster-pu: package libmaxminddb/1.3.2-1+deb10u1

2021-01-16 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2021-01-10 at 21:39 +0200, Faidon Liambotis wrote:
> This is a buster proposed update to fix CVE-2020-28241:
> > libmaxminddb before 1.4.3 has a heap-based buffer over-read in
> > dump_entry_data_list in maxminddb.c.
> 
> The security team has marked the CVE as " (Minor issue)", and
> filed #973878 against the package.
> 

Please go ahead.

Regards,

Adam



Bug#979724: buster-pu: package libmaxminddb/1.3.2-1+deb10u1

2021-01-10 Thread Faidon Liambotis
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi there,

This is a buster proposed update to fix CVE-2020-28241:
| libmaxminddb before 1.4.3 has a heap-based buffer over-read in
| dump_entry_data_list in maxminddb.c.

The security team has marked the CVE as " (Minor issue)", and
filed #973878 against the package.

The fix was part of the 1.4.3 upstream version; bullseye has 1.4.3-1,
sid has 1.5.0-1, so it's fixed in both.

You'll find the source debdiff below (and also in salsa).

Thanks!
Faidon


diff -Nru libmaxminddb-1.3.2/debian/changelog 
libmaxminddb-1.3.2/debian/changelog
--- libmaxminddb-1.3.2/debian/changelog 2018-05-26 19:37:59.0 +0300
+++ libmaxminddb-1.3.2/debian/changelog 2021-01-10 21:10:00.0 +0200
@@ -1,3 +1,10 @@
+libmaxminddb (1.3.2-1+deb10u1) buster; urgency=medium
+
+  * Backport upstream fix for CVE-2020-28241, heap-based buffer over-read in
+dump_entry_data_list in maxminddb.c. (Closes: #973878)
+
+ -- Faidon Liambotis   Sun, 10 Jan 2021 21:10:00 +0200
+
 libmaxminddb (1.3.2-1) unstable; urgency=medium
 
   * New upstream release.
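Review bot: the changelog line "Backport upstream fix for CVE-2020-28241, heap-based buffer over-read in dump_entry_data_list" names a function that none of the hunks visible in this debdiff touch; the embedded upstream patch is titled "Replace most malloc uses with calloc" and closes upstream #236. For the security tracker and for anyone rebasing this later, the changelog (or the DEP-3 header of the patch) should say how the malloc-to-calloc conversion removes the over-read, e.g. by naming the allocation whose uninitialized contents were being read, so the link between the CVE text and the diff is explicit.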
diff -Nru libmaxminddb-1.3.2/debian/gbp.conf libmaxminddb-1.3.2/debian/gbp.conf
--- libmaxminddb-1.3.2/debian/gbp.conf  2018-05-26 19:28:43.0 +0300
+++ libmaxminddb-1.3.2/debian/gbp.conf  2021-01-10 21:10:00.0 +0200
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-tree=tag
-debian-branch=debian
+debian-branch=debian/buster
 upstream-tag = %(version)s
 no-create-orig = False
 submodules = True
diff -Nru libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 
libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch
--- libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 1970-01-01 
02:00:00.0 +0200
+++ libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 2021-01-10 
21:10:00.0 +0200
@@ -0,0 +1,113 @@
+From: Gregory Oschwald 
+Date: Wed, 5 Aug 2020 14:16:17 -0700
+Subject: [PATCH] Replace most malloc uses with calloc
+
+Closes #236.
+---
+ bin/mmdblookup.c|  2 +-
+ doc/libmaxminddb.md |  2 +-
+ src/maxminddb.c | 16 
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
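Review bot: the patch header has only the git From/Date/Subject trailer and no DEP-3 metadata; add an "Origin: upstream, <upstream commit URL>" line and "Bug-Debian: https://bugs.debian.org/973878" (plus the CVE id) so the source commit is recorded, since the upstream commit hash does not appear anywhere in this debdiff and "Closes #236" alone is hard to trace from the Debian side.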
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 030d88c..513ad2d 100644
+--- a/bin/mmdblookup.c
 b/bin/mmdblookup.c
+@@ -263,7 +263,7 @@ LOCAL const char **get_options(
+ }
+ 
+ const char **lookup_path =
+-malloc(sizeof(const char *) * ((argc - optind) + 1));
++calloc((argc - optind) + 1, sizeof(const char *));
+ int i;
+ for (i = 0; i < argc - optind; i++) {
+ lookup_path[i] = argv[i + optind];
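Review bot: the result of "calloc((argc - optind) + 1, sizeof(const char *))" in get_options is still written to in the loop directly below without a NULL check, so an allocation failure turns into a NULL-pointer write rather than an error return; as a verbatim upstream backport that is acceptable for a stable update, but it is worth an upstream follow-up. The positive side of the change is that calloc guarantees the extra trailing slot is NULL, so the lookup_path array is reliably terminated whether or not later code sets it.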
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index e6de9d5..15433c3 100644
+--- a/doc/libmaxminddb.md
 b/doc/libmaxminddb.md
+@@ -307,7 +307,7 @@ libmaxminddb code.
+ 
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this 
structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+ 
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 7580e1e..ec547d6 100644
+--- a/src/maxminddb.c
 b/src/maxminddb.c
+@@ -35,7 +35,7 @@
+ do {\
+ char *binary = byte_to_binary(byte);\
+ if (NULL == binary) {   \
+-fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+ abort();\
+ }   \
+ fprintf(stderr, fmt "\n", binary);  \
+@@ -54,7 +54,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+-char *bits = malloc(sizeof(char) * 9);
++char *bits = calloc(9, sizeof(char));
+ if (NULL == bits) {
+ return bits;
+ }
+@@ -687,7 +687,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s 
*metadata_db,
+   MMDB_INVALID_METADATA_ERROR);
+ 
+ mmdb->metadata.languages.count = 0;
+-mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+ if (NULL == mmdb->metadata.languages.names) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
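Review bot: the "calloc(array_size, sizeof(char *))" for mmdb->metadata.languages.names is the substantive change here: the array is zero-filled before the loop that fills it, so any error-path cleanup that walks the array (the "We assign this as we go" comment in the next hunk refers to exactly that case) sees NULL rather than uninitialized pointers in slots not yet assigned. The "mmdb->metadata.languages.count = 0;" line above it plays the same role for the count and should stay; together they are what make partial-failure cleanup safe.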
+@@ -705,7 +705,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s 
*metadata_db,
+ if (NULL == mmdb->metadata.languages.names[i]) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+-// We assign this as we go so that if we fail a malloc and need to
++// We assign this