Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
Hi there,
This is a buster proposed update to fix CVE-2020-28241:
| libmaxminddb before 1.4.3 has a heap-based buffer over-read in
| dump_entry_data_list in maxminddb.c.
The security team has marked the CVE as " (Minor issue)", and
filed #973878 against the package.
The fix was part of the 1.4.3 upstream version; bullseye has 1.4.3-1,
sid has 1.5.0-1, so it's fixed in both.
You'll find the source debdiff below (and also in salsa).
Thanks!
Faidon
diff -Nru libmaxminddb-1.3.2/debian/changelog
libmaxminddb-1.3.2/debian/changelog
--- libmaxminddb-1.3.2/debian/changelog 2018-05-26 19:37:59.0 +0300
+++ libmaxminddb-1.3.2/debian/changelog 2021-01-10 21:10:00.0 +0200
@@ -1,3 +1,10 @@
+libmaxminddb (1.3.2-1+deb10u1) buster; urgency=medium
+
+ * Backport upstream fix for CVE-2020-28241, heap-based buffer over-read in
+dump_entry_data_list in maxminddb.c. (Closes: #973878)
+
+ -- Faidon Liambotis Sun, 10 Jan 2021 21:10:00 +0200
+
libmaxminddb (1.3.2-1) unstable; urgency=medium
* New upstream release.
diff -Nru libmaxminddb-1.3.2/debian/gbp.conf libmaxminddb-1.3.2/debian/gbp.conf
--- libmaxminddb-1.3.2/debian/gbp.conf 2018-05-26 19:28:43.0 +0300
+++ libmaxminddb-1.3.2/debian/gbp.conf 2021-01-10 21:10:00.0 +0200
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-tree=tag
-debian-branch=debian
+debian-branch=debian/buster
upstream-tag = %(version)s
no-create-orig = False
submodules = True
diff -Nru libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch
libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch
--- libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 1970-01-01
02:00:00.0 +0200
+++ libmaxminddb-1.3.2/debian/patches/0002-CVE-2020-28241.patch 2021-01-10
21:10:00.0 +0200
@@ -0,0 +1,113 @@
+From: Gregory Oschwald
+Date: Wed, 5 Aug 2020 14:16:17 -0700
+Subject: [PATCH] Replace most malloc uses with calloc
+
+Closes #236.
+---
+ bin/mmdblookup.c| 2 +-
+ doc/libmaxminddb.md | 2 +-
+ src/maxminddb.c | 16
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c
+index 030d88c..513ad2d 100644
+--- a/bin/mmdblookup.c
b/bin/mmdblookup.c
+@@ -263,7 +263,7 @@ LOCAL const char **get_options(
+ }
+
+ const char **lookup_path =
+-malloc(sizeof(const char *) * ((argc - optind) + 1));
++calloc((argc - optind) + 1, sizeof(const char *));
+ int i;
+ for (i = 0; i < argc - optind; i++) {
+ lookup_path[i] = argv[i + optind];
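Review bot: The `calloc` result assigned to `lookup_path` is written through by the loop that follows (`lookup_path[i] = argv[i + optind];`) with no NULL check in between, so an allocation failure becomes a NULL pointer write. Zeroing the array is still an improvement, since the extra `+ 1` slot (presumably the list terminator) is now NULL from the start. A guard before the loop would close the gap, e.g. `if (NULL == lookup_path) { fprintf(stderr, "Out of memory\n"); exit(1); }`, adjusted to however this tool reports fatal errors. get_options starts and ends outside this hunk.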
+diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md
+index e6de9d5..15433c3 100644
+--- a/doc/libmaxminddb.md
b/doc/libmaxminddb.md
+@@ -307,7 +307,7 @@ libmaxminddb code.
+
+ The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this
structure
+ are all pointers directly into the database's data section. This can either be
+-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will
++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will
+ become invalid after `MMDB_close()` is called.
+
+ If you need to refer to this data after that time you should copy the data
+diff --git a/src/maxminddb.c b/src/maxminddb.c
+index 7580e1e..ec547d6 100644
+--- a/src/maxminddb.c
b/src/maxminddb.c
+@@ -35,7 +35,7 @@
+ do {\
+ char *binary = byte_to_binary(byte);\
+ if (NULL == binary) { \
+-fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \
++fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \
+ abort();\
+ } \
+ fprintf(stderr, fmt "\n", binary); \
+@@ -54,7 +54,7 @@
+ #ifdef MMDB_DEBUG
+ DEBUG_FUNC char *byte_to_binary(uint8_t byte)
+ {
+-char *bits = malloc(sizeof(char) * 9);
++char *bits = calloc(9, sizeof(char));
+ if (NULL == bits) {
+ return bits;
+ }
+@@ -687,7 +687,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s
*metadata_db,
+ MMDB_INVALID_METADATA_ERROR);
+
+ mmdb->metadata.languages.count = 0;
+-mmdb->metadata.languages.names = malloc(array_size * sizeof(char *));
++mmdb->metadata.languages.names = calloc(array_size, sizeof(char *));
+ if (NULL == mmdb->metadata.languages.names) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
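Review bot: The switch to `calloc` for `languages.names` carries no comment saying why, and the reason matters to anyone backporting or refactoring this allocation. Unlike `malloc(array_size * sizeof(char *))`, `calloc(array_size, sizeof(char *))` fails cleanly if the product overflows and leaves every slot NULL until it is assigned. `array_size` presumably derives from the database's metadata section, i.e. from file content, so both properties are worth stating. Suggest adding `/* calloc: overflow-checked size; unassigned names[] slots stay NULL */` above the call. populate_languages_metadata begins and ends outside this hunk.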
+@@ -705,7 +705,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s
*metadata_db,
+ if (NULL == mmdb->metadata.languages.names[i]) {
+ return MMDB_OUT_OF_MEMORY_ERROR;
+ }
+-// We assign this as we go so that if we fail a malloc and need to
++// We assign this