Processed: Re: Bug#1023263: bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1

2022-11-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1023263 [release.debian.org] bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1
Added tag(s) confirmed.

-- 
1023263: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023263
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1023263: bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1

2022-11-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2022-11-01 at 12:24 +0100, Tobias Frost wrote:
> I'm currently preparing a security update for clickhouse for LTS.
> As the versions are quite similar, I've also prepared an update for
> bullseye,
> even if the issues are marked "minor".
> 
> The CVEs are:
> CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
> (Details on them are in #1008216)
> 

Please go ahead.

Regards,

Adam



Bug#1023263: bullseye-pu: package clickhouse/18.16.1+ds-4+deb10u1

2022-11-01 Thread Tobias Frost
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi Release-Team,

[ Reason ]

I'm currently preparing a security update for clickhouse for LTS.
As the versions are quite similar, I've also prepared an update for bullseye,
even if the issues are marked "minor".

The CVEs are:
CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
(Details on them are in #1008216)

I've checked with the security team and they indicated that this
might be something for stable-proposed-updates.

The changes are on this branch:
https://salsa.debian.org/debian/ClickHouse/-/commits/debian/bullseye

[ Impact ]

The assessment in #1008216 is:
By triggering the vulnerabilities, an attacker can crash the ClickHouse server,
leak memory contents or even cause remote code execution.

[ Tests ]

The package has an extensive test suite. I've also locally briefly
tested the package.

[ Risks ]

The change is cherry-picked from the upstream fix. Upstream has moved
source files around and restructured things, but the affected code
is the same. The upstream fix mentioned below also contains other
fixes, introduced in later -- not in Debian -- versions.
Upstream fix: https://github.com/ClickHouse/ClickHouse/pull/27136
Patch used: 
https://salsa.debian.org/debian/ClickHouse/-/blob/debian/bullseye/debian/patches/CVE-2021-4238x-and-4330x.patch

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [ ] the issue is verified as fixed in unstable
  The NMU fixing this is currently in DELAYED. (ETA Nov 5 ~13:00)

[ Changes ]

See patch.
(The remaining change is to salsa-ci configuration, to be able to utilize
the CI for testbuilds.)

[ Other info ]


Cheers,
-- 
tobi
diff -Nru clickhouse-18.16.1+ds/debian/changelog 
clickhouse-18.16.1+ds/debian/changelog
--- clickhouse-18.16.1+ds/debian/changelog  2020-12-03 20:45:03.0 
+0100
+++ clickhouse-18.16.1+ds/debian/changelog  2022-10-31 17:33:32.0 
+0100
@@ -1,3 +1,12 @@
+clickhouse (18.16.1+ds-7.2+deb11u1) bullseye-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Add Salsa CI config for bullseye.
+  * Fix CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+(Closes: #1008216)
+
+ -- Tobias Frost   Mon, 31 Oct 2022 17:33:32 +0100
+
 clickhouse (18.16.1+ds-7.2) unstable; urgency=medium
 
   [Balint Reczey]
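Review bot: the new stanza targets bullseye-security with "Non-maintainer upload by the Security Team", but this request is filed as bullseye-pu (Tags: bullseye, Usertags: pu), so the upload goes through proposed-updates and the distribution field should read bullseye. The version in the stanza (18.16.1+ds-7.2+deb11u1) also does not match the one in the bug title (18.16.1+ds-4+deb10u1); please align the two so the debdiff and the request refer to the same package version.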
diff -Nru clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 
clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
--- clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 
1970-01-01 01:00:00.0 +0100
+++ clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 
2022-10-31 17:25:21.0 +0100
@@ -0,0 +1,134 @@
+Description: Fix for CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, 
CVE-2021-43305
+ Cherry pick relevant parts from upstream PR, adapted to version in Debian.
+Origin: https://github.com/ClickHouse/ClickHouse/pull/27136
+Bug-Debian: https://bugs.debian.org/1008216
+Forwarded: no
+Applied-Upstream: yes, https://github.com/ClickHouse/ClickHouse/pull/27136
+Last-Update: 2022-10-30 
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/dbms/src/IO/LZ4_decompress_faster.cpp
 b/dbms/src/IO/LZ4_decompress_faster.cpp
+@@ -342,13 +342,16 @@
+ 
+ 
+ template 
+-void NO_INLINE decompressImpl(
++bool NO_INLINE decompressImpl(
+  const char * const source,
+  char * const dest,
++ size_t source_size,
+  size_t dest_size)
+ {
+ const UInt8 * ip = (UInt8 *)source;
+ UInt8 * op = (UInt8 *)dest;
++const UInt8 * const input_end = ip + source_size;
++UInt8 * const output_begin = op;
+ UInt8 * const output_end = op + dest_size;
+ 
+ while (1)
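Review bot: changing decompressImpl from void to bool and adding the source_size parameter only helps if every caller is updated to pass the compressed input length and to treat a false return as a decompression failure; that caller change is not visible in this part of the debdiff, so please confirm it is included, otherwise the new bounds checks return false into a value nobody looks at. A short comment above the function stating the return contract (true on success, false on truncated or malformed input) would also help whoever next touches this backport.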
+@@ -387,13 +390,19 @@
+ /// output: xyzHello, w
+ ///  ^-op (we will overwrite excessive bytes on next 
iteration)
+ 
+-wildCopy(op, ip, copy_end);/// Here we can write up 
to copy_amount - 1 bytes after buffer.
++{
++auto * target = std::min(copy_end, output_end);
++wildCopy(op, ip, target);/// Here we can write 
up to copy_amount - 1 bytes after buffer.
++
++if (target == output_end)
++return true;
++}
+ 
+ ip += length;
+ op = copy_end;
+ 
+-if (copy_end >= output_end)
+-return;
++if (unlikely(ip > input_end))
++return false;
+ 
+ /// Get match offset.
+ 
+@@ -401,6 +410,9 @@
+ ip += 2;
+ const UInt8 * match = op - offset;
+ 
++if (unlikely(match < output_begin))
++return false;
++
+ /// Get match length.
+ 
+ length = token & 0x0F;
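Review bot: rejecting match < output_begin is the right guard for offsets that point before the start of the output buffer. An offset of 0 (match == op) still passes this check, and the copy that follows would then copy a region onto itself; if the copy() in this tree does not tolerate that case, consider rejecting offset == 0 here as well.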
+@@ -441,7 +453,10 @@
+ 
+ copy(op, match);   /// copy_amount + copy_amount - 1 - 4 
* 2 bytes after buffer.