Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi
The attached debdiff adresses CVE-2018-6758 / 889753 for uwsgi in
stretch. Cf.
http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The
issue does not warrant a DSA.
+uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+(Closes: #889753)
Can it be considered for the upcoming stretch point release?
Regards,
Salvatore
diff -Nru uwsgi-2.0.14+20161117/debian/changelog
uwsgi-2.0.14+20161117/debian/changelog
--- uwsgi-2.0.14+20161117/debian/changelog 2016-12-07 17:01:16.0
+0100
+++ uwsgi-2.0.14+20161117/debian/changelog 2018-02-06 22:31:14.0
+0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+(Closes: #889753)
+
+ -- Salvatore Bonaccorso Tue, 06 Feb 2018 22:31:14 +0100
+
uwsgi (2.0.14+20161117-3) unstable; urgency=medium
* Add patch 1007 to fix build router_basicauth for GNU/kFreeBSD.
diff -Nru
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
---
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
1970-01-01 01:00:00.0 +0100
+++
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
2018-02-06 22:31:14.0 +0100
@@ -0,0 +1,46 @@
+From: Unbit
+Date: Tue, 6 Feb 2018 16:01:47 +0100
+Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack
+ corruption and potential security issue
+Origin:
https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
+Bug-Debian: https://bugs.debian.org/889753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758
+
+---
+ core/utils.c | 11 ---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/core/utils.c b/core/utils.c
+index b4c98dfd..fd886932 100644
+--- a/core/utils.c
b/core/utils.c
+@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name,
pid_t pid) {
+ }
+
+ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+- char src[PATH_MAX + 1];
+- memcpy(src, dir, dir_len);
+- src[dir_len] = 0;
++ if (dir_len > PATH_MAX)
++ {
++ uwsgi_log("invalid path size: %d (max %d)\n", dir_len,
PATH_MAX);
++ return NULL;
++ }
++ char *src = uwsgi_concat2n(dir, dir_len, "", 0);
+ char *dst = ptr;
+ if (!dst)
+ dst = uwsgi_malloc(PATH_MAX + 1);
+@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char
*ptr) {
+ uwsgi_error_realpath(src);
+ if (!ptr)
+ free(dst);
++ free(src);
+ return NULL;
+ }
++ free(src);
+ return dst;
+ }
+
+--
+2.11.0
+
diff -Nru uwsgi-2.0.14+20161117/debian/patches/series
uwsgi-2.0.14+20161117/debian/patches/series
--- uwsgi-2.0.14+20161117/debian/patches/series 2016-12-07 16:24:30.0
+0100
+++ uwsgi-2.0.14+20161117/debian/patches/series 2018-02-06 22:31:14.0
+0100
@@ -1,4 +1,5 @@
020161123~6b48ac0.patch
+0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
1001_avoid_setting_RPATH.patch
1002_fix-reload-process-name.patch
1003_remove-php-libs.patch