Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1

2018-02-25 Thread Adam D. Barratt
Control: tags -1 + pending

On Fri, 2018-02-23 at 19:13 +0100, Salvatore Bonaccorso wrote:
> Hi Adam,
> 
> On Fri, Feb 23, 2018 at 05:38:15PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sun, 2018-02-11 at 11:10 +0100, Salvatore Bonaccorso wrote:
> > > +uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
> > > +
> > > +  * Non-maintainer upload.
> > > +  * Stack-based buffer overflow in uwsgi_expand_path function
> > > (CVE-
> > > 2018-6758)
> > > +(Closes: #889753)
> > > 
> > 
> > Please go ahead.
> 
> Thanks a lot, I have uploaded the package.
> 

Flagged for acceptance into p-u; thanks.

Regards,

Adam



Processed: Re: Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1

2018-02-25 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #890105 [release.debian.org] stretch-pu: package 
uwsgi/2.0.14+20161117-3+deb9u1
Added tag(s) pending.

-- 
890105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1

2018-02-23 Thread Salvatore Bonaccorso
Hi Adam,

On Fri, Feb 23, 2018 at 05:38:15PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2018-02-11 at 11:10 +0100, Salvatore Bonaccorso wrote:
> > +uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
> > +
> > +  * Non-maintainer upload.
> > +  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-
> > 2018-6758)
> > +(Closes: #889753)
> > 
> 
> Please go ahead.

Thanks a lot, I have uploaded the package.

Regards,
Salvatore



Processed: Re: Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1

2018-02-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #890105 [release.debian.org] stretch-pu: package 
uwsgi/2.0.14+20161117-3+deb9u1
Added tag(s) confirmed.

-- 
890105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890105
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1

2018-02-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2018-02-11 at 11:10 +0100, Salvatore Bonaccorso wrote:
> +uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-
> 2018-6758)
> +(Closes: #889753)
> 

Please go ahead.

Regards,

Adam



Bug#890105: stretch-pu: package uwsgi/2.0.14+20161117-3+deb9u1

2018-02-11 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi

The attached debdiff addresses CVE-2018-6758 / 889753 for uwsgi in
stretch. Cf.
http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The
issue does not warrant a DSA.

+uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+(Closes: #889753)

Can it be considered for the upcoming stretch point release?

Regards,
Salvatore
diff -Nru uwsgi-2.0.14+20161117/debian/changelog 
uwsgi-2.0.14+20161117/debian/changelog
--- uwsgi-2.0.14+20161117/debian/changelog  2016-12-07 17:01:16.0 
+0100
+++ uwsgi-2.0.14+20161117/debian/changelog  2018-02-06 22:31:14.0 
+0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.14+20161117-3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+(Closes: #889753)
+
+ -- Salvatore Bonaccorso   Tue, 06 Feb 2018 22:31:14 +0100
+
 uwsgi (2.0.14+20161117-3) unstable; urgency=medium
 
   * Add patch 1007 to fix build router_basicauth for GNU/kFreeBSD.
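
Review bot: the new changelog bullet "Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)" names the defect rather than the change made. Consider wording it as the fix and naming the patch file added under debian/patches, so the entry can be matched to the new line in debian/patches/series.
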
diff -Nru 
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
 
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
--- 
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
1970-01-01 01:00:00.0 +0100
+++ 
uwsgi-2.0.14+20161117/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
2018-02-06 22:31:14.0 +0100
@@ -0,0 +1,46 @@
+From: Unbit 
+Date: Tue, 6 Feb 2018 16:01:47 +0100
+Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack
+ corruption and potential security issue
+Origin: 
https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
+Bug-Debian: https://bugs.debian.org/889753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758
+
+---
+ core/utils.c | 11 ---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/core/utils.c b/core/utils.c
+index b4c98dfd..fd886932 100644
+--- a/core/utils.c
 b/core/utils.c
+@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, 
pid_t pid) {
+ }
+ 
+ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+-  char src[PATH_MAX + 1];
+-  memcpy(src, dir, dir_len);
+-  src[dir_len] = 0;
++  if (dir_len > PATH_MAX)
++  {
++  uwsgi_log("invalid path size: %d (max %d)\n", dir_len, 
PATH_MAX);
++  return NULL;
++  }
++  char *src = uwsgi_concat2n(dir, dir_len, "", 0);
+   char *dst = ptr;
+   if (!dst)
+   dst = uwsgi_malloc(PATH_MAX + 1);
+@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char 
*ptr) {
+   uwsgi_error_realpath(src);
+   if (!ptr)
+   free(dst);
++  free(src);
+   return NULL;
+   }
++  free(src);
+   return dst;
+ }
+ 
+-- 
+2.11.0
+
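
Review bot: the new guard in uwsgi_expand_path() checks only the upper bound, "if (dir_len > PATH_MAX)", while dir_len is declared as a signed int, so a negative value passes the check and is handed to uwsgi_concat2n() as a length. Suggest "if (dir_len < 0 || dir_len > PATH_MAX)" so both ends are rejected before the copy. The early "return NULL" is also a new failure path next to the existing realpath one, so it is worth confirming that every caller already treats a NULL return as an error.
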
diff -Nru uwsgi-2.0.14+20161117/debian/patches/series 
uwsgi-2.0.14+20161117/debian/patches/series
--- uwsgi-2.0.14+20161117/debian/patches/series 2016-12-07 16:24:30.0 
+0100
+++ uwsgi-2.0.14+20161117/debian/patches/series 2018-02-06 22:31:14.0 
+0100
@@ -1,4 +1,5 @@
 020161123~6b48ac0.patch
+0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
 1001_avoid_setting_RPATH.patch
 1002_fix-reload-process-name.patch
 1003_remove-php-libs.patch
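
Review bot: the added series entry "0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch" keeps its git format-patch name, which is cut off mid-phrase at "avoiding" and does not follow the 1001_, 1002_, 1003_ numbering of the entries after it. If its position ahead of the 1001_ patches is deliberate, a name that fits the existing scheme and mentions CVE-2018-6758 would make the ordering and purpose clearer.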