Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: p...@packages.debian.org, david.polver...@gmail.com
Control: affects -1 + src:pev

Please unblock package pev

[ Reason ]
As per https://udd.debian.org/cgi-bin/key_packages.yaml.cgi, pev is
considered a key package. The version in testing (0.81-8) suffers from
an important bug (#1034725). As such, it will not be removed if the
fixed version doesn't migrate to testing.

[ Impact ]
If pev/0.81-9 does not migrate to testing, bookworm users will likely
install and use an exploitable version of pev at release. If used to
open a maliciously crafted PE file, it might result in the compromise of
the user's machine. There is a link to a PoC video demonstrating the
exploitability of the bug at the closed upstream issue [1].

[1] https://github.com/merces/libpe/issues/35

[ Tests ]
No existing automated or manual tests exercise the affected code.

[ Risks ]
The changes made to the package are trivial. The applied patch
originated from upstream, and its changes are minimal. There is more
risk in not applying the patch than in applying it.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock pev/0.81-9
diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog
--- pev-0.81/debian/changelog   2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/changelog   2023-04-22 19:41:47.000000000 +0000
@@ -1,3 +1,17 @@
+pev (0.81-9) unstable; urgency=medium
+
+  [ Debian Janitor ]
+  * Use secure URI in Homepage field.
+  * Update standards version to 4.6.2, no changes needed.
+
+  [ David da Silva Polverari ]
+  * debian/copyright: updated packaging copyright years.
+  * debian/patches/0006-fix-bo-pe_exports.patch: created to fix a buffer
+    overflow vulnerability present on libpe's pe_exports function
+    (CVE-2021-45423). (Closes: #1034725)
+
+ -- David da Silva Polverari <david.polver...@gmail.com>  Sat, 22 Apr 2023 
19:41:47 +0000
+
 pev (0.81-8) unstable; urgency=medium
 
   * debian/control: bumped Standards-Version to 4.6.1.
diff -Nru pev-0.81/debian/control pev-0.81/debian/control
--- pev-0.81/debian/control     2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/control     2023-04-22 19:41:47.000000000 +0000
@@ -1,9 +1,9 @@
 Source: pev
 Maintainer: David da Silva Polverari <david.polver...@gmail.com>
-Homepage: http://pev.sourceforge.net
+Homepage: https://pev.sourceforge.net
 Section: utils
 Priority: optional
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Build-Depends: debhelper-compat (= 13), libssl-dev
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/debian/pev
diff -Nru pev-0.81/debian/copyright pev-0.81/debian/copyright
--- pev-0.81/debian/copyright   2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/copyright   2023-04-22 19:41:47.000000000 +0000
@@ -59,7 +59,7 @@
            2016-2021 Petter Reinholdtsen <p...@debian.org>
            2017      Adam Borowski <kilob...@angband.pl>
            2020      Adrian Bunk <b...@debian.org>
-           2021-2022 David da Silva Polverari <david.polver...@gmail.com>
+           2021-2023 David da Silva Polverari <david.polver...@gmail.com>
            2021      Jelmer Vernooij <jel...@debian.org>
 License: BSD-3-Clause
 
diff -Nru pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch 
pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch
--- pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch        1970-01-01 
00:00:00.000000000 +0000
+++ pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch        2023-04-22 
19:41:47.000000000 +0000
@@ -0,0 +1,28 @@
+Description: fix a buffer overflow vulnerability (CVE-2021-45423)
+ A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function
+ from exports.c. The array offsets_to_Names is dynamically allocated on the
+ stack using exp->NumberOfFunctions as its size. However, the loop uses
+ exp->NumberOfNames to iterate over it and set its components value. Therefore,
+ the loop code assumes that exp->NumberOfFunctions is greater than ordinal at
+ each iteration. This can lead to arbitrary code execution.
+Author: Saullo Carvalho Castelo Branco <saullocarva...@gmail.com>
+Origin: upstream, 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Bug: https://github.com/merces/libpe/issues/35
+Bug-Debian: https://bugs.debian.org/1034725
+Applied-Upstream: 
https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Last-Update: 2023-04-22
+
+--- pev-0.81.orig/lib/libpe/exports.c
++++ pev-0.81/lib/libpe/exports.c
+@@ -130,7 +130,10 @@ pe_exports_t *pe_exports(pe_ctx_t *ctx)
+ 
+               const uint32_t entry_name_rva = *entry_name_list;
+               const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva);
+-              offsets_to_Names[ordinal] = entry_name_ofs;
++
++        if (ordinal < exp->NumberOfFunctions) {
++            offsets_to_Names[ordinal] = entry_name_ofs;
++        }
+       }
+ 
+       //
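Review bot: the guard added at `if (ordinal < exp->NumberOfFunctions)` stops the out-of-bounds write but silently drops any name entry whose ordinal is not below NumberOfFunctions; an export directory that claims more names than functions is malformed input, so consider reporting it (a warning or an error return, whichever pe_exports uses elsewhere for bad headers) instead of continuing quietly. The replacement lines are also indented differently from the line they replace (compare `+-              offsets_to_Names[ordinal] = entry_name_ofs;` with `++            offsets_to_Names[ordinal] = entry_name_ofs;`), which suggests a tabs/spaces mismatch; match the file's existing indentation. Finally, the description says offsets_to_Names is allocated on the stack with exp->NumberOfFunctions as its size, and that value is attacker controlled; this hunk only bounds the index, not the allocation size, so a very large NumberOfFunctions still produces a very large stack array. That is acceptable for a minimal freeze-time fix taken from upstream, but it is worth a follow-up that caps the size or moves the array to the heap.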
diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series
--- pev-0.81/debian/patches/series      2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/patches/series      2023-04-22 19:41:47.000000000 +0000
@@ -3,3 +3,4 @@
 0003-makefile-reproducible.patch
 0004-avoid-fixed-path.patch
 0005-fix-ftbs-hurd-kfreebsd.patch
+0006-fix-bo-pe_exports.patch
