Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3
Control: tags -1 - moreinfo

Hello,

On 27.05.23 08:19, Paul Gevers wrote:
> Please go ahead, taking into account that the build needs to be done
> before tomorrow 12:00 UTC. Remove the moreinfo tag once the upload
> happened.

I just uploaded to ftp-master.

Thanks,
Gregor
Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3
Control: tags -1 confirmed moreinfo

Hi,

On 23-05-2023 08:44, Gregor Jasny wrote:
> yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.

Please go ahead, taking into account that the build needs to be done
before tomorrow 12:00 UTC. Remove the moreinfo tag once the upload
happened.

> On the experimental branch I enabled the unit and integration tests:
> would you consider that commit as acceptable, too?
> https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09

If I understand correctly that this thus works on all architectures,
yes. I don't want the risk it causes a build to fail at this moment
because we have no time to repair.

Paul
Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3
Hi Gregor,

On Tue, May 23, 2023 at 02:56:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Gregor,
>
> On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: c-a...@packages.debian.org
> > Control: affects -1 + src:c-ares
> >
> > Hello,
> >
> > [ Reason ]
> >
> > yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
> > The Debian Security team considers two of them relevant for Debian and
> > I'd like to cherry-pick them into the unstable package so that the fixes
> > can migrate to Bookworm.
> >
> > Attached you'll find the debdiff. The changes are also visible in Salsa:
> > https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
> >
> > [ Impact ]
> >
> > CVE-2023-31130 has a CVSS score of 4.1
> > CVE-2023-32067 has a CVSS score of 7.5
> >
> > [ Tests ]
> >
> > On the experimental branch I enabled the unit and integration tests:
> > would you consider that commit as acceptable, too?
> > https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> >
> > [ Risks ]
> >
> > The fix for the 0-byte DoS issue seems to be straightforward.
> > The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> > is covered by the unit tests.
> >
> > Both changes are part of the 1.19.1 release which built and passed
> > tests on experimental (except Hurd):
> > https://buildd.debian.org/status/package.php?p=c-ares=experimental
> >
> > [ Checklist ]
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > unblock c-ares/1.18.1-3
>
> Glad to see you worked on it already. I was on it today to propose an
> NMU, due to the deadline for bookworm approaching quickly, until
> Moritz pointed out to me that you had already filed an unblock
> request pre-approval.
>
> Attached for reference what I did, and so they match. Release team,
> can you accept it as we would like to see as well a bullseye-security
> upload for the same two CVEs and avoid a regression
> bullseye->bookworm?
>
> Leaving open the question on enabling the testsuite.

Since the deadline for unblock requests is approaching quickly I suggest
focusing on the isolated security fixes only. Last possibility to get
packages unblocked is 2023-05-28 12:00 UTC.

Regards,
Salvatore
Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3
Hi Gregor,

On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: c-a...@packages.debian.org
> Control: affects -1 + src:c-ares
>
> Hello,
>
> [ Reason ]
>
> yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
> The Debian Security team considers two of them relevant for Debian and
> I'd like to cherry-pick them into the unstable package so that the fixes
> can migrate to Bookworm.
>
> Attached you'll find the debdiff. The changes are also visible in Salsa:
> https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
>
> [ Impact ]
>
> CVE-2023-31130 has a CVSS score of 4.1
> CVE-2023-32067 has a CVSS score of 7.5
>
> [ Tests ]
>
> On the experimental branch I enabled the unit and integration tests:
> would you consider that commit as acceptable, too?
> https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
>
> [ Risks ]
>
> The fix for the 0-byte DoS issue seems to be straightforward.
> The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> is covered by the unit tests.
>
> Both changes are part of the 1.19.1 release which built and passed
> tests on experimental (except Hurd):
> https://buildd.debian.org/status/package.php?p=c-ares=experimental
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock c-ares/1.18.1-3

Glad to see you worked on it already. I was on it today to propose an
NMU, due to the deadline for bookworm approaching quickly, until
Moritz pointed out to me that you had already filed an unblock
request pre-approval.

Attached for reference what I did, and so they match.
Release team, can you accept it as we would like to see as well a
bullseye-security upload for the same two CVEs and avoid a regression
bullseye->bookworm?

Leaving open the question on enabling the testsuite.

Regards,
Salvatore

diff -Nru c-ares-1.18.1/debian/changelog c-ares-1.18.1/debian/changelog --- c-ares-1.18.1/debian/changelog 2023-02-17 23:34:35.0 +0100 +++ c-ares-1.18.1/debian/changelog 2023-05-23 14:34:52.0 +0200 @@ -1,3 +1,11 @@ +c-ares (1.18.1-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130) + * 0-byte UDP payload Denial of Service (CVE-2023-32067) + + -- Salvatore Bonaccorso Tue, 23 May 2023 14:34:52 +0200 + c-ares (1.18.1-2) unstable; urgency=medium * Add str len check in config_sortlist to avoid stack overflow diff -Nru c-ares-1.18.1/debian/patches/CVE-2023-31130.diff c-ares-1.18.1/debian/patches/CVE-2023-31130.diff --- c-ares-1.18.1/debian/patches/CVE-2023-31130.diff1970-01-01 01:00:00.0 +0100 +++ c-ares-1.18.1/debian/patches/CVE-2023-31130.diff2023-05-23 14:34:52.0 +0200
@@ -0,0 +1,325 @@ +From: Brad House +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: Merge pull request from GHSA-x6mf-cxr9-8q6v +Origin: https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-31130 + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) +--- + src/lib/inet_net_pton.c| 155 - + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + +diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +index 840de5065290..fc50425b8ea2 100644 +--- a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * THE SOFTWARE IS PROVIDED "AS
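Review bot: this NMU copy of debian/patches/CVE-2023-31130.diff imports the same upstream commit f22cc01039b6473b736d3bf438f56a2654cdf2b2 as the maintainer's debdiff in this thread, yet it is 325 lines (`@@ -0,0 +1,325 @@`) against 319 there, and the DEP-3 headers differ (`Origin:` and `Bug-Debian-Security:` here, `Applied-Upstream:` and `Bug:` there). Since the stated goal is that the bullseye-security upload and the bookworm package match, whoever uploads should diff the two patch files and confirm that only the header differs and the hunks applied to src/lib/inet_net_pton.c and test/ares-test-internal.cc are byte-identical.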
Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: c-a...@packages.debian.org
Control: affects -1 + src:c-ares

Hello,

[ Reason ]

yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
The Debian Security team considers two of them relevant for Debian and
I'd like to cherry-pick them into the unstable package so that the fixes
can migrate to Bookworm.

Attached you'll find the debdiff. The changes are also visible in Salsa:
https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false

[ Impact ]

CVE-2023-31130 has a CVSS score of 4.1
CVE-2023-32067 has a CVSS score of 7.5

[ Tests ]

On the experimental branch I enabled the unit and integration tests:
would you consider that commit as acceptable, too?
https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09

[ Risks ]

The fix for the 0-byte DoS issue seems to be straightforward.
The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
is covered by the unit tests.

Both changes are part of the 1.19.1 release which built and passed
tests on experimental (except Hurd):
https://buildd.debian.org/status/package.php?p=c-ares=experimental

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock c-ares/1.18.1-3

Thanks,
Gregor

diff -Nru c-ares-1.18.1/debian/changelog c-ares-1.18.1/debian/changelog --- c-ares-1.18.1/debian/changelog 2023-02-17 23:34:35.0 +0100 +++ c-ares-1.18.1/debian/changelog 2023-05-23 07:58:02.0 +0200
@@ -1,3 +1,10 @@ +c-ares (1.18.1-3) unstable; urgency=medium + + * Fix buffer underwrite in ares_inet_net_pton (CVE-2023-31130) + * Zero byte UDP packet causes DoS (CVE-2023-32067) + + -- Gregor Jasny Tue, 23 May 2023 07:58:02 +0200 + c-ares (1.18.1-2) unstable; urgency=medium * Add str len check in config_sortlist to avoid stack overflow diff -Nru c-ares-1.18.1/debian/patches/CVE-2023-31130.diff c-ares-1.18.1/debian/patches/CVE-2023-31130.diff --- c-ares-1.18.1/debian/patches/CVE-2023-31130.diff1970-01-01 01:00:00.0 +0100 +++ c-ares-1.18.1/debian/patches/CVE-2023-31130.diff2023-05-23 07:57:13.0 +0200 
@@ -0,0 +1,319 @@ +From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001 +From: Brad House +Date: Mon, 22 May 2023 06:51:34 -0400 +Subject: [PATCH 2/3] Merge pull request from GHSA-x6mf-cxr9-8q6v +Applied-Upstream: 1.19.1, https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2 +Bug: https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v + +* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares. +* Always use our own IP conversion functions now, do not delegate to OS + so we can have consistency in testing and fuzzing. +* Removed bogus test cases that never should have passed. +* Add new test case for crash bug found. + +Fix By: Brad House (@bradh352) +--- + src/lib/inet_net_pton.c| 155 - + test/ares-test-internal.cc | 7 +- + 2 files changed, 86 insertions(+), 76 deletions(-) + +--- a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c +@@ -1,19 +1,20 @@ + + /* +- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") ++ * Copyright (c) 2012 by Gilles Chehade + * Copyright (c) 1996,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * +- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES +- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR +- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS ++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE ++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL ++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR ++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS ++ * SOFTWARE. + */ + + #include "ares_setup.h" +@@ -35,9 +36,6 @@ + + const struct ares_in6_addr ares_in6addr_any = { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }; + +- +-#ifndef
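Review bot: the DEP-3 header of debian/patches/CVE-2023-31130.diff keeps the git format-patch residue `Subject: [PATCH 2/3] Merge pull request from GHSA-x6mf-cxr9-8q6v` and has no link to the Debian security tracker; drop the `[PATCH 2/3]` prefix, which refers to an upstream series that is not being shipped as a whole, and add `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-31130` next to the existing `Applied-Upstream:` and `Bug:` fields, as the NMU candidate's header in this thread already does, so the patch can be traced from the tracker entry to the shipped file.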