Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-27 Thread Gregor Jasny

Control: tags -1 - moreinfo

Hello,

On 27.05.23 08:19, Paul Gevers wrote:
> Please go ahead, taking into account that the build needs to be done 
> before tomorrow 12:00 UTC. Remove the moreinfo tag once the upload 
> happened.


I just uploaded to ftp-master.

Thanks,
Gregor



Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-27 Thread Paul Gevers

Control: tags -1 confirmed moreinfo

Hi,

On 23-05-2023 08:44, Gregor Jasny wrote:

> yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.


Please go ahead, taking into account that the build needs to be done 
before tomorrow 12:00 UTC. Remove the moreinfo tag once the upload happened.



> On the experimental branch I enabled the unit and integration tests:
> would you consider that commit as acceptable, too?
> https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09


If I understand correctly that this thus works on all architectures, 
yes. I don't want to risk it causing a build to fail at this moment, 
because we have no time to repair it.


Paul




Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-26 Thread Salvatore Bonaccorso

Hi Gregor,

On Tue, May 23, 2023 at 02:56:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Gregor,
> 
> On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: c-a...@packages.debian.org
> > Control: affects -1 + src:c-ares
> > 
> > Hello,
> > 
> > [ Reason ]
> > 
> > yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
> > The Debian Security team considers two of them relevant for Debian and
> > I'd like to cherry-pick them into the unstable package so that the fixes
> > can migrate to Bookworm.
> > 
> > Attached you'll find the debdiff. The changes are also visible in Salsa:
> > https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
> > 
> > [ Impact ]
> > 
> > CVE-2023-31130 has a CVSS score of 4.1
> > CVE-2023-32067 has a CVSS score of 7.5
> > 
> > [ Tests ]
> > 
> > On the experimental branch I enabled the unit and integration tests:
> > would you consider that commit as acceptable, too?
> > https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> > 
> > [ Risks ]
> > 
> > The fix for the 0-byte DoS issue seems to be straightforward.
> > The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> > is covered by the unit tests.
> > 
> > Both changes are part of the 1.19.1 release which built and passed
> > tests on experimental (except Hurd):
> > https://buildd.debian.org/status/package.php?p=c-ares=experimental
> > 
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> > 
> > unblock c-ares/1.18.1-3
> 
> Glad to see you worked on it already. I was on it today to propose an
> NMU, due to the deadline for bookworm approaching quickly, until
> Moritz pointed out to me that you had already filed an unblock
> request pre-approval.
> 
> Attached for reference is what I did, so that they match. Release team,
> can you accept it, as we would also like to see a bullseye-security
> upload for the same two CVEs and avoid a regression
> bullseye->bookworm?
> 
> Leaving open the question on enabling the testsuite.

Since the deadline for unblock requests is approaching quickly, I suggest
focusing on the isolated security fixes only. The last possibility to get
packages unblocked is 2023-05-28 12:00 UTC.

Regards,
Salvatore



Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-23 Thread Salvatore Bonaccorso

Hi Gregor,

On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: c-a...@packages.debian.org
> Control: affects -1 + src:c-ares
> 
> Hello,
> 
> [ Reason ]
> 
> yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
> The Debian Security team considers two of them relevant for Debian and
> I'd like to cherry-pick them into the unstable package so that the fixes
> can migrate to Bookworm.
> 
> Attached you'll find the debdiff. The changes are also visible in Salsa:
> https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
> 
> [ Impact ]
> 
> CVE-2023-31130 has a CVSS score of 4.1
> CVE-2023-32067 has a CVSS score of 7.5
> 
> [ Tests ]
> 
> On the experimental branch I enabled the unit and integration tests:
> would you consider that commit as acceptable, too?
> https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> 
> [ Risks ]
> 
> The fix for the 0-byte DoS issue seems to be straightforward.
> The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> is covered by the unit tests.
> 
> Both changes are part of the 1.19.1 release which built and passed
> tests on experimental (except Hurd):
> https://buildd.debian.org/status/package.php?p=c-ares=experimental
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock c-ares/1.18.1-3

Glad to see you worked on it already. I was on it today to propose an
NMU, due to the deadline for bookworm approaching quickly, until
Moritz pointed out to me that you had already filed an unblock
request pre-approval.

Attached for reference is what I did, so that they match. Release team,
can you accept it, as we would also like to see a bullseye-security
upload for the same two CVEs and avoid a regression
bullseye->bookworm?

Leaving open the question on enabling the testsuite.

Regards,
Salvatore
diff -Nru c-ares-1.18.1/debian/changelog c-ares-1.18.1/debian/changelog
--- c-ares-1.18.1/debian/changelog  2023-02-17 23:34:35.0 +0100
+++ c-ares-1.18.1/debian/changelog  2023-05-23 14:34:52.0 +0200
@@ -1,3 +1,11 @@
+c-ares (1.18.1-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)
+  * 0-byte UDP payload Denial of Service (CVE-2023-32067)
+
+ -- Salvatore Bonaccorso   Tue, 23 May 2023 14:34:52 +0200
+
 c-ares (1.18.1-2) unstable; urgency=medium
 
   * Add str len check in config_sortlist to avoid stack overflow
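
Review bot: both bullets in the new 1.18.1-2.1 entry name the bug rather than the change made (`* Buffer Underwrite in ares_inet_net_pton() (CVE-2023-31130)`, `* 0-byte UDP payload Denial of Service (CVE-2023-32067)`), and neither names the patch file being added under debian/patches; a changelog entry should state the action, e.g. `* Fix buffer underwrite in ares_inet_net_pton() (CVE-2023-31130)`, and naming the patch files makes the debdiff self-describing. `urgency=high` is the right choice for an upload that consists only of CVE fixes.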
diff -Nru c-ares-1.18.1/debian/patches/CVE-2023-31130.diff 
c-ares-1.18.1/debian/patches/CVE-2023-31130.diff
--- c-ares-1.18.1/debian/patches/CVE-2023-31130.diff1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.18.1/debian/patches/CVE-2023-31130.diff2023-05-23 
14:34:52.0 +0200
@@ -0,0 +1,325 @@
+From: Brad House 
+Date: Mon, 22 May 2023 06:51:34 -0400
+Subject: Merge pull request from GHSA-x6mf-cxr9-8q6v
+Origin: 
https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-31130
+
+* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares.
+* Always use our own IP conversion functions now, do not delegate to OS
+  so we can have consistency in testing and fuzzing.
+* Removed bogus test cases that never should have passed.
+* Add new test case for crash bug found.
+
+Fix By: Brad House (@bradh352)
+---
+ src/lib/inet_net_pton.c| 155 -
+ test/ares-test-internal.cc |   7 +-
+ 2 files changed, 86 insertions(+), 76 deletions(-)
+
+diff --git a/src/lib/inet_net_pton.c b/src/lib/inet_net_pton.c
+index 840de5065290..fc50425b8ea2 100644
+--- a/src/lib/inet_net_pton.c
 b/src/lib/inet_net_pton.c
+@@ -1,19 +1,20 @@
+ 
+ /*
+- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2012 by Gilles Chehade 
+  * Copyright (c) 1996,1999 by Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+  * copyright notice and this permission notice appear in all copies.
+  *
+- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ * THE SOFTWARE IS PROVIDED "AS 
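
Review bot: the nested `+++ b/src/lib/inet_net_pton.c` header is rendered here as ` b/src/lib/inet_net_pton.c` with its leading `+` characters lost, and the `diff -Nru` file header and the `Origin:` URL are wrapped onto two lines, so the debdiff as it appears in the mail body will not apply with `patch`; review and apply it from the attachment. In the DEP-3 header, `Origin:` and `Bug-Debian-Security:` are present, but there is no `Applied-Upstream:` field recording that the commit is part of the 1.19.1 release, which the cover mail states; adding it documents when the patch can be dropped. The hunk is cut off inside the upstream commit's license-header change, so the functional fix to inet_net_pton_ipv6() is not visible here and cannot be reviewed from this mail.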

Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-23 Thread Gregor Jasny

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: c-a...@packages.debian.org
Control: affects -1 + src:c-ares

Hello,

[ Reason ]

yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
The Debian Security team considers two of them relevant for Debian and
I'd like to cherry-pick them into the unstable package so that the fixes
can migrate to Bookworm.

Attached you'll find the debdiff. The changes are also visible in Salsa:
https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false

[ Impact ]

CVE-2023-31130 has a CVSS score of 4.1
CVE-2023-32067 has a CVSS score of 7.5

[ Tests ]

On the experimental branch I enabled the unit and integration tests:
would you consider that commit as acceptable, too?
https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09

[ Risks ]

The fix for the 0-byte DoS issue seems to be straightforward.
The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
is covered by the unit tests.

Both changes are part of the 1.19.1 release which built and passed
tests on experimental (except Hurd):
https://buildd.debian.org/status/package.php?p=c-ares=experimental

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock c-ares/1.18.1-3

Thanks,
Gregor
diff -Nru c-ares-1.18.1/debian/changelog c-ares-1.18.1/debian/changelog
--- c-ares-1.18.1/debian/changelog  2023-02-17 23:34:35.0 +0100
+++ c-ares-1.18.1/debian/changelog  2023-05-23 07:58:02.0 +0200
@@ -1,3 +1,10 @@
+c-ares (1.18.1-3) unstable; urgency=medium
+
+  * Fix buffer underwrite in ares_inet_net_pton (CVE-2023-31130)
+  * Zero byte UDP packet causes DoS (CVE-2023-32067)
+
+ -- Gregor Jasny   Tue, 23 May 2023 07:58:02 +0200
+
 c-ares (1.18.1-2) unstable; urgency=medium
 
   * Add str len check in config_sortlist to avoid stack overflow
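
Review bot: `urgency=medium` on an upload whose only two changes are CVE fixes differs from the `urgency=high` used by the NMU debdiff in this thread; security-only uploads are normally made with `urgency=high` (during the freeze the unblock is what moves the package, so this is a consistency point, not a blocker). The second bullet, `* Zero byte UDP packet causes DoS (CVE-2023-32067)`, describes the bug rather than the fix; phrase it like the first bullet, e.g. `* Fix DoS on zero-byte UDP packet (CVE-2023-32067)`, and consider naming the patch files added under debian/patches so the changelog matches the checklist claim that all changes are documented.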
diff -Nru c-ares-1.18.1/debian/patches/CVE-2023-31130.diff 
c-ares-1.18.1/debian/patches/CVE-2023-31130.diff
--- c-ares-1.18.1/debian/patches/CVE-2023-31130.diff1970-01-01 
01:00:00.0 +0100
+++ c-ares-1.18.1/debian/patches/CVE-2023-31130.diff2023-05-23 
07:57:13.0 +0200
@@ -0,0 +1,319 @@
+From f22cc01039b6473b736d3bf438f56a2654cdf2b2 Mon Sep 17 00:00:00 2001
+From: Brad House 
+Date: Mon, 22 May 2023 06:51:34 -0400
+Subject: [PATCH 2/3] Merge pull request from GHSA-x6mf-cxr9-8q6v
+Applied-Upstream: 1.19.1, 
https://github.com/c-ares/c-ares/commit/f22cc01039b6473b736d3bf438f56a2654cdf2b2
+Bug: https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v
+
+* Merged latest OpenBSD changes for inet_net_pton_ipv6() into c-ares.
+* Always use our own IP conversion functions now, do not delegate to OS
+  so we can have consistency in testing and fuzzing.
+* Removed bogus test cases that never should have passed.
+* Add new test case for crash bug found.
+
+Fix By: Brad House (@bradh352)
+---
+ src/lib/inet_net_pton.c| 155 -
+ test/ares-test-internal.cc |   7 +-
+ 2 files changed, 86 insertions(+), 76 deletions(-)
+
+--- a/src/lib/inet_net_pton.c
 b/src/lib/inet_net_pton.c
+@@ -1,19 +1,20 @@
+ 
+ /*
+- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (c) 2012 by Gilles Chehade 
+  * Copyright (c) 1996,1999 by Internet Software Consortium.
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+  * copyright notice and this permission notice appear in all copies.
+  *
+- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+- * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
++ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 
WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
++ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
++ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
++ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
++ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
++ * SOFTWARE.
+  */
+ 
+ #include "ares_setup.h"
+@@ -35,9 +36,6 @@
+ 
+ const struct ares_in6_addr ares_in6addr_any = { { { 
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } };
+ 
+-
+-#ifndef
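
Review bot: the DEP-3 header here records `Applied-Upstream: 1.19.1, <upstream commit URL>` and `Bug: <GHSA advisory URL>`, which is the more complete of the two header sets in this thread (it names both the upstream release that contains the fix and the advisory); keep it as is. As in the NMU debdiff, the nested `+++ b/src/lib/inet_net_pton.c` line is rendered as ` b/src/lib/inet_net_pton.c` with its `+` prefixes lost, and long lines (`IMPLIED`/`WARRANTIES`, the `diff -Nru` header, the `Applied-Upstream:` URL) are wrapped by the mail client, so the patch must be taken from the attachment rather than from this rendering. The hunk header `@@ -0,0 +1,319 @@` differs from the NMU's `@@ -0,0 +1,325 @@` for the same upstream commit, so the two patch files are not identical despite the NMU mail's intent that they match; diff the two attachments before deciding which one goes to bullseye-security. The hunk is cut off at `+-#ifndef`, so the functional change is not reviewable from the mail.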