Bug#942110: stretch-pu: package gnustep-base/1.24.9-3.1+deb9u1

2019-10-11 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2019-10-10 at 16:42 +0300, Yavor Doganov wrote:
> I'd like to fix a vulnerability in the gdomap daemon (no DSA).  It is
> fixed in testing/unstable and already approved/uploaded for buster
> (release.d.o #940943).  The patch is the same.

Please go ahead.

Regards,

Adam



Bug#942110: stretch-pu: package gnustep-base/1.24.9-3.1+deb9u1

2019-10-10 Thread Yavor Doganov
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

I'd like to fix a vulnerability in the gdomap daemon (no DSA).  It is
fixed in testing/unstable and already approved/uploaded for buster
(release.d.o #940943).  The patch is the same.

Debdiff attached.
diff -Nru gnustep-base-1.24.9/debian/changelog 
gnustep-base-1.24.9/debian/changelog
--- gnustep-base-1.24.9/debian/changelog2017-02-02 21:12:50.0 
+0200
+++ gnustep-base-1.24.9/debian/changelog2019-10-10 08:33:21.0 
+0300
@@ -1,3 +1,12 @@
+gnustep-base (1.24.9-3.1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+amplification vulnerability.  Thanks to Alan Jenkins.
+  * debian/patches/series: Update.
+  * debian/gbp.conf: New file.
+
+ -- Yavor Doganov   Thu, 10 Oct 2019 08:33:21 +0300
+
 gnustep-base (1.24.9-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru gnustep-base-1.24.9/debian/gbp.conf 
gnustep-base-1.24.9/debian/gbp.conf
--- gnustep-base-1.24.9/debian/gbp.conf 1970-01-01 02:00:00.0 +0200
+++ gnustep-base-1.24.9/debian/gbp.conf 2019-10-10 08:33:08.0 +0300
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = stretch
diff -Nru gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch 
gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch   
1970-01-01 02:00:00.0 +0200
+++ gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch   
2019-10-10 08:32:24.0 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator.  The correct
+ bitwise operator is "&".  The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests.  This
+ request is only useful locally.  Do not allow remote requests for the
+ server list.  Our response can be large, so it would make a great UDP
+ amplification attack.
+ . 
+ Patch by Alan Jenkins ; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-10-10
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
 gnustep-base/Tools/gdomap.c
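Review bot: the DEP-3 header gives only an abbreviated hash, `Origin: upstream, commit:de9740c`; a full hash or the upstream commit URL makes the provenance unambiguous for anyone auditing the stable update later, and since the cover mail says this went to the Debian security team with no DSA, a Bug or Bug-Debian field pointing at the tracking bug would let users correlate the fix with the changelog entry.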
+@@ -419,7 +419,7 @@
+ 
+   for (i = 0; i < interfaces; i++)
+ {
+-  if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++  if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+   {
+ return 1;
+   }
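Review bot: the corrected test `if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))` is right, but nothing in the patch stops the pattern from coming back. With `&&` each side collapses to 0 or 1, so for a non-zero mask and interface address the old condition reduced to `1 == (a.s_addr != 0)`, true for every address except 0.0.0.0. Suggest adding a small regression test that registers one interface (say a /24) and asserts is_local_net() returns 0 for an address outside it, and grepping gdomap.c for `.s_addr &&` to confirm the occurrence fixed further down at the `@@ -3250` hunk was the last one.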
+@@ -3090,6 +3090,21 @@
+   unsigned inti;
+   unsigned intj;
+ 
++  /*
++   *  See if this is a request from a local process.
++   *
++   *  This request is only useful locally.  Do not allow remote
++   *  requests for the server list.  Our response can be large,
++   *  so it would make a great UDP amplification attack.
++   */
++  if (is_local_host(ri->addr.sin_addr) == 0)
++  {
++snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++gdomap_log(LOG_ERR);
++clear_chan(desc);
++return;
++  }
++
+   free(wi->buf);
+   wi->buf = (char*)calloc(sizeof(uint32_t)
+   + (prb_used+1)*IASIZE, 1);
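Review bot: the rejection path logs "Illegal attempt to list servers!" without the requester's address, which is the one datum an operator needs to tell a scanner from a spoofed source; suggest including it, e.g. `snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers from %s!", inet_ntoa(ri->addr.sin_addr));` since `ri->addr.sin_addr` is already a `struct in_addr` here. Because this is UDP with no handshake, anyone can now make the daemon emit one LOG_ERR line per spoofed packet, so consider rate-limiting or lowering the severity of this message to avoid trading a bandwidth amplifier for a log amplifier. Two things are right as written: the guard uses is_local_host() rather than the is_local_net() repaired above, which matches the stated intent of admitting only local processes rather than the local subnet, and it runs before `free(wi->buf)` and the calloc, so rejected requests do no allocation work.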
+@@ -3250,8 +3265,8 @@
+   {
+ continue;
+   }
+-if ((mask[i].s_addr && addr[i].s_addr) ==
+-  (mask[i].s_addr && ri->addr.sin_addr.s_addr))
++if ((mask[i].s_addr & addr[i].s_addr) ==
++  (mask[i].s_addr & ri->addr.sin_addr.s_addr))
+   {
+ laddr = addr[i];
+ memcpy(wbuf, &laddr, IASIZE);
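Review bot: with the corrected `(mask[i].s_addr & ri->addr.sin_addr.s_addr)` this loop can now complete without any interface matching, a path the old code never reached because the `&&` form made the first non-skipped interface match for any non-zero requester. The hunk does not show what `laddr` and `wbuf` hold after the loop in that case; please confirm the code following it handles the no-match outcome (a sane default written to wbuf, or the request declined) rather than replying with whatever the buffer already contained.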
diff -Nru gnustep-base-1.24.9/debian/patches/series 
gnustep-base-1.24.9/debian/patches/series
--- gnustep-base-1.24.9/debian/patches/series   2016-08-09 18:49:12.0 
+0300
+++ gnustep-base-1.24.9/debian/patches/series   2019-10-09 19:25:53.0 
+0300
@@ -19,3 +19,4 @@
 fix-gdnc.patch
 fix-tests-timings.patch
 fix-test-icu2.patch
+gdomap-udp-amplification.patch
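The `&&` versus `&` mistake that the patch above describes is easy to read past, so here is an added C example (not code from this thread or from gnustep-base) that puts the pre-patch and patched forms of the subnet test side by side over a constructed two-interface table and classifies a few probe addresses with each. The interface table, the probe addresses and the helper names `setup_demo_table`, `is_local_net_buggy`, `is_local_net_fixed` and `classify` are all assumptions made for the demo.

```c
/* Added example (not gnustep-base code): reproduces the "&&" versus "&"
 * netmask bug from the gdomap patch and its fix over a constructed table. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

#define MAX_IFACES 4

static struct in_addr addr[MAX_IFACES];   /* interface addresses (network order) */
static struct in_addr mask[MAX_IFACES];   /* matching netmasks */
static unsigned interfaces;

/* Populate the constructed interface table used by the demo:
 * 192.0.2.10/24 and 10.1.2.3/16. */
static void setup_demo_table(void)
{
    static const char *ips[]   = { "192.0.2.10",    "10.1.2.3" };
    static const char *masks[] = { "255.255.255.0", "255.255.0.0" };
    unsigned i;
    interfaces = 0;
    for (i = 0; i < 2; i++) {
        inet_pton(AF_INET, ips[i], &addr[interfaces]);
        inet_pton(AF_INET, masks[i], &mask[interfaces]);
        interfaces++;
    }
}

/* Pre-patch logic. "&&" is the logical operator: each side collapses to
 * 0 or 1, so with a non-zero mask and interface address the comparison is
 * 1 == (a.s_addr != 0), i.e. true for every address except 0.0.0.0. */
static int is_local_net_buggy(struct in_addr a)
{
    unsigned i;
    for (i = 0; i < interfaces; i++) {
        if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
            return 1;
    }
    return 0;
}

/* Patched logic. Bitwise "&" keeps only the network bits on both sides,
 * so the comparison is a real same-subnet test. */
static int is_local_net_fixed(struct in_addr a)
{
    unsigned i;
    for (i = 0; i < interfaces; i++) {
        if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
            return 1;
    }
    return 0;
}

/* Classify a dotted-quad string with both variants. Returns -1 for an
 * unparsable address, otherwise (buggy << 1) | fixed so both verdicts
 * are visible in one value. */
static int classify(const char *ip)
{
    struct in_addr a;
    setup_demo_table();
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    return (is_local_net_buggy(a) << 1) | is_local_net_fixed(a);
}

int main(void)
{
    /* Constructed probes: two on-net, two off-net, and the one address the
     * buggy version happens to reject. */
    static const char *probes[] = {
        "192.0.2.77", "10.1.200.1", "198.51.100.5", "203.0.113.9", "0.0.0.0"
    };
    unsigned i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int r = classify(probes[i]);
        printf("%-14s buggy=%d fixed=%d\n", probes[i], r >> 1, r & 1);
    }
    return 0;
}
```

Run it and the off-net probes 198.51.100.5 and 203.0.113.9 come back `buggy=1 fixed=0`, which is exactly the gap the amplification abuse went through: any non-zero remote source passed the "local" test. The `classify` helper returns both verdicts packed in one int purely so a test can assert on them; in real code you would keep the two functions apart and only ever ship the `&` form.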