buffer overflow vulnerability in netmask 2.3.12

2019-02-05 Thread Guilhem Moulin
Dear LTS team,

A buffer overflow vulnerability was recently found in the netmask
package (a small utility that helps determine network masks):

https://github.com/tlby/netmask/issues/3

The Security Team argued that the version in stretch (2.4.3-1) doesn't
warrant a DSA as the program is built with hardening options enabled
(thus turning the buffer overflow vulnerability into a harmless crash),
but that's not the case for the version in jessie (2.3.12), so I guess
it makes sense to upload a +deb8u1.

I attach a debdiff with a trivial fix backported from 2.4.4, more
specifically the ‘errors.c’ part of

https://github.com/tlby/netmask/commit/29a9c239bd1008363f5b34ffd6c2cef906f3660c

For convenience, you can also find the source package at

dget -x https://people.debian.org/~guilhem/tmp/netmask_2.3.12+deb8u1.dsc

Notes:
 * I only started maintaining this package after jessie was frozen, but
   the previous maintainer is no longer active and I thus took the
   liberty to update the ‘Maintainer’ field in d/control accordingly.
 * Before 2.4.2-1 the package was (incorrectly) native, so in this
   jessie-security package I applied the fix directly to the upstream
   source rather than going via a patch series.
 * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
   instructions regarding this.

Thanks!
-- 
Guilhem.
diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog
--- netmask-2.3.12/debian/changelog 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/changelog  2019-02-06 01:08:09.0 
+0100
@@ -1,3 +1,10 @@
+netmask (2.3.12+deb8u1) jessie-security; urgency=medium
+
+  * Fix buffer overflow vulnerability
+https://github.com/tlby/netmask/issues/3
+
+ -- Guilhem Moulin   Wed, 06 Feb 2019 01:08:09 +0100
+
 netmask (2.3.12) unstable; urgency=low
 
   * Include patches directly in source because it's a native package 
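Review bot: the new changelog entry at the top of this hunk records only the overflow fix, yet the same upload also changes the Maintainer field in debian/control; add a changelog line for that, and replace the bare issue URL with the CVE identifier once one is assigned (the cover mail says none has been filed yet).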
diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control
--- netmask-2.3.12/debian/control   2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/debian/control2019-02-06 01:08:09.0 
+0100
@@ -1,7 +1,7 @@
 Source: netmask
 Section: net
 Priority: optional
-Maintainer: Luis Uribe 
+Maintainer: Guilhem Moulin 
 Build-Depends: debhelper (>= 5), texinfo
 Standards-Version: 3.8.4
 
diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c
--- netmask-2.3.12/errors.c 2010-04-26 04:29:39.0 +0200
+++ netmask-2.3.12+deb8u1/errors.c  2019-02-06 01:04:57.0 +0100
@@ -66,7 +66,7 @@
 
 if(!show_status) return(0);
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 return(message(LOG_DEBUG, buf));
 }
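Review bot: `vsnprintf(buf, sizeof(buf), fmt, args)` on the `+` line is only a correct bound if `buf` is a fixed-size array in this function's scope (its declaration is outside the hunk); if it were a `char *`, `sizeof(buf)` would be the pointer size. The return value is also discarded, so an oversized message is silently truncated; that is acceptable for a debug message but deserves a comment.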
@@ -76,7 +76,7 @@
 va_list args;
 
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 return(message(LOG_WARNING, buf));
 }
@@ -86,7 +86,7 @@
 va_list args;
 
 va_start(args, fmt);
-vsprintf(buf, fmt, args);
+vsnprintf(buf, sizeof(buf), fmt, args);
 va_end(args);
 message(LOG_ERR, buf);
 exit(1);
@@ -97,7 +97,7 @@
 
 /* only handle errno if this is not an informational message */
 if(errno && priority < 5) {
-   sprintf(buf, "%s: %s", msg, strerror(errno));
+   snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
errno = 0;
 } else strcpy(buf, msg);
 if(use_syslog) syslog(priority, "%s", buf);
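Review bot: the `else strcpy(buf, msg);` line right after the changed `snprintf` is still an unbounded copy, so an over-long `msg` can overflow `buf` on the path where errno is zero; use `snprintf(buf, sizeof(buf), "%s", msg)` there as well. The magic number in `if(errno && priority < 5)` would read better as `priority <= LOG_WARNING`.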

DLA-1654-1 libav missing?

2019-02-05 Thread Antoine Beaupré
Hi,

It looks like no advisory was sent out for this upload.

I noticed this while auditing the website for missing advisories. You'll
be happy to know that with the current patchset, this is the only older
advisory missing until the 2018 gap due to the mailing list crash. :)
See also:

https://salsa.debian.org/webmaster-team/webwml/merge_requests/53

A.

On 2019-01-31 22:50:29, Mike Gabriel wrote:
> Format: 1.8
> Date: Mon, 21 Jan 2019 15:30:50 +0100
> Source: libav
> Binary: libav-tools libav-dbg libav-doc libavutil54 libavcodec56 
> libavdevice55 libavformat56 libavfilter5 libswscale3 libavutil-dev 
> libavcodec-dev libavdevice-dev libavformat-dev libavfilter-dev libswscale-dev 
> libavresample-dev libavresample2 libavcodec-extra-56 libavcodec-extra
> Architecture: source all amd64
> Version: 6:11.12-1~deb8u5
> Distribution: jessie-security
> Urgency: medium
> Maintainer: Debian Multimedia Maintainers 
> 
> Changed-By: Mike Gabriel 
> Description:
>  libav-dbg  - Debug symbols for Libav related packages
>  libav-doc  - Documentation of the Libav API
>  libav-tools - Multimedia player, encoder and transcoder
>  libavcodec-dev - Development files for libavcodec
>  libavcodec-extra - Libav codec library (additional codecs meta-package)
>  libavcodec-extra-56 - Libav codec library (additional codecs)
>  libavcodec56 - Libav codec library
>  libavdevice-dev - Development files for libavdevice
>  libavdevice55 - Libav device handling library
>  libavfilter-dev - Development files for libavfilter
>  libavfilter5 - Libav video filtering library
>  libavformat-dev - Development files for libavformat
>  libavformat56 - Libav file format library
>  libavresample-dev - Development files for libavresample
>  libavresample2 - Libav audio resampling library
>  libavutil-dev - Development files for libavutil
>  libavutil54 - Libav utility library
>  libswscale-dev - Development files for libswscale
>  libswscale3 - Libav video scaling library
> Changes:
>  libav (6:11.12-1~deb8u5) jessie-security; urgency=medium
>  .
>* Non-maintainer upload by the LTS team.
>* CVE-2015-1207: avformat/mov: Fix integer overflow in
>  mov_read_udta_string().
>* CVE-2017-14169: In mxf_read_primer_pack() function, catch item_num
>  being negative, to avoid bypassing the check for a large value.
>* CVE-2017-14223: avformat/asfdec: Fix DoS in asf_build_simple_index().
>  Fix missing EOF check in loop.
>* CVE-2017-7863: Bail out if trns was found before IHDR or IDAT in PNG 
> data.
>* CVE-2014-8542: Add case for jv to avcodec_align_dimensions2().
>* CVE-2017-7865: Add case for interplay_video to 
> avcodec_align_dimensions2().

Accepted rssh 2.3.4-4+deb8u2 (source amd64) into oldstable

2019-02-05 Thread Russ Allbery
Format: 1.8
Date: Fri, 01 Feb 2019 20:28:01 -0800
Source: rssh
Binary: rssh
Architecture: source amd64
Version: 2.3.4-4+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Russ Allbery 
Changed-By: Russ Allbery 
Description:
 rssh   - Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
Changes:
 rssh (2.3.4-4+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes prepared by Debian's maintainer of rssh (rra).
   * Also reject rsync --daemon and --config command-line options, which
 can be used to run arbitrary commands.  Thanks, Nick Cleaton.
 (CVE-2019-3463)
   * Unset the HOME environment variable when running rsync to prevent popt
 (against which rsync is linked) from loading a ~/.popt configuration
 file, which can run arbitrary commands on the server or redefine
 command-line options to bypass argument checking.  Thanks, Nick
 Cleaton.  (CVE-2019-3464)
   * Do not stop checking the rsync command line at --, since this can be
 an argument to some other option and later arguments may still be
 interpreted as options.  In the few cases where one needs to rsync to
 files named things like --rsh, the client can use ./--rsh instead.
 Thanks, Nick Cleaton.
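An added example (not rssh's own code) of the rsync argument filtering the changelog above describes: the scan does not stop at `--`, matches `--config=value` forms as well as bare `--config`, and drops HOME before rsync is run. The denied-option table and function names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Long options that must not reach rsync when it runs for a restricted
 * user: --daemon and --config (CVE-2019-3463) plus --rsh, which the
 * changelog names. Assumed list for illustration, not rssh's own table. */
static const char *const denied_opts[] = { "--daemon", "--config", "--rsh", NULL };

/* True when arg is exactly opt, or opt followed by "=value". */
static int option_matches(const char *arg, const char *opt)
{
    size_t n = strlen(opt);
    return strncmp(arg, opt, n) == 0 && (arg[n] == '\0' || arg[n] == '=');
}

/* Returns 1 if any denied option appears anywhere on the command line,
 * 0 otherwise. Deliberately does NOT stop scanning at "--": that word can
 * be the value of a preceding option, so later words may still be parsed
 * as options by rsync. A file literally named --rsh is passed as ./--rsh,
 * which does not start with "--" and is therefore accepted. */
int rsync_argv_denied(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "--", 2) != 0)
            continue;
        for (const char *const *d = denied_opts; *d != NULL; d++)
            if (option_matches(argv[i], *d))
                return 1;
    }
    return 0;
}

/* CVE-2019-3464 mitigation: remove HOME from the environment before
 * exec'ing rsync so popt cannot load ~/.popt. Returns 0 on success. */
int scrub_env_for_rsync(void)
{
    return unsetenv("HOME");
}
```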