Bug#972183: buster-pu: package libjpeg-turbo/1:1.5.2-2+deb10u1

2020-10-13 Thread Mike Gabriel

Hi Moritz,

On Tue 13 Oct 2020 22:39:53 CEST, Moritz Muehlenhoff wrote:


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ond...@debian.org, sunwea...@debian.org

This fixes a number of security issues in libjpeg,
which don't warrant a DSA. Package has been tested on
a buster system.

Cheers,
Moritz


Will you do the upload once ACK'ed by the RT (I guess ACK'ing
pre-upload is not required for the .debdiff you prepared)? Or have you
already uploaded that version (I am currently on VAC and not following
all mail channels...)? Or shall I upload?


Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1

2020-10-13 Thread GCS
On Mon, Oct 12, 2020 at 10:54 PM Moritz Muehlenhoff  wrote:
> A number of security fixes in sqlite, which don't warrant a DSA.
> This has been tested on a Buster system (along with validating
> included test cases that issues are correctly fixed).
I don't know if it counts, but being the original maintainer, I do
second the work of Moritz.
My time is limited nowadays, but I did a quick check and the proposed
update is correct. Please let it enter Buster.

Thanks Moritz,
Laszlo/GCS



Bug#972183: buster-pu: package libjpeg-turbo/1:1.5.2-2+deb10u1

2020-10-13 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ond...@debian.org, sunwea...@debian.org

This fixes a number of security issues in libjpeg,
which don't warrant a DSA. Package has been tested on
a buster system.

Cheers,
Moritz
diff -Nru libjpeg-turbo-1.5.2/debian/changelog 
libjpeg-turbo-1.5.2/debian/changelog
--- libjpeg-turbo-1.5.2/debian/changelog2017-08-25 10:27:48.0 
+0200
+++ libjpeg-turbo-1.5.2/debian/changelog2020-10-07 22:25:43.0 
+0200
@@ -1,3 +1,12 @@
+libjpeg-turbo (1:1.5.2-2+deb10u1) buster; urgency=medium
+
+  * CVE-2018-1152  (Closes: #902950)
+  * CVE-2018-14498 (Closes: #924678)
+  * CVE-2019-2201
+  * CVE-2020-13790 (Closes: #962829)
+
+ -- Moritz Mühlenhoff   Wed, 07 Oct 2020 22:25:43 +0200
+
 libjpeg-turbo (1:1.5.2-2) unstable; urgency=medium
 
   * Drop env declaration patch on mips to fix FTBFS on mips
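Review bot: the new changelog entry lists only the four CVE ids; a stable update entry normally carries a few words per line saying what each issue is (the patches further down show a BMP width overflow check for CVE-2018-1152 and a colormap index bounds check for CVE-2018-14498), which makes the SRM review and the later apt-listchanges output far more useful. The Closes: references look right and should stay as they are.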
diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 
libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch
--- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch  1970-01-01 
01:00:00.0 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch  2020-10-07 
22:25:25.0 +0200
@@ -0,0 +1,19 @@
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61bc6
+
+Index: libjpeg-turbo-1.5.2/rdbmp.c
+===
+--- libjpeg-turbo-1.5.2.orig/rdbmp.c   2018-07-05 14:47:54.525745754 -0400
 libjpeg-turbo-1.5.2/rdbmp.c2018-07-05 14:47:54.521745700 -0400
+@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c
+ progress->total_extra_passes++; /* count file input as separate pass */
+   }
+ 
++  /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
++ value of the JDIMENSION type.  This is only a danger with BMP files, 
since
++ their width and height fields are 32-bit integers. */
++  if ((unsigned long long)biWidth *
++  (unsigned long long)cinfo->input_components > 0xULL)
++ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+   /* Allocate one-row buffer for returned data */
+   source->pub.buffer = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
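Review bot: the literal in the new overflow check reads `0xULL` in this hunk, which is not a valid C constant; the comment says the product of biWidth and input_components must not exceed the maximum JDIMENSION value, so the constant should be that maximum (0xFFFFFFFFULL if JDIMENSION is a 32-bit unsigned type), and it is worth confirming that the patch file in the actual upload carries the full value rather than an archive-mangled one. The check is otherwise correct to widen both operands to unsigned long long before multiplying, so the product cannot wrap before the comparison. The `+++` file header of this nested patch has also lost its prefix in this copy.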
diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 
libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch
--- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 1970-01-01 
01:00:00.0 +0100
+++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 2020-10-07 
22:25:25.0 +0200
@@ -0,0 +1,117 @@
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
+
+diff --git a/cderror.h b/cderror.h
+index 63de498..bb093b8 100644
+--- a/cderror.h
 b/cderror.h
+@@ -49,6 +49,8 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale 
or RGB")
+ JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
+ JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
+ JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
++JMESSAGE(JERR_BMP_TOOLARGE, "Integer value too large in BMP file")
++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
+ JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
+ JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
+ JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
+@@ -75,8 +77,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits")
+ #ifdef PPM_SUPPORTED
+ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
+-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+ JMESSAGE(JTRC_PPM, "%ux%u PPM image")
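Review bot: this hunk removes JERR_PPM_TOOLARGE from the PPM message table and adds JERR_PPM_OUTOFRANGE; since the JMESSAGE list also defines the error enum used by ERREXIT callers, every remaining use of JERR_PPM_TOOLARGE (rdppm.c) must be switched to the new code in the part of the patch not shown here, otherwise the package fails to build. Please double-check the full patch file for that rename before upload.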
+diff --git a/rdbmp.c b/rdbmp.c
+index 4104b68..9ca4a26 100644
+--- a/rdbmp.c
 b/rdbmp.c
+@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
+   JDIMENSION row_width; /* Physical width of scanlines in file */
+ 
+   int bits_per_pixel;   /* remembers 8- or 24-bit format */
++  int cmap_length;  /* colormap length */
+ } bmp_source_struct;
+ 
+ 
+@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ {
+   bmp_source_ptr source = (bmp_source_ptr) sinfo;
+   register JSAMPARRAY colormap = source->colormap;
++  int cmaplen = source->cmap_length;
+   JSAMPARRAY image_ptr;
+   register int t;
+   register JSAMPROW inptr, outptr;
+@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+   outptr = source->pub.buffer[0];
+   for (col = cinfo->image_width; col > 0; col--) {
+ t = GETJSAMPLE(*inptr++);
++if ( t >= cmaplen)
++  ERREXIT(cinfo, JERR_BMP_TOOLARGE);
+ *outptr++ = 
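Review bot: the debdiff is cut off after `*outptr++ =` in get_8bit_row, so the rest of this patch (including where cmap_length is assigned) is not visible here; the new check `if ( t >= cmaplen)` is placed correctly before the colormap index is used, but it only protects anything if cmap_length is set from the BMP header every time the colormap is read, so that part needs verifying in the complete file. Two smaller points: the error raised for an index past the end of the colormap is JERR_BMP_TOOLARGE ("Integer value too large in BMP file"), whereas the JERR_BMP_OUTOFRANGE message added in the same patch describes that condition more accurately; and the stray space in `if ( t >= cmaplen)` does not match the surrounding style.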

Bug#972161: buster-pu: package ruby2.5/2.5.5-3+deb10u3

2020-10-13 Thread Utkarsh Gupta
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
X-Debbugs-CC: debian-r...@lists.debian.org
Severity: normal

Hello,

ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP
server bundled with Ruby, had not checked the transfer-encoding header
value rigorously.

This has been fixed in Sid, Bullseye, and Stretch.
Here's the debdiff for buster-pu:

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog
--- ruby2.5-2.5.5/debian/changelog2020-07-04 00:07:58.0 +0530
+++ ruby2.5-2.5.5/debian/changelog2020-10-13 18:32:32.0 +0530
@@ -1,3 +1,10 @@
+ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high
+
+  * Add patch to fix a potential HTTP request smuggling
+vulnerability in WEBrick. (Fixes: CVE-2020-25613)
+
+ -- Utkarsh Gupta   Tue, 13 Oct 2020 18:32:32 +0530
+
 ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high

   * Non-maintainer upload by the Security Team.
diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch
--- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch1970-01-01
05:30:00.0 +0530
+++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch2020-10-13
18:31:51.0 +0530
@@ -0,0 +1,30 @@
+From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh 
+Date: Tue, 29 Sep 2020 13:15:58 +0900
+Subject: [PATCH] Make it more strict to interpret some headers
+
+Some regexps were too tolerant.
+
+--- a/lib/webrick/httprequest.rb
 b/lib/webrick/httprequest.rb
+@@ -226,9 +226,9 @@
+ raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'."
+   end
+
+-  if /close/io =~ self["connection"]
++  if /\Aclose\z/io =~ self["connection"]
+ @keep_alive = false
+-  elsif /keep-alive/io =~ self["connection"]
++  elsif /\Akeep-alive\z/io =~ self["connection"]
+ @keep_alive = true
+   elsif @http_version < "1.1"
+ @keep_alive = false
+@@ -475,7 +475,7 @@
+   return unless socket
+   if tc = self['transfer-encoding']
+ case tc
+-when /chunked/io then read_chunked(socket, block)
++when /\Achunked\z/io then read_chunked(socket, block)
+ else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
+ end
+   elsif self['content-length'] || @remaining_size
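Review bot: the patch file carries only the upstream git headers (From/Date/Subject); adding the DEP-3 fields Origin: (with the upstream commit URL), Bug-Debian: and Applied-Upstream: would let the next person touching ruby2.5 trace it, as the net-snmp patch in this digest does. On the change itself: anchoring with \A and \z means a Transfer-Encoding value such as `gzip, chunked` now falls through to the NotImplemented branch instead of selecting read_chunked, which is the conservative outcome, and the Connection header gets the same exact-match treatment; both look correct.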
diff -Nru ruby2.5-2.5.5/debian/patches/series
ruby2.5-2.5.5/debian/patches/series
--- ruby2.5-2.5.5/debian/patches/series2020-07-04 00:06:34.0 +0530
+++ ruby2.5-2.5.5/debian/patches/series2020-10-13 18:32:04.0 +0530
@@ -15,3 +15,4 @@
 0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch
 CVE-2020-10933.patch
 CVE-2020-10663.patch
+CVE-2020-25613.patch

8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

- u
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
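An added example in Ruby, not part of the mail above, the ruby2.5 package or the upstream patch, contrasting the unanchored Transfer-Encoding match WEBrick used before the fix with the anchored match the patch introduces, applied to constructed header values; the helper names and the sample values are this example's own.

```ruby
# Added example: contrasts the unanchored Transfer-Encoding match WEBrick used
# before the CVE-2020-25613 fix with the anchored match the patch introduces.
# Not code from the ruby2.5 package or the upstream patch; helper names are
# this example's own.

# Pre-fix behaviour: an unanchored, case-insensitive substring match, so any
# value merely containing "chunked" is treated as chunked encoding.
def chunked_lenient?(value)
  !!(/chunked/io =~ value)
end

# Post-fix behaviour: the whole header value must be exactly "chunked"
# (still case-insensitive, as in the patch).
def chunked_strict?(value)
  !!(/\Achunked\z/io =~ value)
end

# Mirrors the dispatch in WEBrick's read_body: a chunked value selects the
# chunked reader, any other non-empty Transfer-Encoding is rejected with
# NotImplemented, and a missing header falls through to Content-Length handling.
def classify_transfer_encoding(value, strict: true)
  return :none if value.nil?
  matched = strict ? chunked_strict?(value) : chunked_lenient?(value)
  matched ? :chunked : :not_implemented
end

# Constructed header values. The middle ones are the interesting cases: a
# front-end proxy that does not recognise them as chunked and a WEBrick that
# does would frame the request body differently.
SAMPLE_VALUES = [
  "chunked",
  "Chunked",
  "xchunked",
  "chunked-false",
  "gzip, chunked",
  "chunked\x00",
  "identity",
].freeze

# Classify every sample under both behaviours; returns an array of hashes.
def compare(values = SAMPLE_VALUES)
  values.map do |v|
    {
      value: v,
      lenient: classify_transfer_encoding(v, strict: false),
      strict: classify_transfer_encoding(v, strict: true),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |r|
    printf("%-18s lenient=%-16s strict=%s\n", r[:value].inspect, r[:lenient], r[:strict])
  end
end
```

Running the file prints one row per sample; only the first two values survive the strict match, while the lenient match accepts everything except `identity`. The point of the exercise is that with the strict pattern a value WEBrick cannot handle is refused outright rather than silently reinterpreted, so the server and whatever sits in front of it cannot disagree about where the body ends.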



Bug#972149: buster-pu: package net-snmp/5.7.3+dfsg-5+deb10u1

2020-10-13 Thread Craig Small
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

[ Reason ]
The security release in deb10u1 made EXTEND-MIB read-only
to close a security hole (CVE-2020-15862/Bug #9651166).
However, this meant the cacheTime and execType could not be
changed, which caused problems with some SNMP managers or setups.

[ Impact ]
The cachetime and execType cannot be set anywhere as these
parameters appear in net-snmp 5.8 which is in sid but not
buster.

[ Tests ]
Tested with Ubuntu
https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980
Upstream have the patch and their tests:
https://sourceforge.net/p/net-snmp/patches/1290/

My tests.
Install the candidate snmpd on a Debian10 VM
Configuration file is:
rocommunity public default
extend -cacheTime 10 test /usr/bin/date

Run snmpd using this configuration file

On a different host, run
watch -d snmpwalk -v 1 -c public {test_server_ip} .1.3.6.1.4.1.8072.1.3.2.3.1.1.4

Notice the date only changes approximately every 10 seconds as the
result is cached.

[ Risks ]
The patch is about 30 additional lines.  Most users probably don't
use the "extend" option so won't exercise this or the buggy setup.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
Adds two options to the extend command line parameter

[ Other info ]
None

- -- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru net-snmp-5.7.3+dfsg/debian/changelog 
net-snmp-5.7.3+dfsg/debian/changelog
--- net-snmp-5.7.3+dfsg/debian/changelog2020-07-31 20:53:22.0 
+1000
+++ net-snmp-5.7.3+dfsg/debian/changelog2020-09-07 07:16:17.0 
+1000
@@ -1,3 +1,13 @@
+net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high
+
+  * snmpd: Add cacheTime and execType flags to EXTEND-MIB.
+Previous security release made EXTEND-MIB read-only which meant
+it was not possible to set the timeout of the cache. This patch
+allows administrator to set the value in the snmpd.conf file.
+Closes: #969508
+
+ -- Craig Small   Mon, 07 Sep 2020 07:16:17 +1000
+
 net-snmp (5.7.3+dfsg-5+deb10u1) buster-security; urgency=high
 
   * snmpd: Make EXTEND-MIB readonly access
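Review bot: the new changelog entry is versioned 5.7.3+dfsg-5+deb10u2 and targets buster-security with urgency=high, but this bug is a buster-pu request and its title says deb10u1; a stable proposed update goes to `buster` (buster-security is reserved for DSAs handled by the security team), so the distribution field has to be changed before upload and the version in the bug title reconciled with the one in the debdiff. The description text itself is clear and correctly references #969508.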
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series 
net-snmp-5.7.3+dfsg/debian/patches/series
--- net-snmp-5.7.3+dfsg/debian/patches/series   2020-07-31 20:53:22.0 
+1000
+++ net-snmp-5.7.3+dfsg/debian/patches/series   2020-09-07 07:16:17.0 
+1000
@@ -44,3 +44,4 @@
 snmpd_stop_mib_indexes_files
 snmp_snmptrapd_disallow_user_change
 
+snmpd_cachetime_exectype
diff -Nru net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 
net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype
--- net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 1970-01-01 
10:00:00.0 +1000
+++ net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 2020-09-07 
07:16:17.0 +1000
@@ -0,0 +1,85 @@
+Description: Add a couple of optional flags to the "extend" config
+ directive, enabling non-volatile configuration of a couple of aspects that so
+ far have been configurable only temporarily via SETs:
+ -cacheTime specifies the cache timeout
+Author: Jeff Gehlbach 
+Origin: upstream, 
https://github.com/net-snmp/net-snmp/commit/d8b12900629ed73a78b27535f08c4f0a721a93be
+Bug-Debian: https://bugs.debian.org/969508
+Applied-Upstream: 5.8
+Reviewed-by: Craig Small 
+Last-Update: 2020-09-05
+--- a/agent/mibgroup/agent/extend.c
 b/agent/mibgroup/agent/extend.c
+@@ -528,8 +528,27 @@
+ size_t oid_len;
+ 
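Review bot: the DEP-3 Description names only -cacheTime, while the changelog says both cacheTime and execType flags are added, so -execType should be listed there too; the sentence "enabling non-volatile configuration of a couple of aspects that so far have been configurable only temporarily via SETs:" also ends in a list that stops after one item, which reads as incomplete. The debdiff in this archive is truncated right after the first hunk header of extend.c, so the actual code change cannot be reviewed from this copy.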

Disinfectant

2020-10-13 Thread Abelardo Silva
Good morning,

Would you like to expand your range with odourless disinfection products that
effectively eliminate viruses and bacteria from your hands?

As a producer of hand-disinfection soaps, liquids and gels, I would like to
present our offer for this kind of assortment, which works very well in daily
use as well as a professional agent in medical facilities.

We can also offer you liquid soaps, shower gels, shampoos and hair
conditioners with a wide range of fragrances, and concentrated detergents.

Our products are very popular on the world market because of their affordable
prices and high efficiency, while the high concentration of active substances
guarantees the full effectiveness of the agents.

If you would like to get to know our offer and introduce new products into
your range, I will gladly present what we can offer you.

Please get in touch with me.


Abelardo Silva