Bug#972183: buster-pu: package libjpeg-turbo/1:1.5.2-2+deb10u1
Hi Moritz,

On Tue 13 Oct 2020 22:39:53 CEST, Moritz Muehlenhoff wrote:

> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: ond...@debian.org, sunwea...@debian.org
>
> This fixes a number of security issues in libjpeg, which don't warrant a DSA.
> Package has been tested on a buster system.
>
> Cheers,
> Moritz

Will you do the upload once ACK'ed by the RT (I guess ACK'ing pre-upload is not required for the .debdiff you prepared)? Or have you already uploaded that version (I am currently on VAC and not following all mail channels...)? Or shall I upload?

Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Bug#972115: buster-pu: package sqlite3/3.27.2-3+deb10u1
On Mon, Oct 12, 2020 at 10:54 PM Moritz Muehlenhoff wrote:
> A number of security fixes in sqlite, which don't warrant a DSA.
> This has been tested on a Buster system (along with validating
> included test cases that issues are correctly fixed).

I don't know if it counts, but being the original maintainer, I do second the work of Moritz. My time is limited nowadays, but I did a quick check and the proposed update is correct. Please let it enter Buster.

Thanks Moritz,
Laszlo/GCS
Bug#972183: buster-pu: package libjpeg-turbo/1:1.5.2-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: ond...@debian.org, sunwea...@debian.org This fixes a number of security issues in libjpeg, which don't warrant a DSA. Package has been tested on a buster system. Cheers, Moritz diff -Nru libjpeg-turbo-1.5.2/debian/changelog libjpeg-turbo-1.5.2/debian/changelog --- libjpeg-turbo-1.5.2/debian/changelog2017-08-25 10:27:48.0 +0200 +++ libjpeg-turbo-1.5.2/debian/changelog2020-10-07 22:25:43.0 +0200 @@ -1,3 +1,12 @@ +libjpeg-turbo (1:1.5.2-2+deb10u1) buster; urgency=medium + + * CVE-2018-1152 (Closes: #902950) + * CVE-2018-14498 (Closes: #924678) + * CVE-2019-2201 + * CVE-2020-13790 (Closes: #962829) + + -- Moritz Mühlenhoff Wed, 07 Oct 2020 22:25:43 +0200 + libjpeg-turbo (1:1.5.2-2) unstable; urgency=medium * Drop env declaration patch on mips to fix FTBFS on mips diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch --- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 1970-01-01 01:00:00.0 +0100 +++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-1152.patch 2020-10-07 22:25:25.0 +0200 
@@ -0,0 +1,19 @@ +https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61bc6 + +Index: libjpeg-turbo-1.5.2/rdbmp.c +=== +--- libjpeg-turbo-1.5.2.orig/rdbmp.c 2018-07-05 14:47:54.525745754 -0400 libjpeg-turbo-1.5.2/rdbmp.c2018-07-05 14:47:54.521745700 -0400 +@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c + progress->total_extra_passes++; /* count file input as separate pass */ + } + ++ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum ++ value of the JDIMENSION type. This is only a danger with BMP files, since ++ their width and height fields are 32-bit integers. */ ++ if ((unsigned long long)biWidth * ++ (unsigned long long)cinfo->input_components > 0xULL) ++ERREXIT(cinfo, JERR_WIDTH_OVERFLOW); + /* Allocate one-row buffer for returned data */ + source->pub.buffer = (*cinfo->mem->alloc_sarray) + ((j_common_ptr) cinfo, JPOOL_IMAGE, diff -Nru libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch --- libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 1970-01-01 01:00:00.0 +0100 +++ libjpeg-turbo-1.5.2/debian/patches/CVE-2018-14498.patch 2020-10-07 22:25:25.0 +0200 
@@ -0,0 +1,117 @@ +https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55 + +diff --git a/cderror.h b/cderror.h +index 63de498..bb093b8 100644 +--- a/cderror.h b/cderror.h +@@ -49,6 +49,8 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB") + JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported") + JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image") + JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM") ++JMESSAGE(JERR_BMP_TOOLARGE, "Integer value too large in BMP file") ++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file") + JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image") + JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image") + JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image") +@@ -75,8 +77,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits") + #ifdef PPM_SUPPORTED + JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB") + JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file") +-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file") + JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file") ++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file") + JMESSAGE(JTRC_PGM, "%ux%u PGM image") + JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image") + JMESSAGE(JTRC_PPM, "%ux%u PPM image") +diff --git a/rdbmp.c b/rdbmp.c +index 4104b68..9ca4a26 100644 +--- a/rdbmp.c b/rdbmp.c +@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct { + JDIMENSION row_width; /* Physical width of scanlines in file */ + + int bits_per_pixel; /* remembers 8- or 24-bit format */ ++ int cmap_length; /* colormap length */ + } bmp_source_struct; + + +@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + { + bmp_source_ptr source = (bmp_source_ptr) sinfo; + register JSAMPARRAY colormap = source->colormap; ++ int cmaplen = source->cmap_length; + JSAMPARRAY image_ptr; + register int t; + register JSAMPROW inptr, outptr; +@@ -142,6 
+144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo) + outptr = source->pub.buffer[0]; + for (col = cinfo->image_width; col > 0; col--) { + t = GETJSAMPLE(*inptr++); ++if ( t >= cmaplen) ++ ERREXIT(cinfo, JERR_BMP_TOOLARGE); + *outptr++ =
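Review bot: in the CVE-2018-1152 hunk the overflow guard compares against `0xULL`, a constant that has lost its digits in this copy; the comment above it says the bound is the maximum value of the JDIMENSION type, so verify against the referenced upstream commit 43e84cff1bb2bd8293066f6ac4eb0df61bc6 that the actual patch file carries the full constant, since as rendered here rdbmp.c would not compile. The file header of that patch is also damaged in this rendering (the `+++` line is run together with the preceding `---` line and the `===` separator is truncated); if that is in the debian/patches file rather than only in the mail, quilt will refuse to apply it.

Review bot: in the CVE-2018-14498 get_8bit_row hunk the new colormap bound check `if ( t >= cmaplen) ERREXIT(cinfo, JERR_BMP_TOOLARGE);` reports "Integer value too large in BMP file", while the same patch adds JERR_BMP_OUTOFRANGE ("Numeric value out of range in BMP file"), which describes an out-of-bounds palette index more accurately and is not used in any visible hunk; check which code the upstream commit uses before upload so the two stay in sync. Note also that the patch is cut off after `*outptr++ =` in this copy, so the remaining hunks (where cmap_length is set in start_input_bmp, and the PPM changes implied by the cderror.h edits) could not be reviewed from the mail.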
Bug#972161: buster-pu: package ruby2.5/2.5.5-3+deb10u3
Package: release.debian.org User: release.debian@packages.debian.org Usertags: pu Tags: buster X-Debbugs-CC: debian-r...@lists.debian.org Severity: normal Hello, ruby2.5 was affected by CVE-2020-25613, where WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. This has been fixed in Sid, Bullseye, and Stretch. Here's the debdiff for buster-pu: 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< diff -Nru ruby2.5-2.5.5/debian/changelog ruby2.5-2.5.5/debian/changelog --- ruby2.5-2.5.5/debian/changelog2020-07-04 00:07:58.0 +0530 +++ ruby2.5-2.5.5/debian/changelog2020-10-13 18:32:32.0 +0530 @@ -1,3 +1,10 @@ +ruby2.5 (2.5.5-3+deb10u3) buster; urgency=high + + * Add patch to fix a potential HTTP request smuggling +vulnerability in WEBrick. (Fixes: CVE-2020-25613) + + -- Utkarsh Gupta Tue, 13 Oct 2020 18:32:32 +0530 + ruby2.5 (2.5.5-3+deb10u2) buster-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch --- ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch1970-01-01 05:30:00.0 +0530 +++ ruby2.5-2.5.5/debian/patches/CVE-2020-25613.patch2020-10-13 18:31:51.0 +0530 
@@ -0,0 +1,30 @@ +From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh +Date: Tue, 29 Sep 2020 13:15:58 +0900 +Subject: [PATCH] Make it more strict to interpret some headers + +Some regexps were too tolerant. + +--- a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb +@@ -226,9 +226,9 @@ + raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." + end + +- if /close/io =~ self["connection"] ++ if /\Aclose\z/io =~ self["connection"] + @keep_alive = false +- elsif /keep-alive/io =~ self["connection"] ++ elsif /\Akeep-alive\z/io =~ self["connection"] + @keep_alive = true + elsif @http_version < "1.1" + @keep_alive = false +@@ -475,7 +475,7 @@ + return unless socket + if tc = self['transfer-encoding'] + case tc +-when /chunked/io then read_chunked(socket, block) ++when /\Achunked\z/io then read_chunked(socket, block) + else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." + end + elsif self['content-length'] || @remaining_size diff -Nru ruby2.5-2.5.5/debian/patches/series ruby2.5-2.5.5/debian/patches/series --- ruby2.5-2.5.5/debian/patches/series2020-07-04 00:06:34.0 +0530 +++ ruby2.5-2.5.5/debian/patches/series2020-10-13 18:32:04.0 +0530 @@ -15,3 +15,4 @@ 0015-lib-shell-command-processor.rb-Shell-prevent-unknown.patch CVE-2020-10933.patch CVE-2020-10663.patch +CVE-2020-25613.patch 8<--8<--8<--8<--8<--8<--8<--8<--8<--8< - u --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 5.6.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
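Review bot: in the `@@ -226,9 +226,9 @@` hunk, anchoring the Connection patterns to `/\Aclose\z/io` and `/\Akeep-alive\z/io` means a header carrying a token list (for example `keep-alive, Upgrade`) matches neither branch and falls through to the HTTP-version default; that is the intended strictness from the commit subject, but the changelog entry mentions only the request-smuggling fix, so the keep-alive behaviour change is worth a line there as well.

Review bot: in the `@@ -475,7 +475,7 @@` hunk, `/\Achunked\z/io` makes any Transfer-Encoding value other than exactly `chunked` (a coding list, or a token that merely contains the substring) raise HTTPStatus::NotImplemented instead of being read as a chunked body; rejecting such requests outright is the right failure mode here, because the previous substring match let WEBrick parse a body that a proxy in front of it might have framed differently. The pattern keeps the `i` flag, so `Chunked` still matches, which is consistent with transfer-coding names being case-insensitive.

To make the effect of the anchored regexps concrete, here is an added Ruby example that is not part of the debdiff or of WEBrick itself: the pattern constants are copied from the two sides of the httprequest.rb hunk, while the helper names (`transfer_encoding_mode`, `keep_alive?`, `disputed_values`) and the sample header values are constructed for this illustration. It reproduces the two decisions WEBrick makes from those headers and lists the values on which the pre- and post-patch logic disagree, which is the set a reverse proxy in front of WEBrick could interpret differently from the server.

```ruby
# Added example (not part of the Debian bug report or of WEBrick): compares the
# tolerant regexps WEBrick used before the CVE-2020-25613 fix with the anchored
# ones introduced by the patch. Helper names and sample values are constructed.

# Patterns copied from the two sides of the lib/webrick/httprequest.rb hunk.
LEGACY_CHUNKED = /chunked/io
STRICT_CHUNKED = /\Achunked\z/io
LEGACY_CLOSE   = /close/io
STRICT_CLOSE   = /\Aclose\z/io
LEGACY_KA      = /keep-alive/io
STRICT_KA      = /\Akeep-alive\z/io

# Mirrors the body-reading decision in WEBrick::HTTPRequest#read_body:
# :chunked when the value matches, :not_implemented where WEBrick would raise
# HTTPStatus::NotImplemented, nil when no Transfer-Encoding header is present.
def transfer_encoding_mode(header_value, strict: true)
  return nil if header_value.nil?
  pattern = strict ? STRICT_CHUNKED : LEGACY_CHUNKED
  pattern =~ header_value ? :chunked : :not_implemented
end

# Mirrors the keep-alive decision from the first hunk: an explicit close wins,
# then an explicit keep-alive, otherwise the HTTP version decides.
def keep_alive?(connection_value, http_version, strict: true)
  close_re, ka_re = strict ? [STRICT_CLOSE, STRICT_KA] : [LEGACY_CLOSE, LEGACY_KA]
  if close_re =~ connection_value
    false
  elsif ka_re =~ connection_value
    true
  elsif http_version < "1.1"
    false
  else
    true
  end
end

# Constructed sample Transfer-Encoding values; only the first two are an exact
# "chunked" token (case-insensitive because of the /i flag in both versions).
SAMPLE_TE_VALUES = [
  "chunked",
  "Chunked",
  "chunked, identity",  # a list of codings
  "xchunked",           # not a valid coding at all
  "gzip, chunked",
].freeze

# Returns the values on which the two versions disagree: requests that the old
# WEBrick read as chunked although the value is not the single token "chunked".
def disputed_values(values = SAMPLE_TE_VALUES)
  values.select do |v|
    transfer_encoding_mode(v, strict: false) != transfer_encoding_mode(v, strict: true)
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TE_VALUES.each do |v|
    printf("%-20s legacy=%-16s strict=%s\n", v.inspect,
           transfer_encoding_mode(v, strict: false),
           transfer_encoding_mode(v, strict: true))
  end
  puts "disputed: #{disputed_values.inspect}"
end
```

Running the file prints one line per sample value; the `disputed` list is what a defender would log or alert on at the proxy layer while the fixed package rolls out.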
Bug#972149: buster-pu: package net-snmp/5.7.3+dfsg-5+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
The security release in deb10u1 made EXTEND-MIB read-only to close a security hole (CVE-2020-15862/Bug #9651166). However this meant the cacheTime and execType could not be changed, which caused problems with some SNMP managers or setups.

[ Impact ]
The cacheTime and execType cannot be set anywhere, as these parameters appear in net-snmp 5.8 which is in sid but not buster.

[ Tests ]
Tested with Ubuntu https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1892980
Upstream have the patch and their tests: https://sourceforge.net/p/net-snmp/patches/1290/

My tests. Install the candidate snmpd on a Debian 10 VM. Configuration file is:

    rocommunity public default
    extend -cacheTime 10 test /usr/bin/date

Run snmpd using this configuration file. On a different host, run

    watch -d snmpwalk -v 1 -c public {test_server_ip} .1.3.6.1.4.1.8072.1.3.2.3.1.1.4

Notice the date only changes approximately every 10 seconds as the result is cached.

[ Risks ]
The patch is about 30 additional lines. Most users probably don't use the "extend" option so won't exercise this or the buggy setup.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable

[ Changes ]
Adds two options to the extend command line parameter

[ Other info ]
None

-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.8.0-3-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru net-snmp-5.7.3+dfsg/debian/changelog net-snmp-5.7.3+dfsg/debian/changelog
--- net-snmp-5.7.3+dfsg/debian/changelog2020-07-31 20:53:22.0 +1000
+++ net-snmp-5.7.3+dfsg/debian/changelog2020-09-07 07:16:17.0 +1000
@@ -1,3 +1,13 @@ +net-snmp (5.7.3+dfsg-5+deb10u2) buster-security; urgency=high + + * snmpd: Add cacheTime and execType flags to EXTEND-MIB. +Previous security release made EXTEND-MIB read-only which meant +it was not possible to set the timeout of the cache. This patch +allows administrator to set the value in the snmpd.conf file. +Closes: #969508 + + -- Craig Small Mon, 07 Sep 2020 07:16:17 +1000 + net-snmp (5.7.3+dfsg-5+deb10u1) buster-security; urgency=high * snmpd: Make EXTEND-MIB readonly access diff -Nru net-snmp-5.7.3+dfsg/debian/patches/series net-snmp-5.7.3+dfsg/debian/patches/series --- net-snmp-5.7.3+dfsg/debian/patches/series 2020-07-31 20:53:22.0 +1000 +++ net-snmp-5.7.3+dfsg/debian/patches/series 2020-09-07 07:16:17.0 +1000 @@ -44,3 +44,4 @@ snmpd_stop_mib_indexes_files snmp_snmptrapd_disallow_user_change +snmpd_cachetime_exectype diff -Nru net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype --- net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 1970-01-01 10:00:00.0 +1000 +++ net-snmp-5.7.3+dfsg/debian/patches/snmpd_cachetime_exectype 2020-09-07 07:16:17.0 +1000 @@ -0,0 +1,85 @@ +Description: Add a couple of optional flags to the "extend" config + directive, enabling non-volatile configuration of a couple of aspects that so + far have been configurable only temporarily via SETs: + -cacheTime specifies the cache timeout +Author: Jeff Gehlbach +Origin: upstream, https://github.com/net-snmp/net-snmp/commit/d8b12900629ed73a78b27535f08c4f0a721a93be +Bug-Debian: https://bugs.debian.org/969508 +Applied-Upstream: 5.8 +Reviewed-by: Craig Small +Last-Update: 2020-09-05 +--- a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c +@@ -528,8 +528,27 @@ + size_t oid_len; +
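Review bot: the changelog hunk targets `buster-security` with `urgency=high` and introduces version 5.7.3+dfsg-5+deb10u2, while this is a buster-pu request whose title still names +deb10u1; a proposed-update upload should be against `buster` (with the usual medium urgency), and the bug should be retitled to the version actually in the debdiff.

Review bot: the DEP-3 `Description:` header of snmpd_cachetime_exectype lists only `-cacheTime specifies the cache timeout`, although the changelog says both cacheTime and execType flags are added; add a matching `-execType` line so the patch header documents both options. The extend.c hunk itself is cut off after `size_t oid_len;` in this copy, so the code change could not be reviewed from the mail.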
Disinfectant
Good morning, Would you like to expand your range with odourless disinfection products that effectively eliminate viruses and bacteria from your hands? As a producer of soaps, liquids and gels for hand disinfection, I would like to present our offer for this type of assortment, which works very well in daily use as well as a professional agent in medical facilities. We can also offer you liquid soaps, shower gels, shampoos and hair conditioners with a wide range of fragrances, and concentrated detergents. Our products are very popular on the world market due to their affordable prices and high efficiency, while the high concentration of active substances guarantees the full effectiveness of the products. If you would like to get to know our offer and introduce new products into your range, I will gladly present what we can offer you. Please contact me. Abelardo Silva