Your message dated Sat, 16 Feb 2019 11:36:33 +0000
with message-id <1550316993.21192.50.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.8
has caused the Debian Bug report #913881,
regarding stretch-pu: package uriparser/0.8.4-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
913881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913881
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello,
the attached debdiff fix the
CVE-2018-19198,
CVE-2018-19199 and
CVE-2018-19200.
The maintainer email address and the Vcs-* location are
also changed.
CU
Jörg
- -- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEY+AHX8jUOrs1qzDuCfifPIyh0l0FAlvuqgUACgkQCfifPIyh
0l2zqhAAq0bStaT+o8QELmNS2OZBFLGrv/Li3g5DHnEee5juZLQ9VgLIh5eXb96f
ycgBpuItaCfLbMM5WnKGXnmEnB37gMlReYR8nMIF2eVLTeS124SUa6Qeyp/nh3bg
5waNanD9KbxuJDLKzNgeERdf1QKD78VPTnaIPvMQzb6k5ole6PqzxzgqLaOicR/X
omYT26BvG9sDnLGtVPuyYqEeiZm575qTpjqUPJzHJd9styiRQiICwiWBfB7D02U0
OoorOWwm/rvDafhrlyxitpvj15pEg97gcyXkKdBhO+PYM5zIDGemDAGh1T/qlkyl
FQTiZVgHj23udtS+UnpWeJgFpm9E+9/s6gcXdg+b3P/K/zNHFL6wfnlHNYzfp3mz
2OCHi7UKlkFxkkdn8uA50V2VpULUramKWupe2KGYPS7XXDn+Qh+6vbnNncqacAfp
8noPhUo2woT7Gd4HHUOf0size7BLLeDGL+HrbCQzmSKoIjhxBjQ7IjbXsw4Alstv
WZJQWEov+n8ISSJvFuuYkbghbopzsmbDNJvIIUOhKmdbC1yBuGDpY2OaAxahohRy
eG2fIg1ku0txTYgCyYk+5JeO3QQu6hvNGjzdanuVuCKJr+eVHQOKQ5gzx9XP/ffM
82myXAlVHITOUQTMR70NQQ4B4NEvPAMTaQYAWUiVEG03G2rovQ4=
=HbnA
-----END PGP SIGNATURE-----
diff -Nru uriparser-0.8.4/debian/changelog uriparser-0.8.4/debian/changelog
--- uriparser-0.8.4/debian/changelog 2015-11-04 07:02:13.000000000 +0100
+++ uriparser-0.8.4/debian/changelog 2018-11-16 09:43:24.000000000 +0100
@@ -1,3 +1,15 @@
+uriparser (0.8.4-1+deb9u1) stable; urgency=medium
+
+ * Fix multiple CVEs (Closes: #913817):
+ - New debian/patches/CVE-2018-19198.patch to fix CVE-2018-19198.
+ - New debian/patches/CVE-2018-19199.patch to fix CVE-2018-19199.
+ - New debian/patches/CVE-2018-19200.patch to fix CVE-2018-19200.
+ * debian/control:
+ - Change to my new email address.
+ - Switch Vcs-* to new location.
+
+ -- Jörg Frings-Fürst <debian@jff.email> Fri, 16 Nov 2018 09:43:24 +0100
+
uriparser (0.8.4-1) unstable; urgency=medium
* New upstream release.
diff -Nru uriparser-0.8.4/debian/control uriparser-0.8.4/debian/control
--- uriparser-0.8.4/debian/control 2015-11-02 07:02:50.000000000 +0100
+++ uriparser-0.8.4/debian/control 2018-11-16 09:37:15.000000000 +0100
@@ -1,7 +1,7 @@
Source: uriparser
Section: libs
Priority: optional
-Maintainer: Jörg Frings-Fürst <deb...@jff-webhosting.net>
+Maintainer: Jörg Frings-Fürst <debian@jff.email>
Build-Depends:
debhelper (>= 9),
dh-autoreconf,
@@ -14,8 +14,8 @@
libqt5sql5-sqlite
Standards-Version: 3.9.6
Homepage: http://uriparser.sourceforge.net
-Vcs-Git: git://anonscm.debian.org/collab-maint/uriparser.git
-Vcs-Browser: http://anonscm.debian.org/cgit/collab-maint/uriparser.git
+Vcs-Git: git://jff.email/opt/git/uriparser.git
+Vcs-Browser: https://jff.email/cgit/uriparser.git
Package: liburiparser1
Architecture: any
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
uriparser-0.8.4/debian/patches/CVE-2018-19198.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 1970-01-01
01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19198.patch 2018-11-16
09:19:24.000000000 +0100
@@ -0,0 +1,73 @@
+From 864f5d4c127def386dd5cc926ad96934b297f04e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sun, 23 Sep 2018 20:07:25 +0200
+Subject: [PATCH] UriQuery.c: Fix out-of-bounds-write in ComposeQuery and ...Ex
+
+Reported by Google Autofuzz team
+---
+ src/UriQuery.c | 1 +
+ test/test.cpp | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+Index: stretch/src/UriQuery.c
+===================================================================
+--- stretch.orig/src/UriQuery.c
++++ stretch/src/UriQuery.c
+@@ -223,6 +223,7 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+
+ /* Copy key */
+ if (firstItem == URI_TRUE) {
++ ampersandLen = 1;
+ firstItem = URI_FALSE;
+ } else {
+ write[0] = _UT('&');
+Index: stretch/test/test.cpp
+===================================================================
+--- stretch.orig/test/test.cpp
++++ stretch/test/test.cpp
+@@ -102,6 +102,7 @@ public:
+ TEST_ADD(UriSuite::testQueryList)
+ TEST_ADD(UriSuite::testQueryListPair)
+ TEST_ADD(UriSuite::testQueryDissection_Bug3590761)
++
TEST_ADD(UriSuite::testQueryCompositionMathWrite_GoogleAutofuzz113244572)
+ TEST_ADD(UriSuite::testFreeCrash_Bug20080827)
+ TEST_ADD(UriSuite::testParseInvalid_Bug16)
+ TEST_ADD(UriSuite::testRangeComparison)
+@@ -1718,6 +1719,37 @@ Rule | Ex
+ uriFreeQueryListA(queryList);
+ }
+
++ void testQueryCompositionMathWrite_GoogleAutofuzz113244572() {
++ UriQueryListA second = { .key = "\x11", .value = NULL, .next =
NULL };
++ UriQueryListA first = { .key = "\x01", .value = "\x02", .next =
&second };
++
++ const UriBool spaceToPlus = URI_TRUE;
++ const UriBool normalizeBreaks = URI_FALSE; /* for factor 3 but
6 */
++
++ const int charsRequired = (3 + 1 + 3) + 1 + (3);
++
++ {
++ // Minimum space to hold everything fine
++ const char * const expected = "%01=%02" "&" "%11";
++ char dest[charsRequired + 1];
++ int charsWritten;
++ TEST_ASSERT(uriComposeQueryExA(dest, &first,
sizeof(dest),
++ &charsWritten, spaceToPlus,
normalizeBreaks)
++ == URI_SUCCESS);
++ TEST_ASSERT(! strcmp(dest, expected));
++ TEST_ASSERT(charsWritten == strlen(expected) + 1);
++ }
++
++ {
++ // Previous math failed to take ampersand into account
++ char dest[charsRequired + 1 - 1];
++ int charsWritten;
++ TEST_ASSERT(uriComposeQueryExA(dest, &first,
sizeof(dest),
++ &charsWritten, spaceToPlus,
normalizeBreaks)
++ == URI_ERROR_OUTPUT_TOO_LARGE);
++ }
++ }
++
+ void testFreeCrash_Bug20080827() {
+ char const * const sourceUri = "abc";
+ char const * const baseUri = "http://www.example.org/";;
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19199.patch
uriparser-0.8.4/debian/patches/CVE-2018-19199.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19199.patch 1970-01-01
01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19199.patch 2018-11-16
09:20:41.000000000 +0100
@@ -0,0 +1,43 @@
+From f76275d4a91b28d687250525d3a0c5509bbd666f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Sun, 23 Sep 2018 21:30:39 +0200
+Subject: [PATCH] UriQuery.c: Catch integer overflow in ComposeQuery and ...Ex
+
+---
+ ChangeLog | 2 ++
+ src/UriQuery.c | 14 ++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+Index: stretch/src/UriQuery.c
+===================================================================
+--- stretch.orig/src/UriQuery.c
++++ stretch/src/UriQuery.c
+@@ -68,6 +68,10 @@
+
+
+
++#include <limits.h>
++
++
++
+ static int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
+ const URI_TYPE(QueryList) * queryList,
+ int maxChars, int * charsWritten, int * charsRequired,
+@@ -201,9 +205,15 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHA
+ const URI_CHAR * const value = queryList->value;
+ const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
+ const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+- const int keyRequiredChars = worstCase * keyLen;
++ int keyRequiredChars;
+ const int valueLen = (value == NULL) ? 0 :
(int)URI_STRLEN(value);
+- const int valueRequiredChars = worstCase * valueLen;
++ int valueRequiredChars;
++
++ if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX /
worstCase)) {
++ return URI_ERROR_OUTPUT_TOO_LARGE;
++ }
++ keyRequiredChars = worstCase * keyLen;
++ valueRequiredChars = worstCase * valueLen;
+
+ if (dest == NULL) {
+ if (firstItem == URI_TRUE) {
diff -Nru uriparser-0.8.4/debian/patches/CVE-2018-19200.patch
uriparser-0.8.4/debian/patches/CVE-2018-19200.patch
--- uriparser-0.8.4/debian/patches/CVE-2018-19200.patch 1970-01-01
01:00:00.000000000 +0100
+++ uriparser-0.8.4/debian/patches/CVE-2018-19200.patch 2018-11-16
08:49:00.000000000 +0100
@@ -0,0 +1,23 @@
+From f58c25069cf4a986fe17a80c5b38687e31feb539 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebast...@pipping.org>
+Date: Wed, 10 Oct 2018 14:49:51 +0200
+Subject: [PATCH] ResetUri: Protect against NULL
+
+---
+ src/UriCommon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/UriCommon.c b/src/UriCommon.c
+index 3775306..039beda 100644
+--- a/src/UriCommon.c
++++ b/src/UriCommon.c
+@@ -75,6 +75,9 @@
+
+
+ void URI_FUNC(ResetUri)(URI_TYPE(Uri) * uri) {
++ if (uri == NULL) {
++ return;
++ }
+ memset(uri, 0, sizeof(URI_TYPE(Uri)));
+ }
+
diff -Nru uriparser-0.8.4/debian/patches/series
uriparser-0.8.4/debian/patches/series
--- uriparser-0.8.4/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ uriparser-0.8.4/debian/patches/series 2018-11-16 09:18:50.000000000
+0100
@@ -0,0 +1,3 @@
+CVE-2018-19198.patch
+CVE-2018-19199.patch
+CVE-2018-19200.patch
--- End Message ---
--- Begin Message ---
Version: 9.8
Hi,
The update referenced by each of these bugs was included in this
morning's stretch point release.
Regards,
Adam
--- End Message ---
