Control: tags 889753 + patch

Dear maintainer,

I've prepared an NMU for uwsgi (versioned as 2.0.15-10.2). Not yet uploaded (to any delayed queue).

Regards,
Salvatore

diff -Nru uwsgi-2.0.15/debian/changelog uwsgi-2.0.15/debian/changelog --- uwsgi-2.0.15/debian/changelog 2018-01-24 14:23:23.000000000 +0100 +++ uwsgi-2.0.15/debian/changelog 2018-02-09 21:35:00.000000000 +0100 @@ -1,3 +1,11 @@ +uwsgi (2.0.15-10.2) unstable; urgency=medium + + * Non-maintainer upload. + * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758) + (Closes: #889753) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 09 Feb 2018 21:35:00 +0100 + uwsgi (2.0.15-10.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch --- uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 1970-01-01 01:00:00.000000000 +0100 +++ uwsgi-2.0.15/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 2018-02-09 21:35:00.000000000 +0100 
@@ -0,0 +1,46 @@ +From: Unbit <i...@unbit.it> +Date: Tue, 6 Feb 2018 16:01:47 +0100 +Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack + corruption and potential security issue +Origin: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe +Bug-Debian: https://bugs.debian.org/889753 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758 + +--- + core/utils.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/core/utils.c b/core/utils.c +index b4c98dfd..fd886932 100644 +--- a/core/utils.c ++++ b/core/utils.c +@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, pid_t pid) { + } + + char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) { +- char src[PATH_MAX + 1]; +- memcpy(src, dir, dir_len); +- src[dir_len] = 0; ++ if (dir_len > PATH_MAX) ++ { ++ uwsgi_log("invalid path size: %d (max %d)\n", dir_len, PATH_MAX); ++ return NULL; ++ } ++ char *src = uwsgi_concat2n(dir, dir_len, "", 0); + char *dst = ptr; + if (!dst) + dst = uwsgi_malloc(PATH_MAX + 1); +@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) { + uwsgi_error_realpath(src); + if (!ptr) + free(dst); ++ free(src); + return NULL; + } ++ free(src); + return dst; + } + +-- +2.11.0 + diff -Nru uwsgi-2.0.15/debian/patches/series uwsgi-2.0.15/debian/patches/series --- uwsgi-2.0.15/debian/patches/series 2018-01-24 14:23:23.000000000 +0100 +++ uwsgi-2.0.15/debian/patches/series 2018-02-09 21:35:00.000000000 +0100 @@ -1,6 +1,7 @@ 020170502~a63b659.patch 020170503~ef58701.patch 020170604~8368f94.patch +0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 1001_avoid_setting_RPATH.patch 1002_fix-reload-process-name.patch 1003_remove-php-libs.patch
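
Review bot: the new debian/changelog entry for 2.0.15-10.2 names the bug ("Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)") but not the change that addresses it. Consider wording the item as the fix and naming the added file, 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch, so the entry can be traced to the line added in debian/patches/series.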
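
Review bot: in the first core/utils.c hunk (@@ -3674,9 +3674,12 @@) the new guard 'if (dir_len > PATH_MAX)' bounds dir_len only from above. dir_len is a signed int in the function signature, so a negative value passes the check and is handed on to uwsgi_concat2n(dir, dir_len, "", 0). Suggest 'if (dir_len < 0 || dir_len > PATH_MAX)' unless every caller is known to pass a non-negative length. The pointer returned by uwsgi_concat2n() is also passed on without a NULL check, which is only safe if that helper cannot return NULL (not visible in these lines). Minor style point: the opening brace on its own line differs from the ') {' form used by the enclosing function.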
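
Review bot: in the debian/patches/series hunk the new entry 0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch keeps the git format-patch file name, while the neighbouring entries appear to follow a date~commit scheme (020170604~8368f94.patch) for upstream cherry-picks and a 1xxx_ prefix for Debian-specific changes. The placement after the other upstream picks looks right; consider renaming the file to match the existing scheme, using the date and commit id already recorded in the patch header (6 Feb 2018, cb4636f), so the series stays sorted and self-describing.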