Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-CC: pkg-utopia-maintain...@lists.alioth.debian.org
Dear release team,

A low-severity CVE has been published for dbus-broker, and it affects bullseye. In accordance with the Security Team, it does not warrant a DSA, so we would like to fix it via p-u instead. The fix is a clean backport, and the diff is minimal. Debdiff attached.

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343

--
Kind regards,
Luca Boccassi
diff -Nru dbus-broker-26/debian/changelog dbus-broker-26/debian/changelog --- dbus-broker-26/debian/changelog 2021-01-22 00:00:39.000000000 +0000 +++ dbus-broker-26/debian/changelog 2022-06-22 22:27:17.000000000 +0100 @@ -1,3 +1,10 @@ +dbus-broker (26-1+deb11u1) bullseye; urgency=medium + + * Backport strnspn-fix-buffer-overflow.patch to fix CVE-2022-31212 + (Closes: #1013343) + + -- Luca Boccassi <bl...@debian.org> Wed, 22 Jun 2022 22:27:17 +0100 + dbus-broker (26-1) unstable; urgency=low * Update upstream source from tag 'upstream/26' diff -Nru dbus-broker-26/debian/gbp.conf dbus-broker-26/debian/gbp.conf --- dbus-broker-26/debian/gbp.conf 2020-12-13 22:03:47.000000000 +0000 +++ dbus-broker-26/debian/gbp.conf 2022-06-22 22:27:17.000000000 +0100 @@ -1,6 +1,6 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/sid +debian-branch = debian/bullseye upstream-branch = upstream [pristine-tar] diff -Nru dbus-broker-26/debian/patches/series dbus-broker-26/debian/patches/series --- dbus-broker-26/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ dbus-broker-26/debian/patches/series 2022-06-22 22:27:17.000000000 +0100 @@ -0,0 +1 @@ +strnspn-fix-buffer-overflow.patch diff -Nru dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch --- dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ dbus-broker-26/debian/patches/strnspn-fix-buffer-overflow.patch 2022-06-22 22:27:17.000000000 +0100 
@@ -0,0 +1,53 @@ +Author: David Rheinsberg <david.rheinsb...@gmail.com> +Origin: backport, https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013343 +Description: strnspn: fix buffer overflow + Fix the strnspn and strncspn functions to use a properly sized buffer. + It used to be 1 byte too short. Checking for `0xff` in a string will + thus write `0xff` once byte beyond the stack space of the local buffer. + . + Note that the public API does not allow to pass `0xff` to those + functions. Therefore, this is a read-only buffer overrun, possibly + causing bogus reports from the parser, but still well-defined. +--- a/subprojects/c-shquote/src/c-shquote.c ++++ b/subprojects/c-shquote/src/c-shquote.c +@@ -85,7 +85,7 @@ + size_t c_shquote_strnspn(const char *string, + size_t n_string, + const char *accept) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + for ( ; *accept; ++accept) + buffer[(unsigned char)*accept] = true; +@@ -100,7 +100,7 @@ + size_t c_shquote_strncspn(const char *string, + size_t n_string, + const char *reject) { +- bool buffer[UCHAR_MAX] = {}; ++ bool buffer[UCHAR_MAX + 1] = {}; + + if (strlen(reject) == 1) { + const char *p; +--- a/subprojects/c-shquote/src/test-private.c ++++ b/subprojects/c-shquote/src/test-private.c +@@ -148,6 +148,9 @@ + + len = c_shquote_strnspn("ab", 2, "bc"); + c_assert(len == 0); ++ ++ len = c_shquote_strnspn("ab", 2, "\xff"); ++ c_assert(len == 0); + } + + static void test_strncspn(void) { +@@ -167,6 +170,9 @@ + + len = c_shquote_strncspn("ab", 2, "cd"); + c_assert(len == 2); ++ ++ len = c_shquote_strncspn("ab", 2, "\xff"); ++ c_assert(len == 2); + } + + static void test_discard_comment(void) { diff -Nru dbus-broker-26/debian/salsa-ci.yml dbus-broker-26/debian/salsa-ci.yml --- dbus-broker-26/debian/salsa-ci.yml 2020-12-13 22:03:47.000000000 +0000 +++ dbus-broker-26/debian/salsa-ci.yml 2022-06-22 
22:27:17.000000000 +0100 @@ -2,3 +2,6 @@ include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'bullseye'
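Review bot: the `bool buffer[UCHAR_MAX + 1]` sizing in both `c_shquote_strnspn` and `c_shquote_strncspn` is the correct fix, because `(unsigned char)*accept` ranges over 0..UCHAR_MAX inclusive, so the old `bool buffer[UCHAR_MAX]` had no slot for index 0xff and `buffer[(unsigned char)*accept] = true` would store one element past the end of the stack array. Two points on the DEP-3 Description header of the patch: "write `0xff` once byte beyond" should read "one byte beyond", and the closing statement that the overrun is "still well-defined" is not accurate for C, where reading past the end of an automatic array is undefined behaviour even if the public API keeps the write path unreachable; it would be clearer to say that the practical impact is limited to a possibly bogus parser result.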
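Review bot: the added `"\xff"` cases in test-private.c exercise exactly the index the old array could not hold, and the expected values are right (no byte of "ab" is in the accept set, so `c_shquote_strnspn("ab", 2, "\xff")` returns 0; none is in the reject set, so `c_shquote_strncspn("ab", 2, "\xff")` returns 2). Two caveats: the asserts only compare return values, so the one-byte out-of-bounds write in the unfixed code only becomes a test failure under a sanitizer build (e.g. `-fsanitize=address`), and both new cases put 0xff in the accept/reject argument, which the Description says the public API never does; a case with 0xff in the string argument, which is the path reachable from the public API, would cover the read side as well.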
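Review bot: the `debian-branch = debian/bullseye` change in gbp.conf, like the `RELEASE: 'bullseye'` addition in salsa-ci.yml, is branch and CI bookkeeping for the stable update rather than part of the CVE fix; that is fine to carry in the same upload, but the changelog entry only mentions the backported patch, so a short line noting the branch/CI switch would keep the p-u debdiff self-explanatory to the release team.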