Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: snipr...@packages.debian.org, snipr...@packages.debian.org, r...@debian.org
Control: affects -1 + src:sniproxy

Please unblock package sniproxy

Version 0.6.0-2.1 fixes the #1033752 RC bug (grave, security) about a buffer overflow that may lead to arbitrary code execution. I am in the process of adopting the package (see #1035759), and I'm in communication with Thorsten Alteholz, who did the NMU to fix the bug.

[ Reason ]
Security issue, arbitrary code execution due to a buffer overflow. See #1033752 for details.

[ Impact ]
Systems where sniproxy is used are currently vulnerable to remote code execution.

[ Tests ]
The next upstream version of sniproxy, 0.6.1, that was released with a single change - to fix this bug - and that I will soon upload to experimental, contains a test case that makes sure sniproxy does not die on such a malformed request:
https://github.com/dlundquist/sniproxy/commit/f8d9a433fe22ab2fa15c00179048ab02ae23d583#diff-e1a0a6ea76cf301ec1fc8564ca08c0a20ae7fdc14f27355ab77a217e09efd833
(the bad_dns_request_test change)

The patch includes this change, although the tests are not run during the Debian package build or afterwards; however, a manual `make check` in the package build directory will show the test passing. I intend to try to run those tests both during the build and as autopkgtests.

[ Risks ]
The fix is straightforward (for someone familiar with network programming in C) and targeted. IMHO the risks are minimal, if any at all.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock sniproxy/0.6.0-2.1

diff -Nru sniproxy-0.6.0/debian/changelog sniproxy-0.6.0/debian/changelog --- sniproxy-0.6.0/debian/changelog 2020-07-23 23:27:57.000000000 +0300 +++ sniproxy-0.6.0/debian/changelog 2023-04-29 20:03:02.000000000 +0300 @@ -1,3 +1,11 @@ +sniproxy (0.6.0-2.1) unstable; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2023-25076 (Closes: #1033752) + fix buffer overflow while handling wildcard backend hosts + + -- Thorsten Alteholz <deb...@alteholz.de> Sat, 29 Apr 2023 19:03:02 +0200 + sniproxy (0.6.0-2) unstable; urgency=medium * Fix "ftbfs with GCC-10" by applying patch diff -Nru sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch --- sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch 1970-01-01 02:00:00.000000000 +0200 +++ sniproxy-0.6.0/debian/patches/CVE-2023-25076.patch 2023-04-29 20:03:02.000000000 +0300 
@@ -0,0 +1,71 @@ +commit f8d9a433fe22ab2fa15c00179048ab02ae23d583 +Author: Dustin Lundquist <dus...@null-ptr.net> +Date: Thu Mar 16 20:42:20 2023 -0700 + + address: fix buffer overflow + + Update tests to work on Debian 11. + +Index: sniproxy-0.6.0/src/address.c +=================================================================== +--- sniproxy-0.6.0.orig/src/address.c 2023-04-29 19:26:00.397699547 +0200 ++++ sniproxy-0.6.0/src/address.c 2023-04-29 19:26:00.397699547 +0200 +@@ -143,6 +143,8 @@ + if (hostname_or_ip[0] == '[' && + (port = strchr(hostname_or_ip, ']')) != NULL) { + len = (size_t)(port - hostname_or_ip - 1); ++ if (len >= INET6_ADDRSTRLEN) ++ return NULL; + + /* inet_pton() will not parse the IP correctly unless it is in a + * separate string. +Index: sniproxy-0.6.0/tests/Makefile.am +=================================================================== +--- sniproxy-0.6.0.orig/tests/Makefile.am 2023-04-29 19:26:00.397699547 +0200 ++++ sniproxy-0.6.0/tests/Makefile.am 2023-04-29 19:26:25.017710380 +0200 +@@ -1,5 +1,7 @@ + AM_CPPFLAGS = -I$(top_srcdir)/src -g $(LIBEV_CFLAGS) $(LIBPCRE_CFLAGS) $(LIBUDNS_CFLAGS) + ++.NOTPARALLEL: ++ + TESTS = address_test \ + buffer_test \ + cfg_tokenizer_test \ +Index: sniproxy-0.6.0/tests/bad_dns_request_test +=================================================================== +--- sniproxy-0.6.0.orig/tests/bad_dns_request_test 2023-04-29 19:26:00.397699547 +0200 ++++ sniproxy-0.6.0/tests/bad_dns_request_test 2023-04-29 19:26:00.397699547 +0200 +@@ -36,6 +36,11 @@ + client => \&http_client, + }, + { ++ # Exceed hostname buffer size ++ request => "GET / HTTP/1.1\r\nHost: [" . 'long.' x 60 . 
"example.com]\r\n\r\n", ++ client => \&http_client, ++ }, ++ { + # Test client aborting connection before DNS response received + request => "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", + client => \&http_client_abort, +Index: sniproxy-0.6.0/tests/slow_client_test +=================================================================== +--- sniproxy-0.6.0.orig/tests/slow_client_test 2023-04-29 19:26:00.397699547 +0200 ++++ sniproxy-0.6.0/tests/slow_client_test 2023-04-29 19:26:00.397699547 +0200 +@@ -31,11 +31,16 @@ + my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1', + PeerPort => $port, + Proto => "tcp", +- Type => SOCK_STREAM) ++ Type => SOCK_STREAM, ++ Timeout => 5) + or die "couldn't connect $!"; + + $socket->send($request); + foreach (split("\r\n", $request)) { ++ unless ($socket->connected()) { ++ print "Disconnected\n"; ++ exit(0); ++ } + $socket->send("$_\r\n"); + sleep(1); + } diff -Nru sniproxy-0.6.0/debian/patches/series sniproxy-0.6.0/debian/patches/series --- sniproxy-0.6.0/debian/patches/series 2020-07-23 23:27:57.000000000 +0300 +++ sniproxy-0.6.0/debian/patches/series 2023-04-29 20:03:02.000000000 +0300 @@ -1 +1,3 @@ 01_fix_gcc-10-build.patch + +CVE-2023-25076.patch
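Review bot: In the src/address.c hunk, the new check `if (len >= INET6_ADDRSTRLEN) return NULL;` hard-codes the limit, while the separate string that the comment below it refers to is declared outside the visible context. Suggest writing the bound as sizeof of that destination buffer so the check cannot drift from the buffer's actual size, and adding a one-line comment that `>=` is deliberate so there is room for the terminating NUL.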
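Review bot: `.NOTPARALLEL:` in the tests/Makefile.am hunk is added with no comment, and the commit message covers it only as "Update tests to work on Debian 11". Suggest a short comment naming which tests cannot run concurrently and why, so the serialisation can be dropped once that cause is addressed.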
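Review bot: The new case in the tests/bad_dns_request_test hunk sends only one bracketed Host value, and it is far past the limit ('long.' x 60 followed by example.com, 311 characters), so it would not catch an off-by-one in the `len >= INET6_ADDRSTRLEN` comparison. Suggest adding cases whose bracketed content is exactly INET6_ADDRSTRLEN - 1 and exactly INET6_ADDRSTRLEN characters long, so the boundary is pinned down on both sides.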
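Review bot: In the tests/slow_client_test hunk, the added `unless ($socket->connected())` branch prints "Disconnected" and calls `exit(0)`, so the client reports success whenever the connection goes away and cannot tell an expected close from the proxy having died. Suggest exiting non-zero unless a disconnect is the intended outcome of this test, and saying so in a comment if it is. The `Timeout => 5` change and this branch are also separate from the address.c fix and would be easier to review as their own patch.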