Hi, attached is a patch fixing this issue. It will also be archived on: http://people.debian.org/~nion/nmu-diff/mt-daapd-0.9~r1696-1.2_0.9~r1696-1.3.patch

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u mt-daapd-0.9~r1696/debian/patches/00list mt-daapd-0.9~r1696/debian/patches/00list --- mt-daapd-0.9~r1696/debian/patches/00list +++ mt-daapd-0.9~r1696/debian/patches/00list @@ -1,0 +2 @@ +02_CVE-2008-1771 diff -u mt-daapd-0.9~r1696/debian/changelog mt-daapd-0.9~r1696/debian/changelog --- mt-daapd-0.9~r1696/debian/changelog +++ mt-daapd-0.9~r1696/debian/changelog @@ -1,3 +1,12 @@ +mt-daapd (0.9~r1696-1.3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix integer overflow leading to heap-based buffer overflow causing a + remote Denial of Service and possibly allows to execute arbitrary code + (CVE-2008-1771; Closes: #476241). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 17 Apr 2008 19:03:48 +0200 + mt-daapd (0.9~r1696-1.2) unstable; urgency=low * Non-maintainer upload. --- mt-daapd-0.9~r1696.orig/debian/patches/02_CVE-2008-1771.dpatch +++ mt-daapd-0.9~r1696/debian/patches/02_CVE-2008-1771.dpatch @@ -0,0 +1,24 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02_CVE-2008-1771.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad mt-daapd-0.9~r1696~/src/webserver.c mt-daapd-0.9~r1696/src/webserver.c +--- mt-daapd-0.9~r1696~/src/webserver.c 2007-10-22 05:40:29.000000000 +0200 ++++ mt-daapd-0.9~r1696/src/webserver.c 2008-04-17 19:01:56.000000000 +0200 +@@ -719,7 +719,12 @@ + return FALSE; + } + +- length=atoi(content_length); ++ length=strtol(content_length, NULL, 10); ++ if(EINVAL == errno || UINT_MAX - 1 <= length){ ++ ws_dprintf(L_WS_WARN, "Thread %d: Suspicious Content-Length value, ignoring request\n", pwsc->threadno); ++ return FALSE; ++ } ++ + ws_dprintf(L_WS_DBG,"Thread %d: Post var length: %d\n", + pwsc->threadno,length); +
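Review bot: The errno test after strtol() in the src/webserver.c change is unreliable. errno is never set to 0 before the call, so a stale value from earlier code can trigger or mask the check, and strtol() reports an out-of-range Content-Length with ERANGE, so `EINVAL == errno` does not catch the overflow case this fix is about. Suggest setting `errno = 0` before the call, testing for ERANGE, and passing an end pointer instead of NULL so that an empty, non-numeric or trailing-garbage value can be rejected as well. The bound `UINT_MAX - 1 <= length` also does not reject negative values in general: length is printed with %d, which suggests a signed type, and if it is an int the comparison is done in unsigned arithmetic and only -1 and -2 are caught. An explicit `length < 0` test plus a sane upper limit on the POST body size would state the intent directly. The new lines use errno and UINT_MAX but the hunk adds no #include for <errno.h> or <limits.h>, so please confirm webserver.c already pulls them in. Finally, the dpatch header still reads `## DP: No description.`; a one-line description naming CVE-2008-1771 and the Content-Length check would help whoever maintains the patch series next.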