I somehow missed that libbsd produces a udeb when I was processing
stable-new, so CCing KiBi and -boot now.
Regards,
Adam
On Wed, 2021-03-03 at 12:05 +0100, Gianfranco Costamagna wrote:
> Package: release.debian.org
> User: release.debian....@packages.debian.org
> Usertags: pu
> Tags: buster
> Severity: normal
>
> CVE-2019-20367 (no DSA) has been fixed for stretch in 0.8.3-1+deb9u1
> and
> for bullseye, sid with version 0.10.0-1
> Buster has been left out from the patches, and since the patch is
> trivial, I propose to apply it for buster too
>
>
> diff -Nru libbsd-0.9.1/debian/changelog libbsd-0.9.1/debian/changelog
> --- libbsd-0.9.1/debian/changelog 2019-02-25 01:33:03.000000000
> +0100
> +++ libbsd-0.9.1/debian/changelog 2021-03-03 12:03:12.000000000
> +0100
> @@ -1,3 +1,12 @@
> +libbsd (0.9.1-2+deb10u1) buster; urgency=medium
> +
> + * Non-maintainer upload.
> + * CVE-2019-20367
> + A non-NUL terminated symbol name in the string table might
> + result in a out-of-bounds read.
> +
> + -- Gianfranco Costamagna <locutusofb...@debian.org> Wed, 03 Mar
> 2021 12:03:12 +0100
> +
> libbsd (0.9.1-2) unstable; urgency=medium
>
> * Perform a proper and correct /usr-merge transition by moving the
> package
> diff -Nru libbsd-0.9.1/debian/patches/CVE-2019-20367.patch libbsd-
> 0.9.1/debian/patches/CVE-2019-20367.patch
> --- libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 1970-01-01
> 01:00:00.000000000 +0100
> +++ libbsd-0.9.1/debian/patches/CVE-2019-20367.patch 2021-03-03
> 12:00:40.000000000 +0100
> @@ -0,0 +1,42 @@
> +From 9d917aad37778a9f4a96ba358415f077f3f36f3b Mon Sep 17 00:00:00
> 2001
> +From: Guillem Jover <guil...@hadrons.org>
> +Date: Wed, 7 Aug 2019 22:58:30 +0200
> +Subject: [PATCH] nlist: Fix out-of-bounds read on strtab
> +
> +When doing a string comparison for a symbol name from the string
> table,
> +we should make sure we do a bounded comparison, otherwise a non-NUL
> +terminated string might make the code read out-of-bounds.
> +
> +Warned-by: coverity
> +---
> + src/nlist.c | 6 ++++--
> + 1 file changed, 4 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/nlist.c b/src/nlist.c
> +index 8aa46a2..228c220 100644
> +--- a/src/nlist.c
> ++++ b/src/nlist.c
> +@@ -227,16 +227,18 @@ __fdnlist(int fd, struct nlist *list)
> + symsize -= cc;
> + for (s = sbuf; cc > 0 && nent > 0; ++s, cc -=
> sizeof(*s)) {
> + char *name;
> ++ Elf_Word size;
> + struct nlist *p;
> +
> + name = strtab + s->st_name;
> + if (name[0] == '\0')
> + continue;
> ++ size = symstrsize - s->st_name;
> +
> + for (p = list; !ISLAST(p); p++) {
> + if ((p->n_un.n_name[0] == '_' &&
> +- strcmp(name, p->n_un.n_name+1) ==
> 0)
> +- || strcmp(name, p->n_un.n_name) ==
> 0) {
> ++ strncmp(name, p->n_un.n_name+1,
> size) == 0) ||
> ++ strncmp(name, p->n_un.n_name, size)
> == 0) {
> + elf_sym_to_nlist(p, s, shdr,
> + ehdr.e_shnum);
> + if (--nent <= 0)
> +--
> +GitLab
> +
> diff -Nru libbsd-0.9.1/debian/patches/series libbsd-
> 0.9.1/debian/patches/series
> --- libbsd-0.9.1/debian/patches/series 1970-01-01
> 01:00:00.000000000 +0100
> +++ libbsd-0.9.1/debian/patches/series 2021-03-03
> 12:01:48.000000000 +0100
> @@ -0,0 +1 @@
> +CVE-2019-20367.patch
