Control: tags 1021270 + patch
Control: tags 1021270 + pending

Dear maintainer,

I've prepared an NMU for libmodbus (versioned as 3.1.6-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it.

cu
Adrian
diff -Nru libmodbus-3.1.6/debian/changelog libmodbus-3.1.6/debian/changelog --- libmodbus-3.1.6/debian/changelog 2019-12-09 09:04:49.000000000 +0200 +++ libmodbus-3.1.6/debian/changelog 2022-10-15 13:51:42.000000000 +0300 @@ -1,3 +1,11 @@ +libmodbus (3.1.6-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2022-0367: Heap-based buffer overflow in modbus_reply() + (Closes: #1021270) + + -- Adrian Bunk <[email protected]> Sat, 15 Oct 2022 13:51:42 +0300 + libmodbus (3.1.6-2) unstable; urgency=medium [ Kun-Hung Tsai (蔡昆宏) ] diff -Nru libmodbus-3.1.6/debian/patches/0001-modbus_reply-fix-copy-paste-error-in-sanity-check-fi.patch libmodbus-3.1.6/debian/patches/0001-modbus_reply-fix-copy-paste-error-in-sanity-check-fi.patch --- libmodbus-3.1.6/debian/patches/0001-modbus_reply-fix-copy-paste-error-in-sanity-check-fi.patch 1970-01-01 02:00:00.000000000 +0200 +++ libmodbus-3.1.6/debian/patches/0001-modbus_reply-fix-copy-paste-error-in-sanity-check-fi.patch 2022-10-15 13:51:42.000000000 +0300 
@@ -0,0 +1,33 @@ +From b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 Mon Sep 17 00:00:00 2001 +From: Michael Heimpold <[email protected]> +Date: Sat, 8 Jan 2022 20:00:50 +0100 +Subject: modbus_reply: fix copy & paste error in sanity check (fixes #614) + +While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets +must be checked, i.e. the read and the write address must be within the +mapping range. + +At the moment, only the read address was considered, it looks like a +simple copy and paste error, so let's fix it. + +Signed-off-by: Michael Heimpold <[email protected]> +--- + src/modbus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/modbus.c b/src/modbus.c +index 99f333b..e13bd0d 100644 +--- a/src/modbus.c ++++ b/src/modbus.c +@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, + nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS); + } else if (mapping_address < 0 || + (mapping_address + nb) > mb_mapping->nb_registers || +- mapping_address < 0 || ++ mapping_address_write < 0 || + (mapping_address_write + nb_write) > mb_mapping->nb_registers) { + rsp_length = response_exception( + ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE, +-- +2.30.2 + diff -Nru libmodbus-3.1.6/debian/patches/series libmodbus-3.1.6/debian/patches/series --- libmodbus-3.1.6/debian/patches/series 2019-12-09 08:57:12.000000000 +0200 +++ libmodbus-3.1.6/debian/patches/series 2022-10-15 13:51:42.000000000 +0300 @@ -1,2 +1,3 @@ Fix-typo.patch Fix-float-endianness-issue-on-big-endian-arch.patch +0001-modbus_reply-fix-copy-paste-error-in-sanity-check-fi.patch
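Review bot: The debian/changelog entry for 3.1.6-2.1 names CVE-2022-0367 and closes #1021270 but does not say which patch was added or where it came from. Mentioning 0001-modbus_reply-fix-copy-paste-error-in-sanity-check-fi.patch and the upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 in the entry would let someone reading only the changelog trace the fix.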
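Review bot: In the src/modbus.c hunk at @@ -961,7 +961,7 @@, the corrected line `mapping_address_write < 0 ||` is not accompanied by any test, so the lower bound on the write address can regress unnoticed. Before this change the condition tested `mapping_address < 0` twice, which left a negative mapping_address_write guarded only by the upper-bound comparison `(mapping_address_write + nb_write) > mb_mapping->nb_registers`, and a negative offset can pass that comparison. A regression test that sends a MODBUS_FC_WRITE_AND_READ_REGISTERS request with a write address outside the mapping range and expects MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS would cover the new branch. The embedded patch header could also carry a Bug-Debian field pointing at #1021270.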

