Hi anarcat,

On Wed, 06 Feb 2019 at 14:13:23 -0500, Antoine Beaupré wrote:
> On 2019-02-06 01:59:58, Guilhem Moulin wrote:
>> * Upstream hasn't yet filed a CVE for this issue; I forwarded jmm's
>> instructions regarding this.
>
> Sorry, forwarded where? Did I miss something?

Ah sorry, that's indeed rather unclear. I told the Security Team I was
unsure what the next steps were, since up to now CVEs on the packages I
maintain have always been assigned either by a security team member or
by upstream itself. Moritz suggested that upstream files this CVE
themselves and provided a link to an online form, which I forwarded
(privately) to upstream :-)

> 1. open a bug report in the BTS

Was about to do that, but (as often) carnil was faster ;-)

> 2. mention it in the changelog
> 3. upload the package to security-master

Done, and new debdiff attached.

> 4. issue a DLA when the package is accepted

I wouldn't mind if you or another LTS team member were taking care of
this one :-)

Thanks!
-- 
Guilhem.

diff -Nru netmask-2.3.12/debian/changelog netmask-2.3.12+deb8u1/debian/changelog --- netmask-2.3.12/debian/changelog 2010-04-26 04:29:39.000000000 +0200 +++ netmask-2.3.12+deb8u1/debian/changelog 2019-02-06 01:08:09.000000000 +0100 @@ -1,3 +1,10 @@ +netmask (2.3.12+deb8u1) jessie-security; urgency=medium + + * Fix buffer overflow vulnerability. Closes: #921565. + https://github.com/tlby/netmask/issues/3 + + -- Guilhem Moulin <guil...@debian.org> Wed, 06 Feb 2019 01:08:09 +0100 + netmask (2.3.12) unstable; urgency=low * Include patches directly in source because it's a native package diff -Nru netmask-2.3.12/debian/control netmask-2.3.12+deb8u1/debian/control --- netmask-2.3.12/debian/control 2010-04-26 04:29:39.000000000 +0200 +++ netmask-2.3.12+deb8u1/debian/control 2019-02-06 01:08:09.000000000 +0100 @@ -1,7 +1,7 @@ Source: netmask Section: net Priority: optional -Maintainer: Luis Uribe <a...@eviled.org> +Maintainer: Guilhem Moulin <guil...@debian.org> Build-Depends: debhelper (>= 5), texinfo Standards-Version: 3.8.4 diff -Nru netmask-2.3.12/errors.c netmask-2.3.12+deb8u1/errors.c --- netmask-2.3.12/errors.c 2010-04-26 04:29:39.000000000 +0200 +++ netmask-2.3.12+deb8u1/errors.c 2019-02-06 01:04:57.000000000 +0100 @@ -66,7 +66,7 @@ if(!show_status) return(0); va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); return(message(LOG_DEBUG, buf)); } @@ -76,7 +76,7 @@ va_list args; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); return(message(LOG_WARNING, buf)); } @@ -86,7 +86,7 @@ va_list args; va_start(args, fmt); - vsprintf(buf, fmt, args); + vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); message(LOG_ERR, buf); exit(1); 
@@ -97,7 +97,7 @@ /* only handle errno if this is not an informational message */ if(errno && priority < 5) { - sprintf(buf, "%s: %s", msg, strerror(errno)); + snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); errno = 0; } else strcpy(buf, msg); if(use_syslog) syslog(priority, "%s", buf);
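
Review bot: the debian/control hunk changes the Maintainer field, but the new debian/changelog entry lists only the buffer overflow fix. Either mention the Maintainer change in the changelog entry or drop it from this upload, so that the jessie-security debdiff carries nothing beyond the security fix.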
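
Review bot: in the three vsprintf to vsnprintf hunks of errors.c (@@ -66,7, @@ -76,7 and @@ -86,7), sizeof(buf) gives the buffer length only if buf is declared as a char array in each function. The declarations fall outside the context lines, so please confirm none of them is a pointer, since sizeof would then yield the pointer size. The return value of vsnprintf is also discarded, so an over-long message is now silently truncated; that is probably acceptable for log output but worth a word in the changelog.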
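
Review bot: in the errors.c hunk at @@ -97,7 +97,7 @@, the else branch still does strcpy(buf, msg) with no bound, so only the errno path is protected by this change. Unless msg is guaranteed to be no longer than buf (the declarations are outside the visible context), suggest snprintf(buf, sizeof(buf), "%s", msg) there so both branches are bounded.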