Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <1529753533.11744.69.ca...@adam-barratt.org.uk>
and subject line Closing bugs for requests included in the EoL jessie point
release
has caused the Debian Bug report #899018,
regarding jessie-pu: package blktrace/1.0.5-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
899018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899018
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch,jessie
User: release.debian....@packages.debian.org
Usertags: pu
I would like to update blktrace in Jessie (1.0.5-1) and Stretch
(1.1.0-2) to fix a buffer overflow (CVE-2018-10689, see
https://security-tracker.debian.org/tracker/CVE-2018-10689).
I've already discussed this with the security team, and they feel this
issue doesn't warrant a DSA, but should be fixed via proposed-updates
instead.
My proposed new packages can be found at https://zoetekouw.net/Zooi/blktrace/
The debdiffs are as follows:
For jessie:
diff -Nru blktrace-1.0.5/debian/changelog blktrace-1.0.5/debian/changelog
--- blktrace-1.0.5/debian/changelog 2013-05-05 14:43:17.000000000 +0200
+++ blktrace-1.0.5/debian/changelog 2018-05-18 15:57:31.000000000 +0200
@@ -1,3 +1,9 @@
+blktrace (1.0.5-2) oldstable-proposed-updates; urgency=high
+
+ * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw <b...@debian.org> Fri, 18 May 2018 15:47:57 +0200
+
blktrace (1.0.5-1) unstable; urgency=low
* New upstream release [February 2012].
diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch
blktrace-1.0.5/debian/patches/cve-2018-10689.patch
--- blktrace-1.0.5/debian/patches/cve-2018-10689.patch 1970-01-01
01:00:00.000000000 +0100
+++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch 2018-05-18
16:05:36.000000000 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe <ax...@kernel.dk>
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid
overflow. Patch from
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
+
+Index: blktrace-1.0.5/btt/devmap.c
+===================================================================
+--- blktrace-1.0.5.orig/btt/devmap.c
++++ blktrace-1.0.5/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+ struct list_head head;
+- char device[32], devno[32];
++ char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
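Review bot: the DEP-3 `Description:` field in this hunk is wrapped onto two continuation lines (`overflow. Patch from` and the git.kernel.org URL) that carry no leading `+`, so the patch as pasted here would not apply cleanly; confirm that the file in the actual upload has the description either on one line or as properly indented continuation lines. Also, the hunk changes the two arrays to `PATH_MAX` without adding any include, so check that btt/devmap.c already sees `<limits.h>` (directly or through its own headers), otherwise the build fails on an undeclared `PATH_MAX`.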
diff -Nru blktrace-1.0.5/debian/patches/series
blktrace-1.0.5/debian/patches/series
--- blktrace-1.0.5/debian/patches/series 2012-12-23 12:30:03.000000000
+0100
+++ blktrace-1.0.5/debian/patches/series 2018-05-18 15:56:41.000000000
+0200
@@ -1,2 +1,3 @@
10_btrace_paths.patch
spelling.patch
+cve-2018-10689.patch
For Stretch:
diff -Nru blktrace-1.1.0/debian/changelog blktrace-1.1.0/debian/changelog
--- blktrace-1.1.0/debian/changelog 2015-05-17 14:35:07.000000000 +0200
+++ blktrace-1.1.0/debian/changelog 2018-05-16 16:19:54.000000000 +0200
@@ -1,3 +1,9 @@
+blktrace (1.1.0-3) stretch-security; urgency=high
+
+ * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw <b...@debian.org> Wed, 16 May 2018 16:19:54 +0200
+
blktrace (1.1.0-2) unstable; urgency=low
* Upload to unstable.
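Review bot: the new changelog entry targets `stretch-security`, but the cover mail says the security team wants this handled through proposed-updates rather than a DSA; a stretch-pu upload should use the stable codename `stretch` as the distribution in debian/changelog. Change `+blktrace (1.1.0-3) stretch-security; urgency=high` to `+blktrace (1.1.0-3) stretch; urgency=high` before uploading, so the upload is not routed to the security queue.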
diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch
blktrace-1.1.0/debian/patches/cve-2018-10689.patch
--- blktrace-1.1.0/debian/patches/cve-2018-10689.patch 1970-01-01
01:00:00.000000000 +0100
+++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch 2018-05-16
16:19:54.000000000 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe <ax...@kernel.dk>
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to avoid
overflow. Patch from
https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
++++ b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+ struct list_head head;
+- char device[32], devno[32];
++ char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
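Review bot: enlarging `device` and `devno` from 32 to `PATH_MAX` bytes only removes the overflow if every write into those fields is itself bounded by the new size; the code that fills them is outside this hunk, so confirm in the upstream commit referenced in the `Description:` line that the reads into these buffers use a matching width limit or a length-checked copy rather than relying on the larger buffer alone. As a minor point, this copy of the patch uses git-style `diff --git`/`index` headers while the jessie copy uses quilt-style `Index:` headers; both apply, but keeping the two files identical apart from the paths makes later comparison easier.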
diff -Nru blktrace-1.1.0/debian/patches/series
blktrace-1.1.0/debian/patches/series
--- blktrace-1.1.0/debian/patches/series 2015-03-25 08:40:33.000000000
+0100
+++ blktrace-1.1.0/debian/patches/series 2018-05-16 16:19:54.000000000
+0200
@@ -4,3 +4,4 @@
pdf-date.patch
procnum.patch
spelling.patch
+cve-2018-10689.patch
-- System Information:
Debian Release: 9.4
APT prefers stable
APT policy: (620, 'stable'), (500, 'stable-updates'), (20, 'unstable'), (10,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Version: 8.11
Hi,
The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).
Regards,
Adam
--- End Message ---