Bug#906258: stretch-pu: package yubico-piv-tool/1.4.2-2

[Nicolas Braud-Santoni]

On Wed, Feb 13, 2019 at 03:21:44PM +0100, Nicolas Braud-Santoni wrote:
> > Didn't you do that? (Or your sponsor, I guess, but I still assumed you'd be
> > aware.)
> > [...]
> > I didn't remove anything, no. I have nothing to do with the package, just
> > looking at what's been proposed / uploaded in order to decide whether to
> > accept it.
> 
> OK, I will go, do the necessary fixes and upload to stretch-pu again  :)

Looks like the change was introduced in my sponsor's build,
here is the result from me rebuilding the same thing which was in Git:

  $ debdiff ../yubico-piv-tool_1.4.2-2.dsc 
/opt/deb/buildarea/yubico-piv-tool_1.4.2-2+deb9u1.dsc
  dpkg-source: warning: extracting unsigned source package 
(/opt/deb/buildarea/yubico-piv-tool_1.4.2-2+deb9u1.dsc)
  diff -Nru yubico-piv-tool-1.4.2/debian/changelog 
yubico-piv-tool-1.4.2/debian/changelog
  --- yubico-piv-tool-1.4.2/debian/changelog      2017-01-08 12:41:03.000000000 
+0100
  +++ yubico-piv-tool-1.4.2/debian/changelog      2018-08-14 21:12:50.000000000 
+0200
  @@ -1,3 +1,11 @@
  +yubico-piv-tool (1.4.2-2+deb9u1) stretch-proposed-updates; urgency=high
  +
  +  * Team upload.
  +  * Backport the fix for CVE-2018-14779 & CVE-2018-14780
  +    Closes: #906128
  +
  + -- Nicolas Braud-Santoni <nico...@braud-santoni.eu>  Tue, 14 Aug 2018 
21:12:50 +0200
  +
   yubico-piv-tool (1.4.2-2) unstable; urgency=medium
   
     * Fix openssl 1.1 ftbfs.  Closes: #828616.
  diff -Nru 
yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch
 
yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch
  --- 
yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch
 1970-01-01 01:00:00.000000000 +0100
  +++ 
yubico-piv-tool-1.4.2/debian/patches/0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch
 2018-08-14 21:12:50.000000000 +0200
  @@ -0,0 +1,32 @@
  +Subject: lib: in ykpiv_transfer_data() handle overflow by exiting
  +
  +this is detected and printed, but we never exit the function
  +
  +Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
  +---
  + lib/ykpiv.c | 5 ++++-
  + 1 file changed, 4 insertions(+), 1 deletion(-)
  +
  +diff --git a/lib/ykpiv.c b/lib/ykpiv.c
  +index 96a5a90..b5fdcbb 100644
  +Origin: vendor
  +Bug: 906128
  +From: Klas Lindfors <k...@yubico.com>
  +Reviewed-by: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
  +Last-Update: 2018-08-14
  +Applied-Upstream: 01a127a44a2229ea14195208e444ec526eaf45f4
  +
  +--- a/lib/ykpiv.c
  ++++ b/lib/ykpiv.c
  +@@ -317,7 +317,10 @@ ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const 
unsigned char *templ,
  +       return YKPIV_OK;
  +     }
  +     if(*out_len + recv_len - 2 > max_out) {
  +-      fprintf(stderr, "Output buffer to small, wanted to write %lu, max was 
%lu.", *out_len + recv_len - 2, max_out);
  ++      if(state->verbose) {
  ++        fprintf(stderr, "Output buffer to small, wanted to write %lu, max 
was %lu.", *out_len + recv_len - 2, max_out);
  ++      }
  ++      return YKPIV_SIZE_ERROR;
  +     }
  +     if(out_data) {
  +       memcpy(out_data, data, recv_len - 2);
  diff -Nru 
yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch
 
yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch
  --- 
yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch
 1970-01-01 01:00:00.000000000 +0100
  +++ 
yubico-piv-tool-1.4.2/debian/patches/0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch
 2018-08-14 21:12:50.000000000 +0200
  @@ -0,0 +1,33 @@
  +Subject: lib: in _ykpiv_fetch_object() handle bogus length by returning
  +
  +otherwise we might memmove() to much data
  +
  +Thanks to Eric Sesterhenn of x41 D-Sec for reporting this issue to us.
  +---
  + lib/ykpiv.c | 6 ++++++
  + 1 file changed, 6 insertions(+)
  +
  +diff --git a/lib/ykpiv.c b/lib/ykpiv.c
  +index b5fdcbb..d4aab29 100644
  +Origin: vendor
  +Bug: 906128
  +From: Klas Lindfors <k...@yubico.com>
  +Reviewed-by: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
  +Last-Update: 2018-08-14
  +Applied-Upstream: 80d47c82f019d6676e8cc5392a31d7478af8015e
  +
  +--- a/lib/ykpiv.c
  ++++ b/lib/ykpiv.c
  +@@ -806,6 +806,12 @@ ykpiv_rc ykpiv_fetch_object(ykpiv_state *state, int 
object_id,
  +     if(offs == 0) {
  +       return YKPIV_SIZE_ERROR;
  +     }
  ++    if(outlen > offs + 1 + *len) {
  ++      if(state->verbose) {
  ++        fprintf(stderr, "Invalid length indicated in object, total objlen 
is %lu, indicated length is %lu.", *len, outlen);
  ++      }
  ++      return YKPIV_SIZE_ERROR;
  ++    }
  +     memmove(data, data + 1 + offs, outlen);
  +     *len = outlen;
  +     return YKPIV_OK;
  diff -Nru yubico-piv-tool-1.4.2/debian/patches/series 
yubico-piv-tool-1.4.2/debian/patches/series
  --- yubico-piv-tool-1.4.2/debian/patches/series 1970-01-01 01:00:00.000000000 
+0100
  +++ yubico-piv-tool-1.4.2/debian/patches/series 2018-08-14 21:12:50.000000000 
+0200
  @@ -0,0 +1,2 @@
  +0001-lib-in-ykpiv_transfer_data-handle-overflow-by-exitin.patch
  +0002-lib-in-_ykpiv_fetch_object-handle-bogus-length-by-re.patch


I assume I can't just dput this, as it already exists in stable-new.
Could you reject the existing package first, and I will reupload?


Best,

  nicoo

signature.asc
Description: PGP signature