Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

The debdiff attached brings in an upstream patch to fix CVE-2019-1020014, hence closes #933801.

This is my first contribution to Debian Stable, please check for beginner's mistakes ;)

Also, the devel-announce "Bits from the Stable Release Managers" mentions:

* Fixes for security issues should be co-ordinated with the Security Team, unless they have explicitly stated that they will not issue a DSA for the bug (e.g. via a "no-dsa" marker in the Security Tracker) [SECURITY-TRACKER]

So, is there anything else I should do here? Like, CC them or something?

Thanks!

Arnaud

--
Related links:
- <https://bugs.debian.org/933801>
- <https://security-tracker.debian.org/tracker/CVE-2019-1020014>

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog --- golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog 2019-02-28 08:31:29.000000000 +0700 +++ golang-github-docker-docker-credential-helpers-0.6.1/debian/changelog 2019-08-05 15:04:28.000000000 +0700 @@ -1,3 +1,11 @@ +golang-github-docker-docker-credential-helpers (0.6.1-2+deb10u1) buster; urgency=medium + + * Add myself to uploaders. + * Adjust gbp.conf for buster. + * Add upstream patch to fix CVE-2019-1020014 (Closes: #933801). + + -- Arnaud Rebillout <arnaud.rebill...@collabora.com> Mon, 05 Aug 2019 15:04:28 +0700 + golang-github-docker-docker-credential-helpers (0.6.1-2) unstable; urgency=medium * Team upload. diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/control golang-github-docker-docker-credential-helpers-0.6.1/debian/control --- golang-github-docker-docker-credential-helpers-0.6.1/debian/control 2019-02-28 08:31:29.000000000 +0700 +++ golang-github-docker-docker-credential-helpers-0.6.1/debian/control 2019-08-05 15:04:28.000000000 +0700 @@ -3,7 +3,8 @@ Priority: optional Maintainer: Debian Go Packaging Team <pkg-go-maintain...@lists.alioth.debian.org> Uploaders: Tim Potter <t...@hpe.com>, - Jordi Mallach <jo...@debian.org> + Jordi Mallach <jo...@debian.org>, + Arnaud Rebillout <arnaud.rebill...@collabora.com>, Build-Depends: debhelper (>= 11~), dh-golang, golang-any, diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf --- golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf 2019-02-28 08:31:29.000000000 +0700 +++ golang-github-docker-docker-credential-helpers-0.6.1/debian/gbp.conf 2019-08-05 15:04:28.000000000 +0700 
@@ -1,2 +1,3 @@ [DEFAULT] +debian-branch = debian/buster pristine-tar = True diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch --- golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch 2019-08-05 15:04:28.000000000 +0700 
@@ -0,0 +1,85 @@ +From: Justin Cormack <justin.corm...@docker.com> +Date: Mon, 1 Jul 2019 14:37:24 +0100 +Subject: [PATCH] Fix a double free in the List functions + +The code was set up so that it would free the individual items and the data +in `freeListData`, but there was already a Go `defer` to free the data item, +resulting in a double free. + +Remove the `free` in `freeListData` and leave the original one. + +In addition, move the `defer` for freeing the list data before the error +check, so that the data is also free in the error case. This just removes +a minor leak. + +This vulnerability was discovered by: +Jasiel Spelman of Trend Micro Zero Day Initiative and Trend Micro Team Nebula + +Signed-off-by: Justin Cormack <justin.corm...@docker.com> +Origin: upstream, https://github.com/docker/docker-credential-helpers/commit/87c80bf +--- + osxkeychain/osxkeychain_darwin.c | 1 - + osxkeychain/osxkeychain_darwin.go | 5 ++--- + secretservice/secretservice_linux.c | 1 - + secretservice/secretservice_linux.go | 4 ++-- + 4 files changed, 4 insertions(+), 7 deletions(-) + +--- a/osxkeychain/osxkeychain_darwin.c ++++ b/osxkeychain/osxkeychain_darwin.c +@@ -223,6 +223,5 @@ + void freeListData(char *** data, unsigned int length) { + for(int i=0; i<length; i++) { + free((*data)[i]); + } +- free(*data); + } +--- a/osxkeychain/osxkeychain_darwin.go ++++ b/osxkeychain/osxkeychain_darwin.go +@@ -109,17 +109,16 @@ + var acctsC **C.char + defer C.free(unsafe.Pointer(acctsC)) + var listLenC C.uint + errMsg := C.keychain_list(credsLabelC, &pathsC, &acctsC, &listLenC) ++ defer C.freeListData(&pathsC, listLenC) ++ defer C.freeListData(&acctsC, listLenC) + if errMsg != nil { + defer C.free(unsafe.Pointer(errMsg)) + goMsg := C.GoString(errMsg) + return nil, errors.New(goMsg) + } + +- defer C.freeListData(&pathsC, listLenC) +- defer C.freeListData(&acctsC, listLenC) +- + var listLen int + listLen = int(listLenC) + pathTmp := (*[1 << 
30]*C.char)(unsafe.Pointer(pathsC))[:listLen:listLen] + acctTmp := (*[1 << 30]*C.char)(unsafe.Pointer(acctsC))[:listLen:listLen] +--- a/secretservice/secretservice_linux.c ++++ b/secretservice/secretservice_linux.c +@@ -157,6 +157,5 @@ + int i; + for(i=0; i<length; i++) { + free((*data)[i]); + } +- free(*data); + } +--- a/secretservice/secretservice_linux.go ++++ b/secretservice/secretservice_linux.go +@@ -91,14 +91,14 @@ + var acctsC **C.char + defer C.free(unsafe.Pointer(acctsC)) + var listLenC C.uint + err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC) ++ defer C.freeListData(&pathsC, listLenC) ++ defer C.freeListData(&acctsC, listLenC) + if err != nil { + defer C.g_error_free(err) + return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library") + } +- defer C.freeListData(&pathsC, listLenC) +- defer C.freeListData(&acctsC, listLenC) + + resp := make(map[string]string) + + listLen := int(listLenC) diff -Nru golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series --- golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series 2019-02-28 08:31:29.000000000 +0700 +++ golang-github-docker-docker-credential-helpers-0.6.1/debian/patches/series 2019-08-05 15:04:28.000000000 +0700 @@ -1 +1,2 @@ fix-free-err.patch +cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch
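Review bot: the debian/changelog hunk records three changes, but only "Add upstream patch to fix CVE-2019-1020014 (Closes: #933801)" is needed for this stable update; "Add myself to uploaders" and "Adjust gbp.conf for buster" are packaging housekeeping. Stable updates are expected to stay minimal and targeted, so consider dropping those two entries together with the debian/control and debian/gbp.conf hunks, or be ready to justify them to the release team. The version 0.6.1-2+deb10u1 and the buster distribution are right for a buster pu.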
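Review bot: in the debian/control hunk the new last Uploaders entry keeps a trailing comma (`+ Arnaud Rebillout <arnaud.rebill...@collabora.com>,`) immediately before `Build-Depends:`, whereas the entry it replaces as last (`Jordi Mallach <jo...@debian.org>`) had none. Drop the trailing comma so the list stays consistent with the previous layout.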
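Review bot: the DEP-3 header of cve-2019-1020014-Fix-a-double-free-in-the-List-functions.patch carries `Origin:` but no bug reference; add `Bug-Debian: https://bugs.debian.org/933801` so the patch is traceable from the package. On the content: in both Go hunks the deferred `C.free(unsafe.Pointer(acctsC))` is registered directly after `var acctsC **C.char`, and Go evaluates deferred call arguments at the defer statement, so that call only ever frees a nil pointer; with `free(*data)` removed from freeListData in both C hunks, the outer pointer arrays are no longer released at all. That is a small leak, not a memory-safety problem, so it does not block this update, but it is worth raising upstream rather than diverging from commit 87c80bf in stable. Moving the two `defer C.freeListData(...)` calls above the error check is fine: listLenC is zero-initialised, so on the error path the loop in freeListData does nothing unless the C side filled the arrays before failing.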