Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id
<a894a0233c2d264936953d7a69507573c4a5742a.ca...@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #942110,
regarding stretch-pu: package gnustep-base/1.24.9-3.1+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
942110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942110
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
I'd like to fix a vulnerability in the gdomap daemon (no DSA). It is
fixed in testing/unstable and already approved/uploaded for buster
(release.d.o #940943). The patch is the same.
Debdiff attached.
diff -Nru gnustep-base-1.24.9/debian/changelog
gnustep-base-1.24.9/debian/changelog
--- gnustep-base-1.24.9/debian/changelog 2017-02-02 21:12:50.000000000
+0200
+++ gnustep-base-1.24.9/debian/changelog 2019-10-10 08:33:21.000000000
+0300
@@ -1,3 +1,12 @@
+gnustep-base (1.24.9-3.1+deb9u1) stretch; urgency=medium
+
+ * debian/patches/gdomap-udp-amplification.patch: New; fix UDP
+ amplification vulnerability. Thanks to Alan Jenkins.
+ * debian/patches/series: Update.
+ * debian/gbp.conf: New file.
+
+ -- Yavor Doganov <ya...@gnu.org> Thu, 10 Oct 2019 08:33:21 +0300
+
gnustep-base (1.24.9-3.1) unstable; urgency=medium
* Non-maintainer upload.
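Review bot: the changelog entry describes the fix only as "fix UDP amplification vulnerability" and does not mention the behavioural change that comes with it: after this update gdomap rejects GDO_SERVERS (server list) requests from non-local hosts and logs them with LOG_ERR. Since stretch users may have tooling that queries the server list across the network, a second sentence in the entry such as "gdomap now refuses server-list requests from remote hosts" would save administrators from being surprised by the new "Illegal attempt to list servers!" log line after the point release.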
diff -Nru gnustep-base-1.24.9/debian/gbp.conf
gnustep-base-1.24.9/debian/gbp.conf
--- gnustep-base-1.24.9/debian/gbp.conf 1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.24.9/debian/gbp.conf 2019-10-10 08:33:08.000000000 +0300
@@ -0,0 +1,3 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = stretch
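Review bot: debian/gbp.conf is packaging-workflow metadata (pristine-tar, branch name) unrelated to the security fix, and stable updates are normally kept to the minimal change set. It is harmless at build time, but if the release team prefers a minimal debdiff this file could be dropped from the stretch upload and kept only in the packaging branch.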
diff -Nru gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
--- gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
1970-01-01 02:00:00.000000000 +0200
+++ gnustep-base-1.24.9/debian/patches/gdomap-udp-amplification.patch
2019-10-10 08:32:24.000000000 +0300
@@ -0,0 +1,61 @@
+Description: Fix UDP amplification vulnerability
+ A couple of is_local_net() tests were wrong: they used "&&" with
+ masks, but that is the logical shortcut operator. The correct
+ bitwise operator is "&". The result was that is_local_net() was
+ always returning true.
+ .
+ Only allow local processes to send GDO_SERVERS requests. This
+ request is only useful locally. Do not allow remote requests for the
+ server list. Our response can be large, so it would make a great UDP
+ amplification attack.
+ .
+ Patch by Alan Jenkins <alan.christopher.jenk...@gmail.com>; issue
+ reported to the Debian security team.
+Origin: upstream, commit:de9740c
+Last-Update: 2019-10-10
+---
+
+--- gnustep-base.orig/Tools/gdomap.c
++++ gnustep-base/Tools/gdomap.c
+@@ -419,7 +419,7 @@
+
+ for (i = 0; i < interfaces; i++)
+ {
+- if ((mask[i].s_addr && addr[i].s_addr) == (mask[i].s_addr && a.s_addr))
++ if ((mask[i].s_addr & addr[i].s_addr) == (mask[i].s_addr & a.s_addr))
+ {
+ return 1;
+ }
+@@ -3090,6 +3090,21 @@
+ unsigned int i;
+ unsigned int j;
+
++ /*
++ * See if this is a request from a local process.
++ *
++ * This request is only useful locally. Do not allow remote
++ * requests for the server list. Our response can be large,
++ * so it would make a great UDP amplification attack.
++ */
++ if (is_local_host(ri->addr.sin_addr) == 0)
++ {
++ snprintf(ebuf, sizeof(ebuf), "Illegal attempt to list servers!");
++ gdomap_log(LOG_ERR);
++ clear_chan(desc);
++ return;
++ }
++
+ free(wi->buf);
+ wi->buf = (char*)calloc(sizeof(uint32_t)
+ + (prb_used+1)*IASIZE, 1);
+@@ -3250,8 +3265,8 @@
+ {
+ continue;
+ }
+- if ((mask[i].s_addr && addr[i].s_addr) ==
+- (mask[i].s_addr && ri->addr.sin_addr.s_addr))
++ if ((mask[i].s_addr & addr[i].s_addr) ==
++ (mask[i].s_addr & ri->addr.sin_addr.s_addr))
+ {
+ laddr = addr[i];
+ memcpy(wbuf, &laddr, IASIZE);
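Review bot: the new rejection branch at "@@ -3090" logs a fixed string, so operators cannot tell from the log which remote hosts are probing for the server list; including the requester's address in the message, for example "snprintf(ebuf, sizeof(ebuf), \"Illegal attempt to list servers from %s!\", inet_ntoa(ri->addr.sin_addr))" (inet_ntoa is already the kind of call gdomap has available given it works with struct in_addr), would make the rejected requests usable as a detection signal. The operator fixes at "@@ -419" and "@@ -3250" are correct and both are needed: with "&&" each operand collapses to 0 or 1, so any non-zero mask and any non-zero address compared equal and every remote address was treated as local, which is why the new guard could not rely on the old is_local_net() behaviour. The guard is placed before free(wi->buf) and the calloc of the reply buffer, so a rejected request produces no reply at all rather than a truncated one, which is what actually removes the amplification. One remaining point for the description header: it says is_local_net() "was always returning true", but strictly it returned true whenever mask, interface address and queried address were all non-zero, which in practice is every real address; the wording could say that.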
diff -Nru gnustep-base-1.24.9/debian/patches/series
gnustep-base-1.24.9/debian/patches/series
--- gnustep-base-1.24.9/debian/patches/series 2016-08-09 18:49:12.000000000
+0300
+++ gnustep-base-1.24.9/debian/patches/series 2019-10-09 19:25:53.000000000
+0300
@@ -19,3 +19,4 @@
fix-gdnc.patch
fix-tests-timings.patch
fix-test-icu2.patch
+gdomap-udp-amplification.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.12
Hi,
Each of the uploads referred to by these bugs was included in today's
oldstable point release.
Regards,
Adam
--- End Message ---