Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
gerbv is a utility for viewing Gerber RS-274X files, Excellon drill files, and CSV files for pick-and-place files. Gerber files are used for communicating printed circuit board (PCB) designs to PCB manufacturers.

[ Reason ]
The gerbv upstream project got in contact via the pkg-electronics-devel mailing list to inform us about a security issue in gerbv that was found by the Cisco Talos team. That issue got the CVE number CVE-2021-40391.

https://alioth-lists.debian.net/pipermail/pkg-electronics-devel/2021-November/008221.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40391

This issue was fixed with the release of version 2.7.1; bullseye was released with version 2.7.0, so this version is affected by the CVE. Debian testing and unstable are on version 2.8.1 for gerbv at the time of writing.

[ Impact ]
Users of the unpatched gerbv version from the bullseye release might be affected by unwanted code execution and lose data.

[ Tests ]
Currently there are no automated or manual tests available to check the fixing of this issue.

[ Risks ]
Nearly zero; the fix for this is quite non-intrusive and really small (basically it's just one line of code).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The whole change to get the CVE fixed is adding one line of code in the C file drill.c: within the function drill_parse_T_code() a 'return -1' is needed to solve the issue.

[ Other info ]
Anton Gladky from the LTS team did an upload of version 2.6.1-2+deb9u1 to fix this issue for Debian 9.
https://tracker.debian.org/news/1283553/accepted-gerbv-261-2deb9u1-source-into-oldoldstable/

The debdiff between the old version 2.7.0-2 in bullseye and the prepared version gerbv_2.7.0-2+deb11u1 is added here as it's not that big.
diff -Nru gerbv-2.7.0/debian/changelog gerbv-2.7.0/debian/changelog --- gerbv-2.7.0/debian/changelog 2020-06-07 10:01:13.000000000 +0200 +++ gerbv-2.7.0/debian/changelog 2021-12-05 09:14:05.000000000 +0100 @@ -1,3 +1,14 @@ +gerbv (2.7.0-2+deb11u1) bullseye; urgency=medium + + * Build for bullseye + * [e983451] Rebuild patch queue from patch-queue branch + Added patch: + security/Fix-TALOS-2021-1402.patch + Fixing CVE-2021-40391 + * [7d33020] d/gbp.conf: Adjust to branch debian/bullseye + + -- Carsten Schoenert <c.schoen...@t-online.de> Sun, 05 Dec 2021 09:14:05 +0100 + gerbv (2.7.0-2) unstable; urgency=medium [ أحمد المحمودي (Ahmed El-Mahmoudy) ] diff -Nru gerbv-2.7.0/debian/gbp.conf gerbv-2.7.0/debian/gbp.conf --- gerbv-2.7.0/debian/gbp.conf 2019-02-18 17:55:34.000000000 +0100 +++ gerbv-2.7.0/debian/gbp.conf 2021-12-05 09:14:05.000000000 +0100 @@ -5,7 +5,7 @@ pristine-tar = True # generate gz compressed orig.tar file compression = gz -debian-branch = debian/sid +debian-branch = debian/bullseye upstream-branch = upstream [pq] @@ -13,7 +13,7 @@ [dch] id-length = 7 -debian-branch = debian/sid +debian-branch = debian/bullseye [import-orig] # filter out unwanted files/dirs from upstream diff -Nru gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch --- gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch 2020-06-07 10:00:34.000000000 +0200 +++ gerbv-2.7.0/debian/patches/fixes/gcc10-extern.patch 2021-12-05 09:14:05.000000000 +0100 
@@ -1,4 +1,5 @@ -From: أحمد المحمودي (Ahmed El-Mahmoudy) <aelmahmo...@users.sourceforge.net> +From: =?utf-8?b?Itij2K3ZhdivINin2YTZhdit2YXZiNiv2YogKEFobWVkIEVsLU1haG1v?= + =?utf-8?b?dWR5KSI=?= <aelmahmo...@users.sourceforge.net> Date: Mon, 25 May 2020 20:05:28 +0200 Subject: use extern for global vars. diff -Nru gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch --- gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch 1970-01-01 01:00:00.000000000 +0100 +++ gerbv-2.7.0/debian/patches/security/Fix-TALOS-2021-1402.patch 2021-12-05 09:14:05.000000000 +0100 @@ -0,0 +1,27 @@ +From: eyal0 <109809+ey...@users.noreply.github.com> +Date: Tue, 26 Oct 2021 21:39:25 -0600 +Subject: Fix TALOS-2021-1402 + +See issue #30 + +This commit fixes CVE-2021-40391. Background information can be found on +this URL. +https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402 + +Forwarded: https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e +--- + src/drill.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/drill.c b/src/drill.c +index bc90524..414872d 100644 +--- a/src/drill.c ++++ b/src/drill.c +@@ -1115,6 +1115,7 @@ drill_parse_T_code(gerb_file_t *fd, drill_state_t *state, + _("Out of bounds drill number %d " + "at line %ld in file \"%s\""), + tool_num, file_line, fd->filename); ++ return -1; + } + + /* Set the current tool to the correct one */ diff -Nru gerbv-2.7.0/debian/patches/series gerbv-2.7.0/debian/patches/series --- gerbv-2.7.0/debian/patches/series 2020-06-07 10:00:34.000000000 +0200 +++ gerbv-2.7.0/debian/patches/series 2021-12-05 09:14:05.000000000 +0100 
@@ -6,3 +6,4 @@ fixes/man-page-fix-misspelled-excercise-exercise.patch fixes/Fix-Werror-format-security-problem.patch fixes/gcc10-extern.patch +security/Fix-TALOS-2021-1402.patch I've uploaded gerbv_2.7.0-2+deb11u1 with the target bullseye, please consider accepting this upload to get into the next point release. Thanks! Regards Carsten
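Review bot: the only change to fixes/gcc10-extern.patch is the `From:` header being rewritten into RFC 2047 encoded words (`=?utf-8?b?...?=`) because the patch queue was regenerated with gbp pq; it is harmless, but it is unrelated to the CVE fix and adds noise to a security-only stable update. Either keep the original UTF-8 `From: أحمد المحمودي (Ahmed El-Mahmoudy)` line as it was in 2.7.0-2, or say in d/changelog that the patch was re-exported so the release team does not have to wonder why an unrelated patch changed.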
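Review bot: the added `return -1;` in drill_parse_T_code() turns the out-of-bounds diagnostic into an early exit, but the call site is not in this hunk, so please confirm that every caller of drill_parse_T_code() treats -1 as a failure and stops processing the tool (or the file) instead of carrying on with state that was never set; the trailing context `/* Set the current tool to the correct one */` shows that without the return the code would go on to select a tool using the very number it just reported as out of bounds. One DEP-3 nit: the patch was taken from upstream commit 9f83950, so `Origin: backport, https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e` describes it better than `Forwarded:`, which is meant for a patch sent to upstream; a `Bug:` line pointing at the TALOS-2021-1402 report would also help anyone auditing the update later.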
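The pattern described under [ Changes ], as an added, constructed C illustration that is not gerbv's code: a tiny Excellon-style "T" code selector whose bounds check reports a bad tool number. The unfixed variant logs and falls through, so the out-of-range number is stored and would later index the tool table; the fixed variant adds the single `return -1` that makes the caller see a failure. `TOOLS_MAX`, `struct drill_state`, `select_tool_unfixed`, `select_tool_fixed` and `tool_after` are all names and layouts assumed for this example; the real drill_parse_T_code() signature and table layout are not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not gerbv's code: a minimal Excellon-style
 * tool selector. TOOLS_MAX and the state layout are assumptions. */
#define TOOLS_MAX 10

struct drill_state {
    double tool_diameter[TOOLS_MAX]; /* indexed by tool number */
    int    current_tool;             /* index into tool_diameter[] */
};

/* Parse a "T<n>" line into *tool_num. Returns 0 on success, -1 on bad syntax. */
static int parse_tool_number(const char *line, int *tool_num)
{
    char *end;
    long n;

    if (line == NULL || line[0] != 'T')
        return -1;
    n = strtol(line + 1, &end, 10);
    if (end == line + 1)              /* no digits after the 'T' */
        return -1;
    *tool_num = (int)n;
    return 0;
}

/* Shape of the bug: the range check only reports. Control falls through and
 * the rejected number is stored as current_tool, so any later
 * tool_diameter[current_tool] access would read or write past the array. */
static int select_tool_unfixed(struct drill_state *st, const char *line, long file_line)
{
    int tool_num;

    if (parse_tool_number(line, &tool_num) != 0)
        return -1;
    if (tool_num < 0 || tool_num >= TOOLS_MAX) {
        fprintf(stderr, "Out of bounds drill number %d at line %ld\n", tool_num, file_line);
        /* missing here: return -1; */
    }
    st->current_tool = tool_num;      /* runs even after the error above */
    return 0;
}

/* Shape of the fix: the same check plus the one-line early return, so the
 * caller sees a failure and current_tool is never set to a bad index. */
static int select_tool_fixed(struct drill_state *st, const char *line, long file_line)
{
    int tool_num;

    if (parse_tool_number(line, &tool_num) != 0)
        return -1;
    if (tool_num < 0 || tool_num >= TOOLS_MAX) {
        fprintf(stderr, "Out of bounds drill number %d at line %ld\n", tool_num, file_line);
        return -1;                    /* the added line */
    }
    st->current_tool = tool_num;
    return 0;
}

/* Run one line through a selector on a fresh state and return the tool index
 * the state holds afterwards, or -1 if the selector rejected the line. */
static int tool_after(int (*select)(struct drill_state *, const char *, long),
                      const char *line)
{
    struct drill_state st;

    memset(&st, 0, sizeof st);
    if (select(&st, line, 1) != 0)
        return -1;
    return st.current_tool;
}

int main(void)
{
    /* Constructed input: a tool number past the end of a 10-entry table. */
    const char *bad = "T12";

    printf("unfixed stores current_tool = %d (table size %d)\n",
           tool_after(select_tool_unfixed, bad), TOOLS_MAX);
    printf("fixed   returns %d\n", tool_after(select_tool_fixed, bad));
    return 0;
}
```

The point the example makes is the one the [ Changes ] section states: the diagnostic was already there, and what was missing was the control-flow consequence. A reviewer checking a backport of this kind looks at what happens after the error message, not at the message itself.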