Your message dated Sat, 31 Aug 2024 12:34:14 +0100
with message-id 
<9e3e8b8cd0db3b52d4adb2cfad04baa007c8e3e8.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 12.7
has caused the Debian Bug report #1066965,
regarding bookworm-pu: package newlib/3.3.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1066965: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066965
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org

The <URL: https://tracker.debian.org/pkg/newlib > package got an open
security problem with malloc and friends in stable and oldstable, see
<URL: https://bugs.debian.org/984446 > for the CVE issue.  The package
is orphaned.

I would like to fix the bug at least in stable, and propose the
following upload.  The change is already in the git repo on salsa in the
debian/bookworm branch.  The problem is already fixed in unstable and
testing with a new version of the upstream code.  The fix to stable is
only the minimal patch to solve the issue.

I propose to use the version number 3.3.0-2, but am open to better
proposals.  The version in testing is 4.4.0.20231231-2.

Complete proposed patch is below:

diff --git a/debian/changelog b/debian/changelog
index b3e3ef851..1c8ddc5cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+newlib (3.3.0-2) bookworm; urgency=medium
+
+  * QA upload.
+  * Orphan package to reflect status in Unstable.
+  * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
+    check in malloc and friends.
+
+ -- Petter Reinholdtsen <p...@debian.org>  Sat, 16 Mar 2024 08:53:41 +0100
+
 newlib (3.3.0-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
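Review bot: the new changelog entry names the CVE only through the patch file name ("* Added mallocr-CVE-2021-3420.patch to solve incorrect overflow / check in malloc and friends.") and does not reference the Debian bug the cover mail cites for this issue, #984446; consider appending "(Closes: #984446)" to that item and spelling out CVE-2021-3420 in the text, so the BTS and the security tracker can associate the bookworm version with the fix without reading the patch directory.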
diff --git a/debian/control b/debian/control
index ff12d0bc5..4daa4e559 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
 Source: newlib
 Section: devel
 Priority: optional
-Maintainer: Agustin Henze <t...@debian.org>
+Maintainer: Debian QA Group <packa...@qa.debian.org>
 Build-Depends:
  debhelper (>= 9),
  texinfo,
diff --git a/debian/gbp.conf b/debian/gbp.conf
index f4a0824a9..04f21b160 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 merge = True
+debian-branch = debian/bookworm
 
 [import-orig]
 postimport = gbp dch --debian-branch=$GBP_BRANCH 
--new-version=$GBP_DEBIAN_VERSION
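Review bot: the `postimport` context line is mail-wrapped across two lines here ("postimport = gbp dch --debian-branch=$GBP_BRANCH" / "--new-version=$GBP_DEBIAN_VERSION"), as are several other long lines of this inline diff, so the patch as pasted will not apply with `git am` or `patch`; reviewers should take the change from the debian/bookworm branch on salsa mentioned in the cover mail, or from an attached file, rather than from this text. The added `debian-branch = debian/bookworm` itself is the right setting for a branch that only receives stable uploads.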
diff --git a/debian/patches/mallocr-CVE-2021-3420.patch 
b/debian/patches/mallocr-CVE-2021-3420.patch
new file mode 100644
index 000000000..cd93fa41e
--- /dev/null
+++ b/debian/patches/mallocr-CVE-2021-3420.patch
@@ -0,0 +1,50 @@
+From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
+From: Corinna Vinschen <vinsc...@redhat.com>
+Date: Tue, 17 Nov 2020 10:50:57 +0100
+Subject: malloc/nano-malloc: correctly check for out-of-bounds allocation reqs
+Origin: 
https://keithp.com/cgit/picolibc.git/patch/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
+Forwarded: not-needed
+
+The overflow check in mEMALIGn erroneously checks for INT_MAX,
+albeit the input parameter is size_t.  Fix this to check for
+__SIZE_MAX__ instead.  Also, it misses to check the req against
+adding the alignment before calling mALLOc.
+
+While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
+nano_valloc, and Cygwin's (unused) dlpvalloc.
+
+Signed-off-by: Corinna Vinschen <cori...@vinschen.de>
+---
+ newlib/libc/stdlib/mallocr.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+(limited to 'newlib/libc/stdlib/mallocr.c')
+
+diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
+index 9ad720ada..13d014cc8 100644
+--- a/newlib/libc/stdlib/mallocr.c
++++ b/newlib/libc/stdlib/mallocr.c
+@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t 
alignment; size_t bytes;
+   nb = request2size(bytes);
+ 
+   /* Check for overflow. */
+-  if (nb > INT_MAX || nb < bytes)
++  if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
+   {
+     RERRNO = ENOMEM;
+     return 0;
+@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
+ #endif
+ {
+   size_t pagesize = malloc_getpagesize;
++  if (bytes > __SIZE_MAX__ - pagesize)
++  {
++    RERRNO = ENOMEM;
++    return 0;
++  }
+   return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
+ }
+ 
+-- 
+cgit v1.2.3
+
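Review bot: the upstream commit message says the fix also adds out-of-bounds checks to nano_memalign and nano_valloc, but the cherry-picked diff is explicitly "(limited to 'newlib/libc/stdlib/mallocr.c')", so nano-mallocr.c stays unpatched even though the series carries fix-include-paths-nano-specs.patch and newlib-nano is evidently part of this build; either carry the nano-mallocr.c part of the upstream commit too or say in the patch header why it is out of scope for this update. Two smaller points on the mEMALIGn hunk: the new check `nb > __SIZE_MAX__ - (alignment + MINSIZE)` is only sound if `alignment + MINSIZE` cannot itself wrap, which depends on alignment having been bounded earlier in mEMALIGn and is not visible in the hunk context, so that should be confirmed when applying; and the Origin: header points at the picolibc cgit mirror of the commit rather than at newlib's own repository, so a newlib upstream URL for aa106b29a6a8a1b0df9e334704292cbc32f2d44e would make provenance easier to verify.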
diff --git a/debian/patches/series b/debian/patches/series
index 3de9ae1fa..4b7d26190 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 reproducible-builds-locale.patch
 fix-include-paths-nano-specs.patch
+mallocr-CVE-2021-3420.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.7

Hi,

Each of these bugs relates to an update included in today's bookworm
12.7 point release.

Regards,

Adam

--- End Message ---