(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
hi,

today four packages were unclaimed for LTS:
- glib2.0 (Emilio)
- golang-1.7 (Sylvain Beucler)
- golang-1.8 (Sylvain Beucler)
- xmlbeans (Roberto C. Sánchez)

and two for ELTS:
- glib2.0 (Emilio)
- golang (Sylvain Beucler)

No one claimed 4 packages or more.

Three DLAs which already had been reserved last week have not yet been published:
- DLA 2553-2 (08 Mar 2021) (xcftools)
- DLA 2586-1 (08 Mar 2021) (linux)
- DLA 2557-1 (12 Feb 2021) (linux-4.19)

--
cheers,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
privoxy stretch package 3.0.26-3+deb9u2 prepared
Hi!

(please Cc: me in reply, since I'm not subscribed to debian-lts)

Privoxy upstream just released version 3.0.32, which fixes five new CVEs, which are also reported at security-tracker.

I prepared a package that fixes CVE-2021-20272, CVE-2021-20273, CVE-2021-20275, and CVE-2021-20276. CVE-2021-20274 is missing, since this affects code that was introduced in 3.0.29, so the stretch package is not affected, since we shipped 3.0.26 in stretch. I requested on IRC #debian-security to tag stretch and buster as not affected for this CVE.

Since all other CVEs are tagged "minor issue" on security-tracker, I'm not sure whether it's worth doing an LTS upload for this. If you think so, feel free to use it or tell me what I have to do to upload it...

A patch against 3.0.26-3+deb9u1 is attached.

Salsa pipeline was successful with this: https://salsa.debian.org/debian/privoxy/-/pipelines/237014 including the testsuite.

Greetings
Roland

diff -Nru privoxy-3.0.26/debian/changelog privoxy-3.0.26/debian/changelog --- privoxy-3.0.26/debian/changelog 2021-02-06 21:42:01.0 +0100 +++ privoxy-3.0.26/debian/changelog 2021-03-08 14:11:04.0 +0100 
@@ -1,3 +1,17 @@ +privoxy (3.0.26-3+deb9u2) stretch-security; urgency=medium + + * 49_CVE-2021-20272: ssplit(): Remove an assertion that could be +triggered with a crafted CGI request (CVE-2021-20272). + * 50_CVE-2021-20273: cgi_send_banner(): Overrule invalid image types. +Prevents a crash with a crafted CGI request if Privoxy is toggled off +(CVE-2021-20273). + * 51_CVE-2021-20275: chunked_body_is_complete(): Prevent invalid read of +size two (CVE-2021-20275). + * 52_CVE-2021-20276: Obsolete pcre: Prevent invalid memory accesses +(CVE-2021-20276). + + -- Roland Rosenfeld Mon, 08 Mar 2021 14:11:04 +0100 + privoxy (3.0.26-3+deb9u1) stretch-security; urgency=medium * 38_CVE-2021-20217: Prevent an assertion by a crafted CGI request diff -Nru privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch --- privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.26/debian/patches/49_CVE-2021-20272.patch 2021-03-08 14:11:04.0 +0100 
@@ -0,0 +1,32 @@ +commit 2256d7b4d67dd9c364386877d5af59943433458b +Author: Fabian Keil +Date: Wed Feb 3 19:08:20 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=2256d7b4d67 +Subject: ssplit(): Remove an assertion that could be triggered with a crafted + CGI request (CVE-2021-20272). + +This reverts dc4e311bcf. + +OVE-20210203-0001. + +Reported by: Joshua Rogers (Opera) + +--- a/ssplit.c b/ssplit.c +@@ -37,7 +37,6 @@ const char ssplit_rcs[] = "$Id: ssplit.c + + #include + #include +-#include + + #include "ssplit.h" + #include "miscutil.h" +@@ -153,8 +152,6 @@ int ssplit(char *str, const char *delim, + } +} +/* null terminate the substring */ +- /* XXX: this shouldn't be necessary, so assert that it isn't. */ +- assert(*str == '\0'); +*str = '\0'; + +return(vec_count); diff -Nru privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch --- privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.26/debian/patches/50_CVE-2021-20273.patch 2021-03-08 14:11:04.0 +0100 
@@ -0,0 +1,28 @@ +commit e711c505c4830ab271938d61af90a2075523f058 +Author: Fabian Keil +Date: Sat Feb 6 20:43:06 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=e711c505c48 +Subject: cgi_send_banner(): Overrule invalid image types. Prevents a crash with + a crafted CGI request if Privoxy is toggled off.(CVE-2021-20273). + +OVE-20210206-0001. + +Reported by: Joshua Rogers (Opera) + +--- a/cgisimple.c b/cgisimple.c +@@ -468,6 +468,14 @@ jb_err cgi_send_banner(struct client_sta + { +char imagetype = lookup(parameters, "type")[0]; + ++ if (imagetype != 'a' && imagetype != 'b' && ++ imagetype != 'p' && imagetype != 't') ++ { ++ log_error(LOG_LEVEL_ERROR, "Overruling invalid image type '%c'.", ++ imagetype); ++ imagetype = 'p'; ++ } ++ +/* + * If type is auto, then determine the right thing + * to do from the set-image-blocker action diff -Nru privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch --- privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch 1970-01-01 01:00:00.0 +0100 +++ privoxy-3.0.26/debian/patches/51_CVE-2021-20275.patch 2021-03-08 14:11:04.0 +0100 @@ -0,0 +1,26 @@ +commit a912ba7bc9ce5855a810d09332e9d94566ce1521 +Author: Fabian Keil +Date: Fri Feb 5 05:06:56 2021 +0100 +Applied-Upstream: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=a912ba7bc9c +Subject: chunked_body_is_complete(): Prevent invalid read of size two + (CVE-2021-20275).
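Review bot: the debian/changelog hunk (`@@ -1,3 +1,17 @@`) lists the four fixed CVEs but says nothing about CVE-2021-20274, which the cover mail explains does not apply because the affected code only appeared in 3.0.29; add a line such as `* CVE-2021-20274 does not affect 3.0.26 (vulnerable code introduced in 3.0.29).` so the upload is self-explanatory to anyone reading the changelog or the DLA without the list thread.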
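Review bot: in 49_CVE-2021-20272.patch the second hunk (`@@ -153,8 +152,6 @@`) only deletes `assert(*str == '\0');` and its XXX comment while keeping the unconditional `*str = '\0';`, so a crafted CGI request now gets its substring terminated instead of aborting the daemon; that is the intended fix, but the first hunk (`@@ -37,7 +37,6 @@`) also drops an `#include` whose header name was lost in this copy (presumably the assert header), so check that no other assert() remains in ssplit.c before upload, otherwise the stretch build breaks where upstream's did not.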
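Review bot: the new guard in cgi_send_banner() (50_CVE-2021-20273.patch) rewrites every `imagetype` outside `'a'`, `'b'`, `'p'`, `'t'` to `'p'` and logs at LOG_LEVEL_ERROR; if lookup() returns an empty string for a missing `type=` parameter, `imagetype` is `'\0'` and a request with no `type` at all now also takes the "invalid image type" path, so verify that the pattern image was already the default for that case and accept that an unauthenticated client can fill the error log at will with this message.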
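Review bot: 51_CVE-2021-20275.patch is cut off after its DEP-3 header in this message and 52_CVE-2021-20276.patch does not appear at all, so the chunked_body_is_complete() read fix and the pcre memory-access fix named in the changelog cannot be reviewed from the quoted text; those two need to be checked against the attached debdiff or the Salsa branch behind the pipeline link above.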
Re: privoxy stretch package 3.0.26-3+deb9u2 prepared
Hi!

Thanks for preparing an LTS fix for privoxy.

For reference, our full procedure is documented at:
https://wiki.debian.org/LTS/Development

To answer your points:

- The debdiff looks good to me

- Salvatore updated the CVE-2021-20274 status accordingly

- 'minor issue' means there is no immediate urgency, so the buster/stable fixes may be delayed to a point release.
  LTS does not have a point release system, so an LTS upload sounds good.

- Abhijith (in Cc:) announced his intention to work on the package yesterday [1]; you probably can coordinate with him for the next steps, in particular who will take care of sending the e-mail and website announcements.
  [1] https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

- If you plan to work on future LTS updates of privoxy and would like to be contacted before the LTS team starts working on an update, let us know and we'll add you in [2]
  [2] https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me

Cheers!
Sylvain

On 08/03/2021 14:38, Roland Rosenfeld wrote:
> Hi!
>
> (please Cc: me in reply, since I'm not subscribed to debian-lts)
>
> Privoxy upstream just released version 3.0.32, which fixes five new CVEs, which are also reported at security-tracker.
>
> I prepared a package that fixes CVE-2021-20272, CVE-2021-20273, CVE-2021-20275, and CVE-2021-20276. CVE-2021-20274 is missing, since this affects code that was introduced in 3.0.29, so the stretch package is not affected, since we shipped 3.0.26 in stretch. I requested on IRC #debian-security to tag stretch and buster as not affected for this CVE.
>
> Since all other CVEs are tagged "minor issue" on security-tracker, I'm not sure whether it's worth doing an LTS upload for this. If you think so, feel free to use it or tell me what I have to do to upload it...
>
> A patch against 3.0.26-3+deb9u1 is attached.
>
> Salsa pipeline was successful with this: https://salsa.debian.org/debian/privoxy/-/pipelines/237014 including the testsuite.
>
> Greetings
> Roland
LTS report for February 2021 - Abhijith PA
February was my 36th month as a Debian LTS paid contributor. I had a total of 19h (assigned and carried from last month). I spent all of them on the following:

* python-pysaml2: Fixed CVE-2017-1000433, CVE-2021-21239. Marked CVE-2021-21238 as ignored[1]. Kept other issues as they are due to invasive changes. DLA 2577-1[2].

* spip: Fixed TEMP-000-803658[3]. Backported all related patches from buster. DLA 2579-1[4].

* mqtt-client: Included mqtt-client in CVE-2019-0222. Fixed and released DLA 2582-1[5].

* activemq: Fixed CVE-2017-15709 CVE-2018-11775 CVE-2019-0222 CVE-2021-26117. Thanks to Markus for testing the build. DLA 2583-1[6].

* libcaca: Fixed CVE-2021-3410. Tested against PoC[7]. DLA 2584-1[8].

* jackson-dataformat-cbor: Marked CVE-2020-28491 as no-dsa, though the fix is backported and tests are adjusted. Patch[9]

* 01/03 - 07/03, 1 week of front desk duty.

Regards
Abhijith PA

[1] - https://security-tracker.debian.org/tracker/CVE-2021-21238
[2] - https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
[3] - https://security-tracker.debian.org/tracker/TEMP-000-803658
[4] - https://lists.debian.org/debian-lts-announce/2021/03/msg1.html
[5] - https://lists.debian.org/debian-lts-announce/2021/03/msg4.html
[6] - https://lists.debian.org/debian-lts-announce/2021/03/msg5.html
[7] - https://bugzilla.redhat.com/attachment.cgi?id=1756895
[8] - https://lists.debian.org/debian-lts-announce/2021/03/msg6.html
[9] - https://people.debian.org/~abhijith/CVE-2020-28491.txt
Re: privoxy stretch package 3.0.26-3+deb9u2 prepared
Hello

On 08/03/21 05:16 PM, Sylvain Beucler wrote:
> Hi!
>
> Thanks for preparing an LTS fix for privoxy.
>
> For reference, our full procedure is documented at:
> https://wiki.debian.org/LTS/Development
>
> To answer your points:
>
> - The debdiff looks good to me
>
> - Salvatore updated the CVE-2021-20274 status accordingly
>
> - 'minor issue' means there is no immediate urgency, so the buster/stable
>   fixes may be delayed to a point release.
>   LTS does not have a point release system, so an LTS upload sounds good.
>
> - Abhijith (in Cc:) announced his intention to work on the package yesterday
>   [1]; you probably can coordinate with him for the next steps, in particular
>   who will take care of sending the e-mail and website announcements.
>   [1]
>   https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

Roland, thanks again for the patch. I can see that the last LTS update (3.0.26-3+deb9u1) was done by you. Hope you can upload this time as well. If not, let me know. I am happy to help. Once uploaded to the archive I will take care of the DLA and announcements.

--abhijith
CVE-2021-3121 stretch patch review request and request for test help
Hi

I have prepared a patch for CVE-2021-3121 described in:
https://security-tracker.debian.org/tracker/CVE-2021-3121

You can find the patch here:
http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch

The patch is based on the following commit:
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc

My conclusion is that the field function in stretch is unaffected. The reason is that there is no skippy check there at all in the stretch version. For the generate function the iNdEx check was not in place, so I added it, similar to the patch.

I do have a problem, and that is to check whether the code introduces some regression issue. Also, since the CVE lacks a description of the effect of this problem, I have little knowledge of what the result of this may be.

Therefore I would highly appreciate a description of what this problem is and how to regression test the package.

Thank you in advance!

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ---
| o...@inguza.com                      o...@debian.org           |
| http://inguza.com/                   Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
Re: CVE-2020-36193 php-pear vs drupal7
Hi Salvatore, Gunnar, all

When looking further into this issue I do not think drupal7 is completely fixed.
The drupal7 package includes the following fix:
+if (strpos(realpath(dirname($v_header['link'])), realpath($p_path)) !== 0) {

But it is missing the depth check
https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf

Or is it something that makes that depth check unnecessary?

I'm asking since I'm looking into the php-pear fix and it should be very similar to the drupal 7 fix.

Cheers

// Ola

On Thu, 25 Feb 2021 at 23:04, Ola Lundqvist wrote:
> Great! Thank you all for the good answers.
>
> // Ola
>
> On Thu, 25 Feb 2021 at 10:53, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> On Thu, Feb 25, 2021 at 09:09:08AM +, Chris Lamb wrote:
>> > Morning Ola,
>> >
>> > > Today I looked at CVE-2020-36193 since we have php-pear in dla-needed.
>> > > The thing is that this CVE tells that drupal7 is also vulnerable but
>> > > drupal7 is not in dla-needed.txt.
>> >
>> > It may be that drupal7 was not marked as being vulnerable to
>> > CVE-2020-36193 at the time of triage. After all, the code copy of
>> > Tar.php (in "system.tar.inc") is very slightly hidden. I would go
>> > ahead and add drupal7 as well -- a very quick glance suggests that it
>> > is, indeed, vulnerable.
>>
>> The specific issue was already fixed in drupal7 by Gunnar's upload in
>> DLA 2530-1.
>>
>> Regards,
>> Salvatore
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology ---
> | o...@inguza.com                      o...@debian.org           |
> | http://inguza.com/                   Mobile: +46 (0)70-332 1551 |
>  ---------------------------------------------------------------

--
 --- Inguza Technology AB --- MSc in Information Technology ---
| o...@inguza.com                      o...@debian.org           |
| http://inguza.com/                   Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
Re: CVE-2020-36193 php-pear vs drupal7
Hello Ola, Salvatore, Chris et al.!

Ola Lundqvist wrote [Mon, Mar 08, 2021 at 11:51:35PM +0100]:
> Hi Salvatore, Gunnar, all
>
> When looking further into this issue I do not think drupal7 is completely
> fixed.
> The drupal7 package includes the following fix:
> +if (strpos(realpath(dirname($v_header['link'])),
> realpath($p_path)) !== 0) {
>
> But it is missing the depth check
> https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
>
> Or is it something that makes that depth check unnecessary?
>
> I'm asking since I'm looking into the php-pear fix and it should be very
> similar to the drupal 7 fix.

Umh... Did you consider the following patch?
https://salsa.debian.org/debian/drupal7/-/blob/stretch/debian/patches/SA-CORE-2021-001

I understand, but will admit that I didn't dig deep at all, that the Drupal7 team considers this as fixed WRT CVE-2020-36193. But, of course, my handling of this issue was basically only backporting the (very simple) diff in question from their 7.78 to our 7.52.

Greetings,