Bug#988278: [pre-approval] unblock: libgetdata/0.10.0-10
Anton Gladky
2021-05-09 12:50:01 UTC
Package: release.debian.org
Severity: normal
User: ***@packages.debian.org
Usertags: unblock


Dear release team,

This is the pre-approval request for libgetdata/0.10.0-10.

It fixes CVE-2021-20204 (#988239). It is not a release-critical bug,
but a security issue. The diff is attached.

Thanks

unblock libgetdata/0.10.0-10
Debian Bug Tracking System
2021-05-10 20:40:02 UTC
tags -1 moreinfo
Bug #988278 [release.debian.org] [pre-approval] unblock: libgetdata/0.10.0-10
Added tag(s) moreinfo.
--
988278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988278
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Sebastian Ramacher
2021-05-10 20:40:02 UTC
Control: tags -1 moreinfo
Post by Anton Gladky
Package: release.debian.org
Severity: normal
Usertags: unblock
Dear release team,
This is the pre-approval request for libgetdata/0.10.0-10.
It fixes CVE-2021-20204 (#988239). It is not a release-critical bug,
but a security issue. The diff is attached.
Thanks
unblock libgetdata/0.10.0-10
diff --git a/debian/changelog b/debian/changelog
index 2c30a9c..514058c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libgetdata (0.10.0-10) unstable; urgency=medium
+
+ * Team upload.
+ * [4ee5ad0] Fix CVE-2021-20204. (Closes: #988239)
+
+
libgetdata (0.10.0-9) unstable; urgency=medium
* Fix FTBFFS on binary-all build (missing file). Closes: #966522
diff --git a/debian/patches/CVE-2021-20204.patch b/debian/patches/CVE-2021-20204.patch
new file mode 100644
index 0000000..08bb876
--- /dev/null
+++ b/debian/patches/CVE-2021-20204.patch
@@ -0,0 +1,18 @@
+Description: Raise error if returned first_raw in _GD_ParseFieldSpec is NULL
+ Fix for CVE-2021-20204
+Bug-Debian: https://bugs.debian.org/988239
+Last-Update: 2021-05-09
+
+--- libgetdata-0.10.0.orig/src/parse.c
++++ libgetdata-0.10.0/src/parse.c
+ if (D->error == GD_E_OK && !match)
+ first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols, strlen(in_cols[0]),
+ NULL, me, 0, 1, &outstring, tok_pos);
++ if (first_raw == NULL) {
++ _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0, NULL);
++ }
Is it intentional that the newly added if is evaluated in any case, or is
this patch missing curly brackets for the body of "if (D->error ==
GD_E_OK && !match)"?

Cheers
Post by Anton Gladky
+
+ if (D->error == GD_E_FORMAT) {
+ /* call the callback for this error */
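Review bot: in the src/parse.c hunk the new `if (first_raw == NULL)` is placed after a brace-less `if (D->error == GD_E_OK && !match)`, so it executes on every path, including the two where `_GD_ParseFieldSpec` is never called (an error already recorded in `D->error`, or `match` being set); on those paths it tests whatever `first_raw` held before the call site and can either set GD_E_BAD_DIRFILE spuriously or replace the error that caused the call to be skipped. Suggest giving the outer if a braced body so the check only judges the value the parser actually returned: `if (D->error == GD_E_OK && !match) {` / `first_raw = _GD_ParseFieldSpec(...); if (first_raw == NULL) { _GD_SetError(...); }` / `}`. Separately, the DEP-3 header carries Description, Bug-Debian and Last-Update but no Origin, Author or Forwarded field, so a reader cannot tell whether this is the upstream fix or a Debian-local one and whether upstream has been sent it; please add those fields.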
diff --git a/debian/patches/series b/debian/patches/series
index 24c0911..cc09615 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
#python3.patch
+CVE-2021-20204.patch
--
Sebastian Ramacher
Sebastian Ramacher
2021-05-10 20:50:01 UTC
Control: tags -1 confirmed
Control: tags -1 -moreinfo
Hi Sebastian,
Thanks for looking into this issue. Yes, it is intentional. We should always check whether first_raw is NULL or not.
Then please go ahead.

Cheers
I have reproduced the issue in the CI-pipeline [1], and the proposed patch fixes the issue [2]: no more segfault, just an error message due to exploit.
[1] https://salsa.debian.org/science-team/libgetdata/-/jobs/1631525
[2] https://salsa.debian.org/science-team/libgetdata/-/jobs/1633848
Anton
On Mon, 10 May 2021 at 22:27, Sebastian Ramacher <
<skip>
Post by Anton Gladky
Post by Anton Gladky
+--- libgetdata-0.10.0.orig/src/parse.c
++++ libgetdata-0.10.0/src/parse.c
+ if (D->error == GD_E_OK && !match)
+ first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols,
strlen(in_cols[0]),
Post by Anton Gladky
+ NULL, me, 0, 1, &outstring, tok_pos);
++ if (first_raw == NULL) {
++ _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0,
NULL);
Post by Anton Gladky
++ }
Is it intentional that the newly added if is evaluated in any case, or is
this patch missing curly brackets for the body of "if (D->error ==
GD_E_OK && !match)"?
--
Sebastian Ramacher
Anton Gladky
2021-05-11 18:40:01 UTC
Sebastian, I have double-checked the code, and you are probably right.
It is better to put this if-check into the internal scope of "(D->error == GD_E_OK && !match)".
The pipeline has passed, so I will upload it to unstable.

Thanks again.

Anton


On Mon, 10 May 2021 at 22:42, Sebastian Ramacher <
Post by Sebastian Ramacher
Control: tags -1 confirmed
Control: tags -1 -moreinfo
Hi Sebastian,
Thanks for looking into this issue. Yes, it is intentional. We should always check whether first_raw is NULL or not.
Then please go ahead.
Cheers
I have reproduced the issue in the CI-pipeline [1], and the proposed patch fixes the issue [2]: no more segfault, just an error message due to exploit.
[1] https://salsa.debian.org/science-team/libgetdata/-/jobs/1631525
[2] https://salsa.debian.org/science-team/libgetdata/-/jobs/1633848
Anton
On Mon, 10 May 2021 at 22:27, Sebastian Ramacher <
<skip>
Post by Anton Gladky
Post by Anton Gladky
+--- libgetdata-0.10.0.orig/src/parse.c
++++ libgetdata-0.10.0/src/parse.c
+ if (D->error == GD_E_OK && !match)
+ first_raw = _GD_ParseFieldSpec(D, p, n_cols, in_cols,
strlen(in_cols[0]),
Post by Anton Gladky
+ NULL, me, 0, 1, &outstring, tok_pos);
++ if (first_raw == NULL) {
++ _GD_SetError(D, GD_E_BAD_DIRFILE, GD_E_ENTRY_TYPE, NULL, 0,
NULL);
Post by Anton Gladky
++ }
Is it intentional that the newly added if is evaluated in any case, or is
this patch missing curly brackets for the body of "if (D->error ==
GD_E_OK && !match)"?
--
Sebastian Ramacher
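The scoping question settled in the exchange above, shown as an added C model that is not getdata's code: the error codes, `parse_field_spec`, `check_outside`, `check_inside`, the `run_*` helpers and the sample field specs are all constructed for this demo (the enum names echo those in the patch, their values do not). `check_outside` mirrors the first revision of the patch, with the NULL check after a brace-less `if`; `check_inside` mirrors the revision Anton agreed to upload. Each variant is run from a chosen prior error state so the two paths where the parser is skipped (a match already found, or an earlier error already recorded) can be compared side by side.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed error codes for this demo; the names echo the Debian patch
 * (GD_E_OK, GD_E_BAD_DIRFILE, GD_E_FORMAT) but the values are placeholders. */
enum { GD_E_OK = 0, GD_E_FORMAT = 1, GD_E_BAD_DIRFILE = 2 };

struct dirfile { int error; };

/* Hypothetical stand-in for _GD_ParseFieldSpec: a field spec needs at least
 * a name and a type token ("name RAW"); anything else is rejected by
 * returning NULL, which the caller must never dereference. */
static const char *parse_field_spec(struct dirfile *D, const char *spec)
{
    (void)D;
    if (spec == NULL || strchr(spec, ' ') == NULL)
        return NULL;
    return spec;
}

/* Variant A: NULL check outside the brace-less if, as in the first revision
 * of the patch. It runs on every path, even when the parser was never called. */
static int check_outside(struct dirfile *D, const char *spec, int match)
{
    const char *first_raw = NULL;  /* stale or indeterminate in real code */
    if (D->error == GD_E_OK && !match)
        first_raw = parse_field_spec(D, spec);
    if (first_raw == NULL) {
        D->error = GD_E_BAD_DIRFILE;   /* stands in for _GD_SetError(...) */
    }
    return D->error;
}

/* Variant B: the check sits inside the braces, so it only judges the value
 * the parser actually returned and never touches an earlier error. */
static int check_inside(struct dirfile *D, const char *spec, int match)
{
    const char *first_raw = NULL;
    if (D->error == GD_E_OK && !match) {
        first_raw = parse_field_spec(D, spec);
        if (first_raw == NULL) {
            D->error = GD_E_BAD_DIRFILE;
        }
    }
    return D->error;
}

/* Run one variant from a given prior error state and return the error left
 * behind, so each scenario can be checked in isolation. */
int run_outside(int prior_error, const char *spec, int match)
{
    struct dirfile D = { prior_error };
    return check_outside(&D, spec, match);
}

int run_inside(int prior_error, const char *spec, int match)
{
    struct dirfile D = { prior_error };
    return check_inside(&D, spec, match);
}

int main(void)
{
    /* Constructed scenarios: the two middle ones are where the variants diverge. */
    struct { int prior; const char *spec; int match; const char *what; } cases[] = {
        { GD_E_OK,     "",         0, "malformed spec, parser called"  },
        { GD_E_OK,     "data RAW", 1, "already matched, parser skipped" },
        { GD_E_FORMAT, "data RAW", 0, "earlier error, parser skipped"   },
        { GD_E_OK,     "data RAW", 0, "valid spec, parser called"       },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-34s outside=%d inside=%d\n", cases[i].what,
               run_outside(cases[i].prior, cases[i].spec, cases[i].match),
               run_inside(cases[i].prior, cases[i].spec, cases[i].match));
    }
    return 0;
}
```

Both variants reject a malformed spec and accept a valid one, so a test that only feeds the parser bad input would pass either way; the difference only appears when the outer condition is false, where the outside variant reports GD_E_BAD_DIRFILE for a perfectly good dirfile and overwrites a GD_E_FORMAT that was set earlier.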
Debian Bug Tracking System
2021-05-10 20:50:01 UTC
Post by Sebastian Ramacher
tags -1 confirmed
Bug #988278 [release.debian.org] [pre-approval] unblock: libgetdata/0.10.0-10
Added tag(s) confirmed.
--
988278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988278
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2021-05-11 20:10:02 UTC
Your message dated Tue, 11 May 2021 20:08:19 +0000
with message-id <E1lgYfz-0003sp-***@respighi.debian.org>
and subject line unblock libgetdata
has caused the Debian Bug report #988278,
regarding [pre-approval] unblock: libgetdata/0.10.0-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
988278: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988278
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems