Bug#890125: jessie-pu: package uwsgi/2.0.7-1+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi
The attached debdiff adresses CVE-2018-6758 / 889753 for uwsgi in
jessie. Cf.
http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html . The
issue does not warrant a DSA.
+uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+ (Closes: #889753)
Can it be considered for the upcoming jessie point release?
Regards,
Salvatore
diff -Nru uwsgi-2.0.7/debian/changelog uwsgi-2.0.7/debian/changelog
--- uwsgi-2.0.7/debian/changelog 2017-02-19 22:17:18.000000000 +0100
+++ uwsgi-2.0.7/debian/changelog 2018-02-06 21:39:42.000000000 +0100
@@ -1,3 +1,11 @@
+uwsgi (2.0.7-1+deb8u2) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in uwsgi_expand_path function (CVE-2018-6758)
+ (Closes: #889753)
+
+ -- Salvatore Bonaccorso <carnil@debian.org> Tue, 06 Feb 2018 21:39:42 +0100
+
uwsgi (2.0.7-1+deb8u1) jessie; urgency=medium
* Add patch cherry-picked upstream to fix compilation with recent
diff -Nru uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
--- uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 1970-01-01 01:00:00.000000000 +0100
+++ uwsgi-2.0.7/debian/patches/0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch 2018-02-06 21:39:42.000000000 +0100
@@ -0,0 +1,46 @@
+From: Unbit <info@unbit.it>
+Date: Tue, 6 Feb 2018 16:01:47 +0100
+Subject: improve uwsgi_expand_path() to sanitize input, avoiding stack
+ corruption and potential security issue
+Origin: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
+Bug-Debian: https://bugs.debian.org/889753
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-6758
+
+---
+ core/utils.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/core/utils.c b/core/utils.c
+index b4c98dfd..fd886932 100644
+--- a/core/utils.c
++++ b/core/utils.c
+@@ -3674,9 +3674,12 @@ void uwsgi_write_pidfile_explicit(char *pidfile_name, pid_t pid) {
+ }
+
+ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+- char src[PATH_MAX + 1];
+- memcpy(src, dir, dir_len);
+- src[dir_len] = 0;
++ if (dir_len > PATH_MAX)
++ {
++ uwsgi_log("invalid path size: %d (max %d)\n", dir_len, PATH_MAX);
++ return NULL;
++ }
++ char *src = uwsgi_concat2n(dir, dir_len, "", 0);
+ char *dst = ptr;
+ if (!dst)
+ dst = uwsgi_malloc(PATH_MAX + 1);
+@@ -3684,8 +3687,10 @@ char *uwsgi_expand_path(char *dir, int dir_len, char *ptr) {
+ uwsgi_error_realpath(src);
+ if (!ptr)
+ free(dst);
++ free(src);
+ return NULL;
+ }
++ free(src);
+ return dst;
+ }
+
+--
+2.11.0
+
diff -Nru uwsgi-2.0.7/debian/patches/series uwsgi-2.0.7/debian/patches/series
--- uwsgi-2.0.7/debian/patches/series 2017-02-08 20:11:59.000000000 +0100
+++ uwsgi-2.0.7/debian/patches/series 2018-02-06 21:39:42.000000000 +0100
@@ -1,4 +1,5 @@
020150415~f6e5db9.patch
+0001-improve-uwsgi_expand_path-to-sanitize-input-avoiding.patch
1001_avoid_setting_RPATH.patch
1002_fix-reload-process-name.patch
1003_remove-php-libs.patch
Reply to: