[Debian-iot-maintainers] Bug#994763: ulfius: Fix CVE-2021-40540 in bullseye

Salvatore Bonaccorso carnil at debian.org
Mon Sep 20 19:42:20 BST 2021


Hi Nicolas,

On Mon, Sep 20, 2021 at 11:43:55AM -0400, Nicolas Mora wrote:
> Source: ulfius
> Version: 2.7.1-1
> Severity: important
> Tags: patch
> 
> 
> 
> 
> -- System Information:
> Debian Release: 11.0
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'proposed-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
> Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not
> set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)

> Description: Fix CVE-2021-40540
> Author: Nicolas Mora <babelouest at debian.org>
> Forwarded: not-needed
> --- a/src/ulfius.c
> +++ b/src/ulfius.c
> @@ -207,6 +207,7 @@
>    UNUSED(cls);
>  
>    if (con_info != NULL) {
> +    memset(con_info, 0, sizeof(struct connection_info_struct));
>      con_info->callback_first_iteration = 1;
>      con_info->u_instance = NULL;
>      u_map_init(&con_info->map_url_initial);
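Review bot: the `memset(con_info, 0, sizeof(struct connection_info_struct));` added at the top of the `if (con_info != NULL)` block zeroes the whole structure before the field-by-field initialisation that follows, so it only closes a gap if `connection_info_struct` has members that the following lines never set; it would help to name that member (and the matching upstream commit) in the patch header instead of just `Forwarded: not-needed`, so a later reviewer can see why the zero-fill is the fix for CVE-2021-40540. Two smaller points: `sizeof(*con_info)` is preferable to naming the struct type, since it stays correct if the pointer type changes, and the explicit `con_info->u_instance = NULL;` two lines below becomes redundant after the zero-fill (harmless, but worth a comment so nobody removes the memset believing the assignments cover it). Please also confirm that nothing stored in `con_info` before this point is needed afterwards, because the memset discards it.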

FWIW, it's actually not needed to file a separate bug for the suites in
which you want to fix a bug. So I think we can simply merge #993851
and #994763, as the BTS has version tracking.

Regards,
Salvatore
