Bug#781806: CVE-2015-2831

Salvatore Bonaccorso carnil at debian.org
Fri Apr 10 07:44:41 UTC 2015


Control: tags -1 + patch

Hi

The issue is mitigated in jessie, since das-watchdog is built hardened
there. The debdiff for unstable is attached nonetheless; I plan to
double-check it and upload it later today to a delayed queue.

Regards,
Salvatore
-------------- next part --------------
diff -Nru das-watchdog-0.9.0/debian/changelog das-watchdog-0.9.0/debian/changelog
--- das-watchdog-0.9.0/debian/changelog	2013-10-16 18:37:01.000000000 +0200
+++ das-watchdog-0.9.0/debian/changelog	2015-04-10 09:39:41.000000000 +0200
@@ -1,3 +1,11 @@
+das-watchdog (0.9.0-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix buffer overflow in the handling of the XAUTHORITY env variable
+    (CVE-2015-2831) (Closes: #781806)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 10 Apr 2015 09:34:55 +0200
+
 das-watchdog (0.9.0-3) unstable; urgency=low
 
   * Team upload.
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch
--- das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch	1970-01-01 01:00:00.000000000 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch	2015-04-10 09:39:41.000000000 +0200
@@ -0,0 +1,50 @@
+From 286489dd7dad59f8b5a9b9fdfececb95bcf5c570 Mon Sep 17 00:00:00 2001
+From: Kjetil Matheussen <k.s.matheussen at usit.uio.no>
+Date: Wed, 1 Apr 2015 16:12:39 +0200
+Subject: [PATCH] Fixed memory leak in bd20bb02e75e2c0483832b52f2577253febfb690
+
+---
+ das_watchdog.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index 8381d56..26385b2 100644
+--- a/das_watchdog.c
++++ b/das_watchdog.c
+@@ -316,9 +316,10 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+   sprintf(temp,"/proc/%d/environ",pid);
+ 
+   fp=fopen(temp,"r");
+-  if(fp==NULL)
++  if(fp==NULL){
++    free(temp);
+     return NULL;
+-
++  }
+   
+   for(;;){
+     
+@@ -330,17 +331,15 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+     temp[i]=fgetc(fp);    
+ 
+     if(foundit==1 && (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
+-      char *ret;
+-      temp[i]=0;
+-      ret=malloc(strlen(temp)+10);
+-      sprintf(ret,"%s",temp);
+       fclose(fp);
+-      return ret;
++      temp[i]=0;
++      return temp;
+     }
+ 
+     switch(temp[i]){
+     case EOF:
+       fclose(fp);
++      free(temp);
+       return NULL;
+     case '=':
+       temp[i]=0;
+-- 
+2.1.4
+
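Review bot: With `return temp;` the function now hands the caller a heap buffer it must free, and nothing in get_pid_environ_val documents that — the previous `ret=malloc(...)` path had the same contract, but now the returned block is the full working buffer (500 bytes or more after growth), not a right-sized copy. I would add above the definition `/* Returns a malloc'd copy of the value of `val` from /proc/<pid>/environ, or NULL; the caller owns and must free() the result. */`. The EOF case and the fopen failure path now free `temp`, which matches that contract; the `case '='` arm and the rest of the switch lie outside this hunk, so any other exit from the loop should be checked for the same release. The function starts and ends outside the hunk.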
diff -Nru das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch
--- das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch	1970-01-01 01:00:00.000000000 +0100
+++ das-watchdog-0.9.0/debian/patches/0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch	2015-04-10 09:39:41.000000000 +0200
@@ -0,0 +1,41 @@
+From bd20bb02e75e2c0483832b52f2577253febfb690 Mon Sep 17 00:00:00 2001
+From: Kjetil Matheussen <k.s.matheussen at usit.uio.no>
+Date: Wed, 1 Apr 2015 16:06:48 +0200
+Subject: [PATCH] Fix memory overflow if the name of an environment is larger
+ than 500 characters. Bug found by Adam Sampson.
+
+---
+ das_watchdog.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/das_watchdog.c b/das_watchdog.c
+index c98bbea..8473fe8 100644
+--- a/das_watchdog.c
++++ b/das_watchdog.c
+@@ -306,7 +306,9 @@ static int checksoftirq(int force){
+ 
+ 
+ static char *get_pid_environ_val(pid_t pid,char *val){
+-  char temp[500];
++  int temp_size = 500;
++  char *temp = malloc(temp_size);
++  
+   int i=0;
+   int foundit=0;
+   FILE *fp;
+@@ -319,6 +321,12 @@ static char *get_pid_environ_val(pid_t pid,char *val){
+ 
+   
+   for(;;){
++    
++    if (i >= temp_size) {
++      temp_size *= 2;
++      temp = realloc(temp, temp_size);
++    }
++      
+     temp[i]=fgetc(fp);    
+ 
+     if(foundit==1 && (temp[i]==0 || temp[i]=='\0' || temp[i]==EOF)){
+-- 
+2.1.4
+
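Review bot: `temp = realloc(temp, temp_size);` inside the `for(;;)` overwrites the only pointer to the buffer; if realloc fails the old block leaks and the very next statement `temp[i]=fgetc(fp);` writes through NULL. The `malloc(temp_size)` at the top of the function is equally unchecked. Since this daemon reads `/proc/<pid>/environ` of arbitrary local processes, the input length is not under the program's control, so the growth path should handle allocation failure by closing `fp`, freeing the old buffer and returning NULL, as the EOF path does. The function continues past the end of the hunk.
```c
  for(;;){
    if (i >= temp_size) {
      char *grown = realloc(temp, temp_size * 2);
      if (grown == NULL) {
        fclose(fp);
        free(temp);
        return NULL;
      }
      temp = grown;
      temp_size *= 2;
    }
    /* … unchanged: temp[i]=fgetc(fp) and the terminator checks … */
```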
diff -Nru das-watchdog-0.9.0/debian/patches/series das-watchdog-0.9.0/debian/patches/series
--- das-watchdog-0.9.0/debian/patches/series	2013-10-16 18:34:25.000000000 +0200
+++ das-watchdog-0.9.0/debian/patches/series	2015-04-10 09:39:41.000000000 +0200
@@ -1,3 +1,5 @@
 01-rc.patch
 02-makefile.patch
 03-hardening.patch
+0001-Fix-memory-overflow-if-the-name-of-an-environment-is.patch
+0001-Fixed-memory-leak-in-bd20bb02e75e2c0483832b52f257725.patch

