Version in base suite: 0.11.0-1
Base version: librabbitmq_0.11.0-1
Target version: librabbitmq_0.11.0-1+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/librabbitmq/librabbitmq_0.11.0-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/librabbitmq/librabbitmq_0.11.0-1+deb12u1.dsc
changelog | 9 +++
control | 4 -
patches/CVE-2023-35789.patch | 125 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
4 files changed, 136 insertions(+), 3 deletions(-)
diff -Nru librabbitmq-0.11.0/debian/changelog librabbitmq-0.11.0/debian/changelog
--- librabbitmq-0.11.0/debian/changelog 2022-02-21 22:42:45.000000000 +0000
+++ librabbitmq-0.11.0/debian/changelog 2024-12-15 06:32:03.000000000 +0000
@@ -1,3 +1,12 @@
+librabbitmq (0.11.0-1+deb12u1) bookworm; urgency=medium
+
+ * [4e71ff7] d/patches/CVE-2023-35789.patch: added for addressing
+ CVE-2023-35789 (Closes: #1037322)
+ * [c4d0d0b] d/control: adjust Maintainer/Uploaders to match current
+ situation
+
+ -- Florian Ernst Sun, 15 Dec 2024 07:32:03 +0100
+
 librabbitmq (0.11.0-1) unstable; urgency=low
 * New upstream release (Closes: #1004590, #1006244).
diff -Nru librabbitmq-0.11.0/debian/control librabbitmq-0.11.0/debian/control
--- librabbitmq-0.11.0/debian/control 2022-02-21 22:42:45.000000000 +0000
+++ librabbitmq-0.11.0/debian/control 2024-12-15 06:29:31.000000000 +0000
@@ -1,9 +1,7 @@
 Source: librabbitmq
 Priority: optional
 Section: libs
-Maintainer: Michael Fladischer
-Uploaders:
- Brian May ,
+Maintainer: Florian Ernst
 Build-Depends: cmake, debhelper-compat (= 13),
diff -Nru librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch
--- librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch 1970-01-01 00:00:00.000000000 +0000
+++ librabbitmq-0.11.0/debian/patches/CVE-2023-35789.patch 2024-12-15 06:29:25.000000000 +0000
@@ -0,0 +1,125 @@
+Applied-Upstream: 463054383fbeef889b409a7f843df5365288e2a0
+Author: Christian Kastner
+Date: Tue Jun 13 14:21:52 2023 +0200
+Description: Add option to read username/password from file (#781), CVE-2023-35789
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037322
+Forwarded: https://github.com/alanxz/rabbitmq-c/issues/575
+Origin: https://github.com/alanxz/rabbitmq-c/pull/781
+
+Index: git/tools/common.c
+===================================================================
+--- git.orig/tools/common.c
++++ git/tools/common.c
+@@ -54,6 +54,11 @@
+ #include "compat.h"
+ #endif
+
++/* For when reading auth data from a file */
++#define MAXAUTHTOKENLEN 128
++#define USERNAMEPREFIX "username:"
++#define PASSWORDPREFIX "password:"
++
+ void die(const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+@@ -161,6 +166,7 @@ static char *amqp_vhost;
+ static char *amqp_username;
+ static char *amqp_password;
+ static int amqp_heartbeat = 0;
++static char *amqp_authfile;
+ #ifdef WITH_SSL
+ static int amqp_ssl = 0;
+ static char *amqp_cacert = "/etc/ssl/certs/cacert.pem";
+@@ -183,6 +189,8 @@ struct poptOption connect_options[] = {
+ "the password to login with", "password"},
+ {"heartbeat", 0, POPT_ARG_INT, &amqp_heartbeat, 0,
+ "heartbeat interval, set to 0 to disable", "heartbeat"},
++ {"authfile", 0, POPT_ARG_STRING, &amqp_authfile, 0,
++ "path to file containing username/password for authentication", "file"},
+ #ifdef WITH_SSL
+ {"ssl", 0, POPT_ARG_NONE, &amqp_ssl, 0, "connect over SSL/TLS", NULL},
+ {"cacert", 0, POPT_ARG_STRING, &amqp_cacert, 0,
+@@ -194,6 +202,50 @@ struct poptOption connect_options[] = {
+ #endif /* WITH_SSL */
+ {NULL, '\0', 0, NULL, 0, NULL, NULL}};
+
++void read_authfile(const char *path) {
++ size_t n;
++ FILE *fp = NULL;
++ char token[MAXAUTHTOKENLEN];
++
++ if ((amqp_username = malloc(MAXAUTHTOKENLEN)) == NULL ||
++ (amqp_password = malloc(MAXAUTHTOKENLEN)) == NULL) {
++ die("Out of memory");
++ } else if ((fp = fopen(path, "r")) == NULL) {
++ die("Could not read auth data file %s", path);
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, USERNAMEPREFIX, strlen(USERNAMEPREFIX))) {
++ die("Malformed auth file (missing username)");
++ }
++ strncpy(amqp_username, &token[strlen(USERNAMEPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_username);
++ if (amqp_username[n - 1] != '\n') {
++ die("Username too long");
++ } else {
++ amqp_username[n - 1] = '\0';
++ }
++
++ if (fgets(token, MAXAUTHTOKENLEN, fp) == NULL ||
++ strncmp(token, PASSWORDPREFIX, strlen(PASSWORDPREFIX))) {
++ die("Malformed auth file (missing password)");
++ }
++ strncpy(amqp_password, &token[strlen(PASSWORDPREFIX)], MAXAUTHTOKENLEN);
++ /* Missing newline means token was cut off */
++ n = strlen(amqp_password);
++ if (amqp_password[n - 1] != '\n') {
++ die("Password too long");
++ } else {
++ amqp_password[n - 1] = '\0';
++ }
++
++ (void)fgetc(fp);
++ if (!feof(fp)) {
++ die("Malformed auth file (trailing data)");
++ }
++}
++
+ static void init_connection_info(struct amqp_connection_info *ci) {
+ ci->user = NULL;
+ ci->password = NULL;
+@@ -269,6 +321,8 @@ static void init_connection_info(struct
+ if (amqp_username) {
+ if (amqp_url) {
+ die("--username and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--username and --authfile options cannot be used at the same time");
+ }
+
+ ci->user = amqp_username;
+@@ -277,11 +331,23 @@ static void init_connection_info(struct
+ if (amqp_password) {
+ if (amqp_url) {
+ die("--password and --url options cannot be used at the same time");
++ } else if (amqp_authfile) {
++ die("--password and --authfile options cannot be used at the same time");
+ }
+
+ ci->password = amqp_password;
+ }
+
++ if (amqp_authfile) {
++ if (amqp_url) {
++ die("--authfile and --url options cannot be used at the same time");
++ }
++
++ read_authfile(amqp_authfile);
++ ci->user = amqp_username;
++ ci->password = amqp_password;
++ }
++
+ if (amqp_vhost) {
+ if (amqp_url) {
+ die("--vhost and --url options cannot be used at the same time");
diff -Nru librabbitmq-0.11.0/debian/patches/series librabbitmq-0.11.0/debian/patches/series
--- librabbitmq-0.11.0/debian/patches/series 2022-02-21 22:42:45.000000000 +0000
+++ librabbitmq-0.11.0/debian/patches/series 2024-12-15 06:29:25.000000000 +0000
@@ -2,3 +2,4 @@
 0002-use_cmake_package.patch
 0003-disable-test-basic.patch
 0004-Fix-typo-in-amqp-publish.1-manpage.patch
+CVE-2023-35789.patch
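Review bot: The cut-off check in read_authfile, `if (amqp_username[n - 1] != '\n')`, uses n straight from strlen() with no lower bound, so an auth file whose username line is the bare `username:` prefix with no trailing newline at end of file leaves an empty copy, n == 0, and a read of the byte before the malloc'd buffer; the password check further down has the same shape. Guard the length first, `if (n == 0 || amqp_username[n - 1] != '\n') {` (and the same for amqp_password), which turns that input into a clean error instead of undefined behaviour. fp is opened and never closed; the die() branches presumably do not return (only the start of die's body is in this hunk), but on the success path an `fclose(fp);` after the trailing-data check is missing. The stack buffer token still holds the password after it has been copied to the heap, so clearing it with explicit_bzero() or an equivalent before returning limits where the secret lingers. Style: read_authfile is the only file-scope function in this hunk that is not static, so it exports a symbol the tools do not need — `static void read_authfile(const char *path) {`.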