Version in base suite: 18.16.1+ds-7.2 Base version: clickhouse_18.16.1+ds-7.2 Target version: clickhouse_18.16.1+ds-7.2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/clickhouse/clickhouse_18.16.1+ds-7.2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/clickhouse/clickhouse_18.16.1+ds-7.2+deb11u1.dsc changelog | 9 ++ patches/CVE-2021-4238x-and-4330x.patch | 134 +++++++++++++++++++++++++++++++++ patches/series | 1 salsa-ci.yml | 12 ++ 4 files changed, 156 insertions(+)
diff -Nru clickhouse-18.16.1+ds/debian/changelog clickhouse-18.16.1+ds/debian/changelog
--- clickhouse-18.16.1+ds/debian/changelog 2020-12-03 19:45:03.000000000 +0000
+++ clickhouse-18.16.1+ds/debian/changelog 2022-10-31 16:27:03.000000000 +0000
@@ -1,3 +1,12 @@
+clickhouse (18.16.1+ds-7.2+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by the Security Team.
+ * Add Salsa CI config for bullseye.
+ * Fix CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+ (Closes: #1008216)
+
+ -- Tobias Frost Mon, 31 Oct 2022 17:27:03 +0100
+
 clickhouse (18.16.1+ds-7.2) unstable; urgency=medium
 
 [Balint Reczey]
diff -Nru clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch
--- clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 1970-01-01 00:00:00.000000000 +0000
+++ clickhouse-18.16.1+ds/debian/patches/CVE-2021-4238x-and-4330x.patch 2022-10-31 16:27:03.000000000 +0000
@@ -0,0 +1,134 @@
+Description: Fix for CVE-2021-42387, CVE-2021-42388, CVE-2021-43304, CVE-2021-43305
+ Cherry pick relevant parts from upstream PR, adapted to version in Debian.
+Origin: https://github.com/ClickHouse/ClickHouse/pull/27136
+Bug-Debian: https://bugs.debian.org/1008216
+Forwarded: no
+Applied-Upstream: yes, https://github.com/ClickHouse/ClickHouse/pull/27136
+Last-Update: 2022-10-30
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/dbms/src/IO/LZ4_decompress_faster.cpp
++++ b/dbms/src/IO/LZ4_decompress_faster.cpp
+@@ -342,13 +342,16 @@
+ 
+ 
+ template
+-void NO_INLINE decompressImpl(
++bool NO_INLINE decompressImpl(
+ const char * const source,
+ char * const dest,
++ size_t source_size,
+ size_t dest_size)
+ {
+ const UInt8 * ip = (UInt8 *)source;
+ UInt8 * op = (UInt8 *)dest;
++ const UInt8 * const input_end = ip + source_size;
++ UInt8 * const output_begin = op;
+ UInt8 * const output_end = op + dest_size;
+ 
+ while (1)
+@@ -387,13 +390,19 @@
+ /// output: xyzHello, w
+ /// ^-op (we will overwrite excessive bytes on next iteration)
+ 
+- wildCopy(op, ip, copy_end); /// Here we can write up to copy_amount - 1 bytes after buffer.
++ {
++ auto * target = std::min(copy_end, output_end);
++ wildCopy(op, ip, target); /// Here we can write up to copy_amount - 1 bytes after buffer.
++
++ if (target == output_end)
++ return true;
++ }
+ 
+ ip += length;
+ op = copy_end;
+ 
+- if (copy_end >= output_end)
+- return;
++ if (unlikely(ip > input_end))
++ return false;
+ 
+ /// Get match offset.
+ 
+@@ -401,6 +410,9 @@
+ ip += 2;
+ const UInt8 * match = op - offset;
+ 
++ if (unlikely(match < output_begin))
++ return false;
++
+ /// Get match length.
+ 
+ length = token & 0x0F;
+@@ -441,7 +453,10 @@
+ 
+ copy(op, match); /// copy_amount + copy_amount - 1 - 4 * 2 bytes after buffer.
+ if (length > copy_amount * 2)
+- wildCopy(op + copy_amount, match + copy_amount, copy_end);
++ {
++ auto * target = std::min(copy_end, output_end);
++ wildCopy(op + copy_amount, match + copy_amount, target);
++ }
+ 
+ op = copy_end;
+ }
+@@ -450,7 +465,7 @@
+ }
+ 
+ 
+-void decompress(
++bool decompress(
+ const char * const source,
+ char * const dest,
+ size_t source_size,
+@@ -458,7 +473,7 @@
+ PerformanceStatistics & statistics [[maybe_unused]])
+ {
+ if (source_size == 0 || dest_size == 0)
+- return;
++ return true;
+ 
+ /// Don't run timer if the block is too small.
+ if (dest_size >= 32768)
+@@ -468,23 +483,26 @@
+ /// Run the selected method and measure time.
+ 
+ Stopwatch watch;
++ bool success = true;
+ 
+ if (best_variant == 0)
+- decompressImpl<16, true>(source, dest, dest_size);
++ success = decompressImpl<16, true>(source, dest, source_size, dest_size);
+ if (best_variant == 1)
+- decompressImpl<16, false>(source, dest, dest_size);
++ success = decompressImpl<16, false>(source, dest, source_size, dest_size);
+ if (best_variant == 2)
+- decompressImpl<8, true>(source, dest, dest_size);
++ success = decompressImpl<8, true>(source, dest, source_size, dest_size);
+ 
+ watch.stop();
+ 
+ /// Update performance statistics.
+ 
+ statistics.data[best_variant].update(watch.elapsedSeconds(), dest_size);
++
++ return success;
+ }
+ else
+ {
+- decompressImpl<8, false>(source, dest, dest_size);
++ return decompressImpl<8, false>(source, dest, source_size, dest_size);
+ }
+ }
+ 
+--- a/dbms/src/IO/LZ4_decompress_faster.h
++++ b/dbms/src/IO/LZ4_decompress_faster.h
+@@ -128,7 +128,7 @@
+ 
+ /** This method dispatch to one of different implementations depending on performance statistics.
+ */
+-void decompress(
++bool decompress(
+ const char * const source,
+ char * const dest,
+ size_t source_size,
diff -Nru clickhouse-18.16.1+ds/debian/patches/series clickhouse-18.16.1+ds/debian/patches/series
--- clickhouse-18.16.1+ds/debian/patches/series 2020-12-03 19:45:03.000000000 +0000
+++ clickhouse-18.16.1+ds/debian/patches/series 2022-10-31 16:27:03.000000000 +0000
@@ -19,3 +19,4 @@
 python3.patch
 gcc10-ftbfs.patch
 dont-redefine-numeric-limits-for-int128.patch
+CVE-2021-4238x-and-4330x.patch
diff -Nru clickhouse-18.16.1+ds/debian/salsa-ci.yml clickhouse-18.16.1+ds/debian/salsa-ci.yml
--- clickhouse-18.16.1+ds/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ clickhouse-18.16.1+ds/debian/salsa-ci.yml 2022-10-31 16:27:03.000000000 +0000
@@ -0,0 +1,12 @@
+include:
+
+- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'bullseye'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
+ # Package does not support i386
+ SALSA_CI_DISABLE_BUILD_PACKAGE_I386: "1"
+ DEB_BUILD_OPTIONS: "noddebs optimize=-lto parallel=1"
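Review bot: Nothing in this patch shows a caller acting on the `bool` that `decompress` now returns — only `LZ4_decompress_faster.cpp` and its header are touched — so if the caller in this Debian version still invokes `decompress(...)` as a statement, a block rejected via `return false` is handed to the reader as if it had decompressed, with the destination only partially written; the caller-side check from the upstream PR (treating a false result as a decompression error) should be cherry-picked as well, or the DEP-3 header should state where the result is consumed. In the match-copy hunk (`@@ -441,7 +453,10 @@`) the `wildCopy` is clamped to `output_end`, but `op = copy_end;` still advances past it and, unlike the literal path, nothing returns there, so the next loop iteration (outside the hunk) appears to start with `op` beyond the buffer; an `if (unlikely(copy_end > output_end)) return false;` before `op = copy_end;` would mirror the literal path. In the literal hunk the new `ip > input_end` check sits after `wildCopy(op, ip, target)` has already read the run from `ip`, so an oversized literal length is detected only after the source over-read; checking `if (unlikely(ip + (target - op) > input_end)) return false;` before the copy would reject it first. The `while (1)` body of `decompressImpl`, including the loops that accumulate `length`, lies outside these hunks, so whether they are also bounded by `input_end` cannot be confirmed from the patch.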