[getdata-devel] GetData vulnerability (CVE-2021-20204) and problems with Debian bugfix
Scientific Database Format
From: Graeme S. <gsm...@th...> - 2021-09-24 17:44:13
Hi all,

I'm a long-time happy GetData user. Thanks for all your efforts producing a widely useful package.

I wanted to point out the following tale of woe, starting with the following use-after-free problem from June 2021:

https://nvd.nist.gov/vuln/detail/CVE-2021-20204

The CVE leads to responses from both Red Hat and Debian:

https://bugzilla.redhat.com/show_bug.cgi?id=1956348
https://lists.debian.org/debian-lts-announce/2021/05/msg00015.html

Debian produced the following patch:

https://salsa.debian.org/science-team/libgetdata/-/commit/61275e4c051090ce11467207eb361a6d81c405d9

...which, unfortunately, breaks much of libgetdata (as can be seen in the regression tests after the patch is applied). There is an active bug report here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992437

This is where the trail gets cold. Debian's packaged libgetdata 0.10 is still broken, Red Hat doesn't seem to have patched the CVE, and there does not appear to be a CVE fix in the public getdata repositories.

Are getdata devs aware of the CVE, and/or formulating a response? The easiest way to break up the logjam would be to fix the CVE in libgetdata, and for Debian to remove their problematic patch when they update.

Thanks again for all your hard work - I am guessing maintaining this package is a volunteer position, and I'm grateful for whatever time you can put into it.

best,
Graeme