
squeeze update of tidy?



Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of tidy:
https://security-tracker.debian.org/tracker/TEMP-0000000-616DBB

I have already prepared a patched package, available for review and test
at the repository:
    deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/

Please tell me if you want to upload it yourself, following the
workflow we have defined here:
http://wiki.debian.org/LTS/Development
Otherwise, I will upload it in the following days.

Santiago Ruano Rincón,
  on behalf of the Debian LTS team.

P.S. The same patch can be applied to the tidy versions available in
Debian, including stable.
diff -u tidy-20091223cvs/debian/changelog tidy-20091223cvs/debian/changelog
--- tidy-20091223cvs/debian/changelog
+++ tidy-20091223cvs/debian/changelog
@@ -1,3 +1,11 @@
+tidy (20091223cvs-1+deb6u1~1) santiago-squeeze-lts; urgency=medium
+
+  * Non-maintainer upload.
+  * Add 20-prevent-heap-buffer-overflow.patch: Fix heap-buffer-overflow when
+    processing malformed html files.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Sun, 05 Jul 2015 14:24:52 +0200
+
 tidy (20091223cvs-1) unstable; urgency=low
 
   * New cvs snapshot
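
Review bot: the header of the new entry still carries the personal test suite "santiago-squeeze-lts" and the "~1" suffix in 20091223cvs-1+deb6u1~1; both need to change before the real upload so that the package targets the suite used for Squeeze LTS with its final version. The entry would also be easier to trace if it named the upstream issue given in the patch header (htacg/tidy-html5 #217) or the tracker entry, since "malformed html files" alone does not identify which bug is fixed.
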
only in patch2:
unchanged:
--- tidy-20091223cvs.orig/debian/patches/20-prevent-heap-buffer-overflow.patch
+++ tidy-20091223cvs/debian/patches/20-prevent-heap-buffer-overflow.patch
@@ -0,0 +1,30 @@
+Desription: Prevents heap-buffer-overflow when processing malformed html files.
+Origin: upstream, https://github.com/htacg/tidy-html5/issues/217
+
+---
+
+diff --git a/src/lexer.c b/src/lexer.c
+index 3ae2897..801fb8c 100644
+--- a/src/lexer.c
++++ b/src/lexer.c
+@@ -3467,16 +3467,17 @@ static tmbstr ParseValue( TidyDocImpl* doc, ctmbstr name,
+         /* and prompts attributes unless --literal-attributes is set to yes      */
+         /* #994841 - Whitespace is removed from value attributes                 */
+ 
+-        if (munge &&
++        /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
++        if ((len > 0) && munge &&
+             TY_(tmbstrcasecmp)(name, "alt") &&
+             TY_(tmbstrcasecmp)(name, "title") &&
+             TY_(tmbstrcasecmp)(name, "value") &&
+             TY_(tmbstrcasecmp)(name, "prompt"))
+         {
+-            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
++            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
+                 --len;
+ 
+-            while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
++            while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
+             {
+                 ++start;
+                 --len;
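
Review bot: in both rewritten while loops the buffer read is evaluated before the new bound, so the guard comes too late. In "while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))", once len has been decremented to 0 the condition still reads lexbuf[start-1] before "(len > 0)" is tested; putting "(len > 0) &&" first lets short-circuit evaluation protect the read, and the same reordering applies to the second loop, where lexbuf[start] is read before "(start < len) && (len > 0)". The outer "(len > 0)" only covers the first iteration. The pre-existing "start < len" test compares a buffer offset with a remaining length, which is worth confirming with upstream while this code is being touched. Separately, the first header field is spelled "Desription:", so tools that read the patch header will not recognise it as the Description field.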
