Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of tidy:
https://security-tracker.debian.org/tracker/TEMP-0000000-616DBB

I have already prepared a patched package, available for review and test at the repository:

    deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/

Please tell me if you want to upload it by yourself, following the workflow we have defined here:
http://wiki.debian.org/LTS/Development

Otherwise, I will upload it in the following days.

Santiago Ruano Rincón, on behalf of the Debian LTS team.

P.S. The same patch can be applied to the tidy versions available in Debian, including stable.
diff -u tidy-20091223cvs/debian/changelog tidy-20091223cvs/debian/changelog --- tidy-20091223cvs/debian/changelog +++ tidy-20091223cvs/debian/changelog @@ -1,3 +1,11 @@ +tidy (20091223cvs-1+deb6u1~1) santiago-squeeze-lts; urgency=medium + + * Non-maintainer upload. + * Add 20-prevent-heap-buffer-overflow.patch: Fix heap-buffer-overflow when + processing malformed html files. + + -- Santiago Ruano Rincón <santiagorr@riseup.net> Sun, 05 Jul 2015 14:24:52 +0200 + tidy (20091223cvs-1) unstable; urgency=low * New cvs snapshot only in patch2: unchanged: --- tidy-20091223cvs.orig/debian/patches/20-prevent-heap-buffer-overflow.patch +++ tidy-20091223cvs/debian/patches/20-prevent-heap-buffer-overflow.patch @@ -0,0 +1,30 @@ +Desription: Prevents heap-buffer-overflow when processing malformed html files. +Origin: upstream, https://github.com/htacg/tidy-html5/issues/217 + +--- + +diff --git a/src/lexer.c b/src/lexer.c +index 3ae2897..801fb8c 100644 +--- a/src/lexer.c ++++ b/src/lexer.c +@@ -3467,16 +3467,17 @@ static tmbstr ParseValue( TidyDocImpl* doc, ctmbstr name, + /* and prompts attributes unless --literal-attributes is set to yes */ + /* #994841 - Whitespace is removed from value attributes */ + +- if (munge && ++ /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */ ++ if ((len > 0) && munge && + TY_(tmbstrcasecmp)(name, "alt") && + TY_(tmbstrcasecmp)(name, "title") && + TY_(tmbstrcasecmp)(name, "value") && + TY_(tmbstrcasecmp)(name, "prompt")) + { +- while (TY_(IsWhite)(lexer->lexbuf[start+len-1])) ++ while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0)) + --len; + +- while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len) ++ while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0)) + { + ++start; + --len;
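Review bot: in both rewritten while conditions in src/lexer.c the new (len > 0) test sits after the lexer->lexbuf[...] read, so with C's left-to-right && the byte is still fetched before the length is checked; once --len reaches 0 the first loop reads lexbuf[start-1], the byte before the value, one more time before it stops. Put the bound first, as in "while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))", and likewise move "(start < len) && (len > 0)" ahead of the lexbuf[start] read in the second loop. Separately, the first header field of 20-prevent-heap-buffer-overflow.patch is spelled "Desription:" and should read "Description:".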
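Review bot: the new debian/changelog entry describes the fix but cites neither the upstream issue (htacg/tidy-html5 #217, named in the patch's Origin field) nor a tracker entry, so the upload cannot be matched to the tracked issue from the changelog alone; add that reference to the 20-prevent-heap-buffer-overflow.patch bullet. The distribution santiago-squeeze-lts and the ~1 version suffix also look like test-repository values that need replacing before the real upload.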