diff for 2.0.3+dfsg1-2.2 NMU

To: 414832@bugs.debian.org, debian-release@lists.debian.org
Subject: diff for 2.0.3+dfsg1-2.2 NMU
From: Pierre HABOUZIT <madcoder@debian.org>
Date: Thu, 22 Mar 2007 16:52:16 +0100
Message-id: <[🔎] 20070322155216.GA4720@mad.intersec.eu>
Mail-followup-to: 414832@bugs.debian.org, debian-release@lists.debian.org
In-reply-to: <[🔎] 20070322105957.GA26871@mad.intersec.eu>

Hi,

Attached is the diff for my ktorrent 2.0.3+dfsg1-2.2 NMU.

  This one is without touching the build-system (no quilt dependency).

@the RM: please unblock this one that is less intrusive.
@the maintainer: you can keep the 2.1 NMU in your packaging the 2.2 is
     IMHO gross, but the previous one was not complying with the FREEZE
     requirements.

Cheers,
-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

diff -u ktorrent-2.0.3+dfsg1/debian/changelog ktorrent-2.0.3+dfsg1/debian/changelog
--- ktorrent-2.0.3+dfsg1/debian/changelog
+++ ktorrent-2.0.3+dfsg1/debian/changelog
@@ -1,3 +1,21 @@
+ktorrent (2.0.3+dfsg1-2.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Redo the previous patch without kilt, integrating it into the buildsystem
+    directly (yuck !).
+
+ -- Pierre Habouzit <madcoder@debian.org>  Thu, 22 Mar 2007 16:41:39 +0100
+
+ktorrent (2.0.3+dfsg1-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix security issue (Closes: 414832, 414830):
+    + drop patch from #414832 in debian/patches.
+    + use quilt as a patches management system to deal with it.
+    + urgency set to high due to RC bugfix.
+
+ -- Pierre Habouzit <madcoder@debian.org>  Thu, 22 Mar 2007 11:11:20 +0100
+
 ktorrent (2.0.3+dfsg1-2) unstable; urgency=low
 
   * Resolve FTBFS - remove nonportable "-z now" from LDFLAGS  (Closes: 395897)
only in patch2:
unchanged:
--- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/peer.cpp
+++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/peer.cpp
@@ -182,11 +182,21 @@
 				{
 					Out() << "len err HAVE" << endl;
 					kill();
-					return;
 				}
-				
-				haveChunk(this,ReadUint32(tmp_buf,1));
-				pieces.set(ReadUint32(tmp_buf,1),true);
+				else	
+				{
+					Uint32 ch = ReadUint32(tmp_buf,1);
+					if (ch < pieces.getNumBits())
+					{
+						haveChunk(this,ch);
+						pieces.set(ch,true);
+					}
+					else
+					{
+						Out(SYS_CON|LOG_NOTICE) << "Received invalid have value, kicking peer" << endl;
+						kill();
+					}
+				}
 				break;
 			case BITFIELD:
 				if (len != 1 + pieces.getNumBytes())
only in patch2:
unchanged:
--- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/torrent.cpp
+++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/torrent.cpp
@@ -141,9 +141,13 @@
 				if (!v || v->data().getType() != Value::STRING)
 					throw Error(i18n("Corrupted torrent!"));
 	
-				path += v->data().toString(encoding);
-				if (j + 1 < ln->getNumChildren())
-					path += bt::DirSeparator();
+				QString sd = v->data().toString(encoding);
+				if (sd != "..")
+				{
+					path += sd;
+					if (j + 1 < ln->getNumChildren())
+						path += bt::DirSeparator();
+				}
 			}
 
 			// we do not want empty dirs
only in patch2:
unchanged:
--- ktorrent-2.0.3+dfsg1.orig/libktorrent/torrent/chunkcounter.cpp
+++ ktorrent-2.0.3+dfsg1/libktorrent/torrent/chunkcounter.cpp
@@ -59,12 +59,13 @@
 
 	void ChunkCounter::inc(Uint32 idx)
 	{
+		if (idx < cnt.size())
 		cnt[idx]++;
 	}
 		
 	void ChunkCounter::dec(Uint32 idx)
 	{
-		if (cnt[idx] > 0)
+		if (idx < cnt.size() && cnt[idx] > 0)
 			cnt[idx]--;
 	}

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- diff for 2.0.3+dfsg1-2.1 NMU
  - From: Pierre HABOUZIT <madcoder@debian.org>

Prev by Date: Re: please unblock openoffice.org
Next by Date: Re: Iceweasel ready for etch (?)
Previous by thread: diff for 2.0.3+dfsg1-2.1 NMU
Next by thread: xfce4-diskperf-plugin does not work on Debian Etch
Index(es):
- Date
- Thread