Please except jupp (3.1.21-1) from the freeze
Hi,

please add a freeze exception for jupp (3.1.21-1), exact debdiff
attached. I got a report from a user for memory freelist corruption
in eglibc, tracked it down (thanks Valgrind!) and fixed the issues
found upstream: a use of uninitialised memory, and a buffer underflow
which most likely trashed malloc’s data structures. When preparing
the new version, also, a version of automake with the recent CVE
fixed was used. The problem is triggered very occasionally: in our
scenario, only with a specific file, only when the file is not in
the cwd, only with Europe/Berlin set system-wide (crashes immediately)
or via $TZ (crashes on exit), only on i386. But the issue is always
there, and I vaguely recall having seen it once or twice myself.

(I believe src:joe would also be affected, Josip.)

bw.c second hunk: yes, this is really an assignment (hence the
double parenthesēs), it’s the missing initialisation.

Also corrected the number of help cards available (I counted, this
time! This changed from joe 3.1 to joe 3.7 / jupp 3.1.1x) and made
the DEB_BUILD_OPTIONS list in the debian/rules comments complete.

Thanks in advance,
//mirabilos
--
<Natureshadow> Then I'll do git annex copy --to shore and that's that
<Natureshadow> that's way cooler than ownCloud ...
<mirabilos> that's what I keep saying
<Natureshadow> yeah, why is it that what you say is always right ...
diff -Nru jupp-3.1.20/Makefile.in jupp-3.1.21/Makefile.in
--- jupp-3.1.20/Makefile.in 2012-06-07 22:42:47.000000000 +0000
+++ jupp-3.1.21/Makefile.in 2012-07-18 17:10:24.000000000 +0000
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.9.6-MirPorts-5 from Makefile.am.
+# Makefile.in generated by automake 1.9.6-MirPorts-6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -14,7 +14,7 @@
@SET_MAKE@
-# $MirOS: contrib/code/jupp/Makefile.in,v 1.11 2012/06/07 22:42:23 tg Exp $
+# $MirOS: contrib/code/jupp/Makefile.in,v 1.12 2012/07/18 17:09:59 tg Exp $
# $miros: contrib/code/jupp/Makefile.am,v 1.8 2012/06/07 22:16:07 tg Exp $
@@ -715,7 +715,7 @@
*.zip*) \
unzip $(distdir).zip ;;\
esac
- chmod -R a-w $(distdir); chmod a+w $(distdir)
+ chmod -R a-w $(distdir); chmod u+w $(distdir)
mkdir $(distdir)/_build
mkdir $(distdir)/_inst
chmod a-w $(distdir)
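Review bot: The `chmod u+w $(distdir)` fix on the changed line exists only in generated output, so regenerating Makefile.in with the older automake named in the removed header line (1.9.6-MirPorts-5) would silently bring back `chmod a+w` and the world-writable window that lasts until the final `chmod a-w $(distdir)`. Consider stating the required automake revision next to the CVE-2012-3386 line in NEWS, or checking the generator line at the top of Makefile.in at release time.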
diff -Nru jupp-3.1.20/NEWS jupp-3.1.21/NEWS
--- jupp-3.1.20/NEWS 2012-06-08 17:07:45.000000000 +0000
+++ jupp-3.1.21/NEWS 2012-07-18 17:10:24.000000000 +0000
@@ -1,6 +1,12 @@
-$MirOS: contrib/code/jupp/NEWS,v 1.48 2012/06/08 17:07:21 tg Exp $
+$MirOS: contrib/code/jupp/NEWS,v 1.50 2012/07/18 17:09:59 tg Exp $
------------------------------------------------------------------
+JOE 3.1jupp21
+
+- Fix use of uninitialised memory
+- Do not underflow attribute buffer in syntax highlighting code
+- Use automake version fixing CVE-2012-3386
+
JOE 3.1jupp20
- Fix mistakes in the ctime replacement code for klibc
diff -Nru jupp-3.1.20/aclocal.m4 jupp-3.1.21/aclocal.m4
--- jupp-3.1.20/aclocal.m4 2010-04-08 15:46:59.000000000 +0000
+++ jupp-3.1.21/aclocal.m4 2012-07-18 17:10:25.000000000 +0000
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.9.6-MirPorts-5 -*- Autoconf -*-
+# generated automatically by aclocal 1.9.6-MirPorts-6 -*- Autoconf -*-
# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
# 2005 Free Software Foundation, Inc.
diff -Nru jupp-3.1.20/bw.c jupp-3.1.21/bw.c
--- jupp-3.1.20/bw.c 2010-04-08 15:31:25.000000000 +0000
+++ jupp-3.1.21/bw.c 2012-07-18 16:46:28.000000000 +0000
@@ -1,4 +1,4 @@
-/* $MirOS: contrib/code/jupp/bw.c,v 1.15 2010/04/08 15:31:01 tg Exp $ */
+/* $MirOS: contrib/code/jupp/bw.c,v 1.16 2012/07/18 16:46:03 tg Exp $ */
/*
* Edit buffer window generation
* Copyright
@@ -924,7 +924,7 @@
w->object = NULL;
w->offset = 0;
w->o = w->b->o;
- if (w->o.linums) {
+ if ((w->linums = w->o.linums)) {
w->x = window->x + LINCOLS;
w->w = window->w - LINCOLS;
} else {
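Review bot: The assignment inside the condition at `if ((w->linums = w->o.linums)) {` is the missing initialisation the mail describes, but written this way it reads like a mistyped comparison and is easy to "correct" back to the old test in a later cleanup. Suggest splitting it into `w->linums = w->o.linums;` followed by `if (w->linums) {`, placed with the other `w->` initialisations just above, or at least adding a comment that the assignment is intended.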
diff -Nru jupp-3.1.20/configure jupp-3.1.21/configure
--- jupp-3.1.20/configure 2012-06-08 17:13:26.000000000 +0000
+++ jupp-3.1.21/configure 2012-07-18 17:10:25.000000000 +0000
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61-MirPorts-1 for joe 3.1jupp20.
+# Generated by GNU Autoconf 2.61-MirPorts-1 for joe 3.1jupp21.
#
# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
@@ -572,8 +572,8 @@
# Identity of this package.
PACKAGE_NAME='joe'
PACKAGE_TARNAME='joe'
-PACKAGE_VERSION='3.1jupp20'
-PACKAGE_STRING='joe 3.1jupp20'
+PACKAGE_VERSION='3.1jupp21'
+PACKAGE_STRING='joe 3.1jupp21'
PACKAGE_BUGREPORT=''
ac_unique_file="b.c"
@@ -1223,7 +1223,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures joe 3.1jupp20 to adapt to many kinds of systems.
+\`configure' configures joe 3.1jupp21 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1294,7 +1294,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of joe 3.1jupp20:";;
+ short | recursive ) echo "Configuration of joe 3.1jupp21:";;
esac
cat <<\_ACEOF
@@ -1385,7 +1385,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-joe configure 3.1jupp20
+joe configure 3.1jupp21
generated by GNU Autoconf 2.61-MirPorts-1
Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -1399,7 +1399,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by joe $as_me 3.1jupp20, which was
+It was created by joe $as_me 3.1jupp21, which was
generated by GNU Autoconf 2.61-MirPorts-1. Invocation command line was
$ $0 $@
@@ -2200,7 +2200,7 @@
# Define the identity of the package.
PACKAGE='joe'
- VERSION='3.1jupp20'
+ VERSION='3.1jupp21'
cat >>confdefs.h <<_ACEOF
@@ -10908,7 +10908,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by joe $as_me 3.1jupp20, which was
+This file was extended by joe $as_me 3.1jupp21, which was
generated by GNU Autoconf 2.61-MirPorts-1. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -10961,7 +10961,7 @@
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-joe config.status 3.1jupp20
+joe config.status 3.1jupp21
configured by $0, generated by GNU Autoconf 2.61-MirPorts-1,
with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
diff -Nru jupp-3.1.20/configure.ac jupp-3.1.21/configure.ac
--- jupp-3.1.20/configure.ac 2012-06-08 17:07:46.000000000 +0000
+++ jupp-3.1.21/configure.ac 2012-07-18 17:08:07.000000000 +0000
@@ -1,4 +1,4 @@
-# $MirOS: contrib/code/jupp/configure.ac,v 1.38 2012/06/08 17:07:22 tg Exp $
+# $MirOS: contrib/code/jupp/configure.ac,v 1.39 2012/07/18 17:07:42 tg Exp $
#-
# Process this file with autoconf to produce a configure script.
@@ -6,7 +6,7 @@
AC_PREREQ(2.54)
#### Here's the only place where to change version number ####
-AC_INIT(joe, 3.1jupp20)
+AC_INIT(joe, 3.1jupp21)
#### But see main.c for the Copyright (c) owner and year! ####
AC_CONFIG_SRCDIR([b.c])
diff -Nru jupp-3.1.20/debian/changelog jupp-3.1.21/debian/changelog
--- jupp-3.1.20/debian/changelog 2012-06-08 21:43:23.000000000 +0000
+++ jupp-3.1.21/debian/changelog 2012-07-18 17:39:25.000000000 +0000
@@ -1,3 +1,13 @@
+jupp (3.1.21-1) unstable; urgency=medium
+
+ * New upstream release “with omalloc, this would not have happened”
+ - critical bugfixes wrt. uninitialised memory and buffer underflow
+ (reported crash on wheezy/i386 by a user)
+ - uses automake version fixing CVE-2012-3386
+ * Small improvements to package description and d/rules comments
+
+ -- Thorsten Glaser <tg@mirbsd.de> Wed, 18 Jul 2012 17:37:12 +0000
+
jupp (3.1.20-1) unstable; urgency=medium
* New upstream release “nik”
diff -Nru jupp-3.1.20/debian/control jupp-3.1.21/debian/control
--- jupp-3.1.20/debian/control 2012-06-08 21:43:23.000000000 +0000
+++ jupp-3.1.21/debian/control 2012-07-18 17:39:26.000000000 +0000
@@ -1,4 +1,4 @@
-# $MirOS: contrib/hosted/tg/deb/jupp/debian/control,v 1.29 2012/06/08 21:42:59 tg Exp $
+# $MirOS: contrib/hosted/tg/deb/jupp/debian/control,v 1.30 2012/07/18 17:39:01 tg Exp $
#
Source: jupp
Section: editors
@@ -29,7 +29,7 @@
set is much larger than of those. Joe has all of the features a Unix
user should expect: full use of termcap/terminfo, complete VI-style Unix
integration, a powerful configuration file, and regular expression search
- system. It also has six help reference cards which are always available,
+ system. It also has eight help reference cards which are always available,
and an intuitive, simple, and well thought-out user interface.
.
Joe has a great screen update optimisation algorithm, multiple windows
@@ -65,4 +65,4 @@
using the jupp package and implementation (both binaries and manpages).
It also contains the appropriate conffiles and, in contrast to Debian's
joe flavour, supports SELinux context copying (on Debian systems with
- the Linux kernel) and a number of bugs are fixed.
+ the Linux kernel), and has many bugs fixed.
diff -Nru jupp-3.1.20/debian/copyright jupp-3.1.21/debian/copyright
--- jupp-3.1.20/debian/copyright 2012-06-08 21:43:23.000000000 +0000
+++ jupp-3.1.21/debian/copyright 2012-07-18 17:39:26.000000000 +0000
@@ -3,7 +3,7 @@
texts taken from the joe package.
It was downloaded from:
-https://www.mirbsd.org/MirOS/dist/jupp/joe-3.1jupp20.tgz
+https://www.mirbsd.org/MirOS/dist/jupp/joe-3.1jupp21.tgz
Copyright (c) 1992-2012 by
diff -Nru jupp-3.1.20/debian/rules jupp-3.1.21/debian/rules
--- jupp-3.1.20/debian/rules 2012-06-08 00:27:44.000000000 +0000
+++ jupp-3.1.21/debian/rules 2012-07-18 17:39:26.000000000 +0000
@@ -1,5 +1,5 @@
#!/usr/bin/make -f
-# $MirOS: contrib/hosted/tg/deb/jupp/debian/rules,v 1.22 2012/06/08 00:27:20 tg Exp $
+# $MirOS: contrib/hosted/tg/deb/jupp/debian/rules,v 1.23 2012/07/18 17:39:01 tg Exp $
#-
# Possible flavourisation (in addition to stock Debian rules):
# export DEB_BUILD_OPTIONS=diet
@@ -8,6 +8,7 @@
# export DEB_BUILD_OPTIONS='diet debug' (or 'klibc debug')
# export DEB_BUILD_OPTIONS=static (for eglibc)
# All can be combined with 'nopwnam' (aids static linkage).
+# The 'nostrip' and 'parallel=n' options are supported as well.
#
# Setting diet or klibc disables -O0/-O2 and -g and, if unset,
# sets CC. Adding debug enables -g3. Cross-compiling also sets
diff -Nru jupp-3.1.20/syntax.c jupp-3.1.21/syntax.c
--- jupp-3.1.20/syntax.c 2012-06-07 22:35:16.000000000 +0000
+++ jupp-3.1.21/syntax.c 2012-07-18 17:03:21.000000000 +0000
@@ -1,4 +1,4 @@
-/* $MirOS: contrib/code/jupp/syntax.c,v 1.7 2012/06/07 22:34:52 tg Exp $ */
+/* $MirOS: contrib/code/jupp/syntax.c,v 1.8 2012/07/18 17:02:56 tg Exp $ */
/*
* Syntax highlighting DFA interpreter
* Copyright
@@ -77,8 +77,11 @@
h = cmd->new_state;
}
/* Recolor if necessary */
- for(x=cmd->recolor;x<0;++x)
- attr[x] = h -> color;
+ x = cmd->recolor;
+ while (&attr[x] < attr_buf)
+ ++x;
+ while (x < 0)
+ attr[x++] = h->color;
/* Start buffering? */
if (cmd->start_buffering) {
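Review bot: The clamp loop `while (&attr[x] < attr_buf) ++x;` forms a pointer below the start of the buffer in order to compare it, which C leaves undefined even without a dereference, so the guard depends on the kind of out-of-bounds arithmetic it is meant to stop. Assuming `attr` points into `attr_buf`, as the comparison implies, clamping the index avoids that and the per-element loop: `if (x < attr_buf - attr) x = attr_buf - attr;` ahead of the `while (x < 0)` loop. A one-line comment that `cmd->recolor` can reach back past the start of `attr_buf` would also make the reason for the guard clear.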