Bug#698621: pu: package swath/0.4.0-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
swath has got a trivial security fix, addressing Bug #698189, which the
security team considers trivial enough to upload to stable-proposed-updates.
(See the quoted conversation below.)
The prepared upload can be found here:
http://linux.thai.net/~thep/debs/swath-squeeze/swath_0.4.0-4+squeeze1.dsc
The debdiff is also attached for your review.
On Mon, Jan 21, 2013 at 4:14 PM, Yves-Alexis Perez <corsac@debian.org> wrote:
> On lun., 2013-01-21 at 15:56 +0700, Theppitak Karoonboonyanan wrote:
>> Dear security team,
>>
>> A potential buffer overflow vulnerability has been reported to me in swath,
>> which allows shell injection via a long command-line argument:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698189
>>
>> The exploit is not known yet, but the report is already public
>> (in the bug log).
>>
>> Both stable (0.4.0-4) and testing/unstable (0.4.3-2) versions are
>> affected.
>>
>> For testing/unstable, the fix has been uploaded (0.4.3-3).
>> For stable, I have prepared the deb for your review here:
>>
>> http://linux.thai.net/~thep/debs/swath-squeeze/swath_0.4.0-4+squeeze1.dsc
>>
>> The debdiff is also attached.
>
> Thanks for the report. It doesn't look bad enough to warrant a DSA imho.
> Can you please ask release team for a stable upload? I'll contact
> oss-sec to have a CVE assigned.
>
> Regards,
> --
> Yves-Alexis
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=th_TH.utf8, LC_CTYPE=th_TH.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru swath-0.4.0/debian/changelog swath-0.4.0/debian/changelog
--- swath-0.4.0/debian/changelog 2010-01-14 15:24:18.000000000 +0700
+++ swath-0.4.0/debian/changelog 2013-01-21 16:26:19.000000000 +0700
@@ -1,3 +1,11 @@
+swath (0.4.0-4+squeeze1) stable; urgency=high
+
+ * debian/patches/01_buffer-overflow.patch: backport patch from upstream
+ to fix potential buffer overflow in Mule mode.
+ Thanks Dominik Maier for the report. (Closes: #698189)
+
+ -- Theppitak Karoonboonyanan <thep@debian.org> Mon, 21 Jan 2013 15:03:30 +0700
+
swath (0.4.0-4) unstable; urgency=low
* debian/rules: Fix failure to build twice in a row:
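Review bot: The 0.4.0-4+squeeze1 entry describes the fix only as a "potential buffer overflow in Mule mode", which does not tell someone reading the changelog alone what input reaches it. Naming the affected code, the strcpy of wbr into the 20-byte stopstr in src/wordseg.cpp as shown in the patch in this debdiff, would make the exposure clear. The quoted mail says a CVE will be requested, so a later changelog entry should reference it once it is assigned.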
diff -Nru swath-0.4.0/debian/patches/01_buffer-overflow.patch swath-0.4.0/debian/patches/01_buffer-overflow.patch
--- swath-0.4.0/debian/patches/01_buffer-overflow.patch 1970-01-01 07:00:00.000000000 +0700
+++ swath-0.4.0/debian/patches/01_buffer-overflow.patch 2013-01-21 16:26:19.000000000 +0700
@@ -0,0 +1,22 @@
+Author: Theppitak Karoonboonyanan <thep@linux.thai.net>
+Description: Fix potential buffer overflow
+Origin: backport, http://linux.thai.net/websvn/wsvn/software.swath/trunk?op=revision&rev=238&peg=238
+Bug-Debian: http://bugs.debian.org/698189
+
+Index: swath/src/wordseg.cpp
+===================================================================
+--- swath.orig/src/wordseg.cpp 2013-01-21 13:19:24.261886743 +0700
++++ swath/src/wordseg.cpp 2013-01-21 13:20:31.693890376 +0700
+@@ -253,11 +253,7 @@
+ }
+ delete FltX;
+ }else{
+- char stopstr[20];
+- if (muleMode)
+- strcpy(stopstr,wbr);
+- else
+- stopstr[0]='\0';
++ const char *stopstr = muleMode ? wbr : "";
+ for (;;) { // read until end of file.
+ if (mode == 0) printf("Input : ");
+ for (i = 0; ((c = fgetc(tmpin)) != '\n')
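Review bot: On the added line const char *stopstr = muleMode ? wbr : ""; stopstr becomes an alias of wbr with no length bound, so the fix is complete only if nothing later copies or appends stopstr into another fixed-size buffer. The const qualifier blocks writes through stopstr itself, but the hunk's context stops at the start of the read loop, so none of its later uses are visible here. Please confirm against the full wordseg.cpp that each remaining use only reads stopstr into a destination that is sized for an arbitrary-length wbr, and that wbr stays valid and unmodified for the life of the loop.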
diff -Nru swath-0.4.0/debian/patches/series swath-0.4.0/debian/patches/series
--- swath-0.4.0/debian/patches/series 1970-01-01 07:00:00.000000000 +0700
+++ swath-0.4.0/debian/patches/series 2013-01-21 16:26:19.000000000 +0700
@@ -0,0 +1 @@
+01_buffer-overflow.patch