
Bug#866759: marked as done (stretch-pu: package protozero/1.5.1-1+deb9u1)



Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #866759,
regarding stretch-pu: package protozero/1.5.1-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
866759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866759
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

protozero 1.5.1 in stretch contains a serious bug that was fixed in
1.5.2. The fix has been cherry-picked and I'd like to upload this
proposed-update.

From the changelog and patch description:

"
 This fixes a rather embarrassing bug in the equality operator of the
 data_view class. The equality operator is actually never used in the
 protozero code itself, but users of protozero might use it. This is a
 serious bug that could lead to buffer overrun type problems.
"

The issue was pointed out by the upstream author in:

 https://lists.debian.org/debian-gis/2017/07/msg00000.html

Kind Regards,

Bas
diff -Nru protozero-1.5.1/debian/changelog protozero-1.5.1/debian/changelog
--- protozero-1.5.1/debian/changelog	2017-01-14 11:19:51.000000000 +0100
+++ protozero-1.5.1/debian/changelog	2017-07-01 15:59:15.000000000 +0200
@@ -1,3 +1,14 @@
+protozero (1.5.1-1+deb9u1) stretch; urgency=medium
+
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Include upstream patch to fix data_view equality operator.
+    This fixes a rather embarrassing bug in the equality operator of the
+    data_view class. The equality operator is actually never used in the
+    protozero code itself, but users of protozero might use it. This is a
+    serious bug that could lead to buffer overrun type problems.
+
+ -- Bas Couwenberg <sebastic@debian.org>  Sat, 01 Jul 2017 15:59:15 +0200
+
 protozero (1.5.1-1) unstable; urgency=medium
 
   * New upstream release.
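Review bot: the entry says "upstream patch" but names neither the upstream release that carries the fix nor the commit; the cover mail gives 1.5.2 and the DEP-3 header below gives the commit URL, so a short pointer such as "(cherry-picked from upstream 1.5.2)" on the `* Include upstream patch` line would let readers of the stretch changelog trace the fix without opening debian/patches.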
diff -Nru protozero-1.5.1/debian/control protozero-1.5.1/debian/control
--- protozero-1.5.1/debian/control	2017-01-12 15:17:23.000000000 +0100
+++ protozero-1.5.1/debian/control	2017-07-01 15:59:12.000000000 +0200
@@ -11,7 +11,7 @@
                pkg-config
 Standards-Version: 3.9.8
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/protozero.git/
-Vcs-Git: https://anonscm.debian.org/git/pkg-grass/protozero.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-grass/protozero.git -b stretch
 Homepage: https://github.com/mapbox/protozero
 
 Package: libprotozero-dev
diff -Nru protozero-1.5.1/debian/gbp.conf protozero-1.5.1/debian/gbp.conf
--- protozero-1.5.1/debian/gbp.conf	2017-01-12 15:17:23.000000000 +0100
+++ protozero-1.5.1/debian/gbp.conf	2017-07-01 15:59:12.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru protozero-1.5.1/debian/patches/0001-Bugfix-in-data_view-equality-operator.patch protozero-1.5.1/debian/patches/0001-Bugfix-in-data_view-equality-operator.patch
--- protozero-1.5.1/debian/patches/0001-Bugfix-in-data_view-equality-operator.patch	1970-01-01 01:00:00.000000000 +0100
+++ protozero-1.5.1/debian/patches/0001-Bugfix-in-data_view-equality-operator.patch	2017-07-01 15:59:15.000000000 +0200
@@ -0,0 +1,63 @@
+Description: Bugfix in data_view equality operator.
+ This fixes a rather embarrassing bug in the equality operator of the
+ data_view class. The equality operator is actually never used in the
+ protozero code itself, but users of protozero might use it. This is a
+ serious bug that could lead to buffer overrun type problems.
+Author: Jochen Topf <jochen@topf.org>
+Origin: https://github.com/mapbox/protozero/commit/3d998ed0864f0db1d876d72a2658e5bdff9a0474
+
+--- a/include/protozero/types.hpp
++++ b/include/protozero/types.hpp
+@@ -16,6 +16,7 @@ documentation.
+  * @brief Contains the declaration of low-level types used in the pbf format.
+  */
+ 
++#include <algorithm>
+ #include <cstddef>
+ #include <cstdint>
+ #include <cstring>
+@@ -178,7 +179,7 @@ inline void swap(data_view& lhs, data_vi
+  * @param rhs Second object.
+  */
+ inline bool operator==(const data_view& lhs, const data_view& rhs) noexcept {
+-    return lhs.size() == rhs.size() && !std::strcmp(lhs.data(), rhs.data());
++    return lhs.size() == rhs.size() && std::equal(lhs.data(), lhs.data() + lhs.size(), rhs.data());
+ }
+ 
+ /**
+--- a/test/t/data_view/test_cases.cpp
++++ b/test/t/data_view/test_cases.cpp
+@@ -64,20 +64,32 @@ TEST_CASE("comparing data_views") {
+     protozero::data_view v2{"bar"};
+     protozero::data_view v3{"foox"};
+     protozero::data_view v4{"foo"};
++    protozero::data_view v5{"fooooooo", 3};
++    protozero::data_view v6{"f\0o", 3};
++    protozero::data_view v7{"f\0obar", 3};
+ 
+     REQUIRE_FALSE(v1 == v2);
+     REQUIRE_FALSE(v1 == v3);
+     REQUIRE(v1 == v4);
++    REQUIRE(v1 == v5);
++    REQUIRE_FALSE(v1 == v6);
++    REQUIRE_FALSE(v1 == v7);
+     REQUIRE_FALSE(v2 == v3);
+     REQUIRE_FALSE(v2 == v4);
+     REQUIRE_FALSE(v3 == v4);
++    REQUIRE(v4 == v5);
++    REQUIRE(v6 == v7);
+ 
+     REQUIRE(v1 != v2);
+     REQUIRE(v1 != v3);
+     REQUIRE_FALSE(v1 != v4);
++    REQUIRE_FALSE(v1 != v5);
++    REQUIRE(v1 != v6);
++    REQUIRE(v1 != v7);
+     REQUIRE(v2 != v3);
+     REQUIRE(v2 != v4);
+     REQUIRE(v3 != v4);
++    REQUIRE_FALSE(v4 != v5);
++    REQUIRE_FALSE(v6 != v7);
+ }
+ 
+-
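Review bot: the removed line `-    return lhs.size() == rhs.size() && !std::strcmp(lhs.data(), rhs.data());` is the defect, and it is worse than a wrong answer: `data_view` carries an explicit length and is not NUL-terminated, so `strcmp` ignores `size()`, keeps reading until it finds a NUL byte (past the end of the view when the backing buffer has none, which is the out-of-bounds read the description calls a buffer overrun) and stops early at an embedded NUL. The `std::equal` replacement is bounded by `lhs.size()`, and that single bound is sufficient only because the size equality check precedes it, so the order of the two operands in the `&&` must stay as written. The added `v5`/`v6`/`v7` cases cover both the length-mismatch path (the old code fails `REQUIRE(v1 == v5)`) and the embedded-NUL path, which is the right regression coverage. Two smaller points: the DEP-3 header has `Origin:` but no `Applied-Upstream:` field recording that 1.5.2 already ships the fix, and the trailing `+-` line only drops a blank line at the end of test_cases.cpp, harmless but unrelated to the fix.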
diff -Nru protozero-1.5.1/debian/patches/series protozero-1.5.1/debian/patches/series
--- protozero-1.5.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ protozero-1.5.1/debian/patches/series	2017-07-01 15:59:15.000000000 +0200
@@ -0,0 +1 @@
+0001-Bugfix-in-data_view-equality-operator.patch

--- End Message ---
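As an added illustration, not code from this bug report or from protozero itself: a hypothetical `view` type standing in for `data_view` is compared with the 1.5.1 `strcmp` operator and with the bounded `std::equal` replacement from the patch, using the patch's own test cases plus one embedded-NUL pair (`v6` vs `v8`) that the patch does not test; the function names `eq_strcmp`, `eq_bounded` and `count_failures` are mine.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>

// Hypothetical stand-in for protozero::data_view: a pointer plus an explicit
// length. The bytes are not NUL-terminated.
struct view {
    const char* ptr;
    std::size_t len;
    view(const char* p, std::size_t n) noexcept : ptr(p), len(n) {}
    template <std::size_t N>
    explicit view(const char (&lit)[N]) noexcept : ptr(lit), len(N - 1) {}
    const char* data() const noexcept { return ptr; }
    std::size_t size() const noexcept { return len; }
};

// The 1.5.1 operator, kept as the patch shows it: strcmp ignores size(),
// stops at the first NUL byte and otherwise keeps reading until it finds one,
// i.e. past the end of a view whose backing memory is not NUL-terminated.
bool eq_strcmp(const view& a, const view& b) noexcept {
    return a.size() == b.size() && !std::strcmp(a.data(), b.data());
}

// The 1.5.2 fix: compare exactly size() bytes; the size check in front makes
// the single bound on the lhs range sufficient for both views.
bool eq_bounded(const view& a, const view& b) noexcept {
    return a.size() == b.size() && std::equal(a.data(), a.data() + a.size(), b.data());
}

// Runs the comparisons from the patch's test_cases.cpp, plus one embedded-NUL
// pair (v6 vs v8) that the patch does not test, and returns how many expected
// results the given operator gets wrong. Every literal here is NUL-terminated,
// so the old operator only mis-compares instead of reading out of bounds.
int count_failures(bool (*eq)(const view&, const view&)) {
    const view v1{"foo"}, v2{"bar"}, v3{"foox"}, v4{"foo"},
               v5{"fooooooo", 3}, v6{"f\0o", 3}, v7{"f\0obar", 3}, v8{"f\0x", 3};
    struct { const view& a; const view& b; bool expect; } cases[] = {
        {v1, v2, false}, {v1, v3, false}, {v1, v4, true},
        {v1, v5, true},  {v1, v6, false}, {v1, v7, false},
        {v4, v5, true},  {v6, v7, true},  {v6, v8, false},
    };
    int failures = 0;
    for (const auto& c : cases)
        if (eq(c.a, c.b) != c.expect) ++failures;
    return failures;
}
```

The old operator gets three of the nine expectations wrong (`v1 == v5`, `v4 == v5` and the embedded-NUL pair `v6 != v8`), the bounded one none.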
--- Begin Message ---
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch
point release.

Regards,

Adam

--- End Message ---
