
Bug#899014: stretch-pu: package blktrace/1.1.0-2



Hi!

> Please use 1.0.5-1+deb8u1 and as target distribution just 'jessie'.
> Use 1.1.0-2+deb9u1 and targeting 'stretch' instead (not
> stretch-security).
> 

Fixed.  New debdiffs follow:


Jessie:

diff -Nru blktrace-1.0.5/debian/changelog blktrace-
1.0.5/debian/changelog
--- blktrace-1.0.5/debian/changelog	2013-05-05
14:43:17.000000000 +0200
+++ blktrace-1.0.5/debian/changelog	2018-05-18
21:02:54.000000000 +0200
@@ -1,3 +1,9 @@
+blktrace (1.0.5-1+deb8u1) jessie; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw <bas@debian.org>  Fri, 18 May 2018 15:47:57 +0200
+
 blktrace (1.0.5-1) unstable; urgency=low
 
   * New upstream release [February 2012].
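Review bot: the new entry's "Fix buffer overflow in btt" line does not say how the fix is made. Naming the added file (debian/patches/cve-2018-10689.patch) and stating that it is the upstream commit would let the release team match the changelog to the rest of the debdiff without opening the patch header.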
diff -Nru blktrace-1.0.5/debian/patches/cve-2018-10689.patch blktrace-
1.0.5/debian/patches/cve-2018-10689.patch
--- blktrace-1.0.5/debian/patches/cve-2018-10689.patch	1970-01-
01 01:00:00.000000000 +0100
+++ blktrace-1.0.5/debian/patches/cve-2018-10689.patch	2018-05-
18 16:05:36.000000000 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe <axboe@kernel.dk>
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to
avoid overflow.  Patch from https://git.kernel.org/pub/scm/linux/kernel
/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa
c5b7
+
+Index: blktrace-1.0.5/btt/devmap.c
+===================================================================
+--- blktrace-1.0.5.orig/btt/devmap.c
++++ blktrace-1.0.5/btt/devmap.c
+@@ -23,7 +23,7 @@
+ 
+ struct devmap {
+ 	struct list_head head;
+-	char device[32], devno[32];
++	char device[PATH_MAX], devno[PATH_MAX];
+ };
+ 
+ LIST_HEAD(all_devmaps);
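Review bot: the "+char device[PATH_MAX], devno[PATH_MAX];" line only enlarges the two buffers, and nothing in this hunk bounds the writes into them. If the code that fills device and devno copies an unbounded field, an input longer than PATH_MAX would still run past the end, so please confirm that the reader limits the length it stores (or add a limit there). The hunk also adds no include, so check that btt/devmap.c already gets PATH_MAX from a header such as <limits.h> on this older 1.0.5 tree.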
diff -Nru blktrace-1.0.5/debian/patches/series blktrace-
1.0.5/debian/patches/series
--- blktrace-1.0.5/debian/patches/series	2012-12-23
12:30:03.000000000 +0100
+++ blktrace-1.0.5/debian/patches/series	2018-05-18
15:56:41.000000000 +0200
@@ -1,2 +1,3 @@
 10_btrace_paths.patch
 spelling.patch
+cve-2018-10689.patch



Stretch:


diff -Nru blktrace-1.1.0/debian/changelog blktrace-
1.1.0/debian/changelog
--- blktrace-1.1.0/debian/changelog	2015-05-17
14:35:07.000000000 +0200
+++ blktrace-1.1.0/debian/changelog	2018-05-16
16:19:54.000000000 +0200
@@ -1,3 +1,9 @@
+blktrace (1.1.0-2+deb9u1) stretch; urgency=high
+
+  * Fix buffer overflow in btt (CVE-2018-10689) (Closes: #897695)
+
+ -- Bas Zoetekouw <bas@debian.org>  Wed, 16 May 2018 16:19:54 +0200
+
 blktrace (1.1.0-2) unstable; urgency=low
 
   * Upload to unstable.
diff -Nru blktrace-1.1.0/debian/patches/cve-2018-10689.patch blktrace-
1.1.0/debian/patches/cve-2018-10689.patch
--- blktrace-1.1.0/debian/patches/cve-2018-10689.patch	1970-01-
01 01:00:00.000000000 +0100
+++ blktrace-1.1.0/debian/patches/cve-2018-10689.patch	2018-05-
16 16:19:54.000000000 +0200
@@ -0,0 +1,18 @@
+Last-Update: 2018-05-16
+Forwarded: yes
+Author: Jens Axboe <axboe@kernel.dk>
+Description: fix CVE-2018-10689: make device/devno use PATH_MAX to
avoid overflow.  Patch from https://git.kernel.org/pub/scm/linux/kernel
/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaa
c5b7
+
+diff --git a/btt/devmap.c b/btt/devmap.c
+index 0553a9e..5fc1cb2 100644
+--- a/btt/devmap.c
++++ b/btt/devmap.c
+@@ -23,7 +23,7 @@
+
+ struct devmap {
+ 	struct list_head head;
+-	char device[32], devno[32];
++	char device[PATH_MAX], devno[PATH_MAX];
+ };
+
+ LIST_HEAD(all_devmaps);
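Review bot: the empty context lines of the embedded diff (the bare "+" lines before "struct devmap {" and before "LIST_HEAD(all_devmaps);") have lost their leading space as posted, unlike the jessie copy of the same patch. Refreshing the patch with quilt would restore them and give both uploads the same patch format, instead of an "Index:" patch in one and a "diff --git" patch in the other. In the header, the upstream commit URL would be better carried in an "Origin: upstream, <URL>" field than inside Description, since Author is already the upstream maintainer.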
diff -Nru blktrace-1.1.0/debian/patches/series blktrace-
1.1.0/debian/patches/series
--- blktrace-1.1.0/debian/patches/series	2015-03-25
08:40:33.000000000 +0100
+++ blktrace-1.1.0/debian/patches/series	2018-05-16
16:19:54.000000000 +0200
@@ -4,3 +4,4 @@
 pdf-date.patch
 procnum.patch
 spelling.patch
+cve-2018-10689.patch

