Bug#906167: stretch-pu: package confuse/3.0+dfsg-2+deb9u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#906167: stretch-pu: package confuse/3.0+dfsg-2+deb9u1
From: Aurelien Jarno <aurel32@debian.org>
Date: Wed, 15 Aug 2018 10:48:50 +0200
Message-id: <[🔎] 153432293017.29279.9651769352694291024.reportbug@ohm.local>
Reply-to: Aurelien Jarno <aurel32@debian.org>, 906167@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable team,

I would like to do an update of the confuse package in stretch to fix a
security issue, CVE-2018-14447 / #904159. The patch to fix the issue is
from upstream and is a one-liner. It's already present in testing/sid.
You'll find the full diff below.

Given the change looks trivial, I have just uploaded the package.

Thanks,
Aurelien
 

diff -Nru confuse-3.0+dfsg/debian/changelog confuse-3.0+dfsg/debian/changelog
--- confuse-3.0+dfsg/debian/changelog	2016-06-06 21:41:37.000000000 +0200
+++ confuse-3.0+dfsg/debian/changelog	2018-08-15 10:46:39.000000000 +0200
@@ -1,3 +1,11 @@
+confuse (3.0+dfsg-2+deb9u1) stretch; urgency=medium
+
+  * Add debian/patches/CVE-2018-14447.patch from upstream to fix
+    an out of bound read in trim_whitespace (CVE-2018-14447).  Closes:
+    #904159.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Wed, 15 Aug 2018 10:46:39 +0200
+
 confuse (3.0+dfsg-2) unstable; urgency=medium
 
   * Upload to unstable. 
diff -Nru confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch
--- confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch	1970-01-01 01:00:00.000000000 +0100
+++ confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch	2018-08-15 00:14:16.000000000 +0200
@@ -0,0 +1,17 @@
+commit f2bfb905f2b8c1e8f20a608768ebf49d3a5a6d0b
+Author: Sebastian Roland <seroland86@gmail.com>
+Date:   Sun Aug 12 09:56:36 2018 +0200
+
+    Fixes #109
+
+--- a/src/lexer.l
++++ b/src/lexer.l
+@@ -337,7 +337,7 @@ static void qputc(char ch)
+ {
+     if(qstring_index >= qstring_len) {
+         qstring_len += CFG_QSTRING_BUFSIZ;
+-        cfg_qstring = (char *)realloc(cfg_qstring, qstring_len);
++        cfg_qstring = (char *)realloc(cfg_qstring, qstring_len + 1);
+         assert(cfg_qstring);
+         memset(cfg_qstring + qstring_index, 0, CFG_QSTRING_BUFSIZ);
+     }
diff -Nru confuse-3.0+dfsg/debian/patches/series confuse-3.0+dfsg/debian/patches/series
--- confuse-3.0+dfsg/debian/patches/series	2016-05-29 18:14:41.000000000 +0200
+++ confuse-3.0+dfsg/debian/patches/series	2018-08-15 00:10:19.000000000 +0200
@@ -0,0 +1 @@
+CVE-2018-14447.patch

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Reply to:

Follow-Ups:
- Bug#906167: confuse 3.0+dfsg-2+deb9u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>
- Processed: confuse 3.0+dfsg-2+deb9u1 flagged for acceptance
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Processed: confuse 3.0+dfsg-2+deb9u1 flagged for acceptance
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: tagging 864631
Next by Date: Bug#905150: ^2 Bug#905150: transition: libpqxx
Previous by thread: Processed: tagging 864631
Next by thread: Bug#906167: confuse 3.0+dfsg-2+deb9u1 flagged for acceptance
Index(es):
- Date
- Thread