Your message dated Sat, 27 Mar 2021 10:26:45 +0000 with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk> and subject line Closing p-u requests for fixes included in 10.9 point release has caused the Debian Bug report #985466, regarding buster-pu: package libpano13/2.9.19+dfsg-3+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
985466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985466
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package libpano13/2.9.19+dfsg-3+deb10u1
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Thu, 18 Mar 2021 18:01:01 +0100
- Message-id: <YFOHTYwkLja5aJ7+@argenau.bebt.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libpano13@packages.debian.org

Hello,

I would like to fix 985249 for buster. It is a straightforward format string issue, as documented in the respective report. The issue is fixed in unstable (2.9.20~rc3+dfsg-1) but not yet in testing.

cu Andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

diff -Nru libpano13-2.9.19+dfsg/debian/changelog libpano13-2.9.19+dfsg/debian/changelog --- libpano13-2.9.19+dfsg/debian/changelog 2017-09-10 14:39:18.000000000 +0200 +++ libpano13-2.9.19+dfsg/debian/changelog 2021-03-18 14:12:08.000000000 +0100 @@ -1,3 +1,12 @@ +libpano13 (2.9.19+dfsg-3+deb10u1) buster; urgency=medium + + * 850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff + cherry-picked from 2.9.20 rc3: Fixes format string bug, pasing along + format strings in user specified output filename to printf. + Closes: #985249 + + -- Andreas Metzler <ametzler@debian.org> Thu, 18 Mar 2021 14:12:08 +0100 + libpano13 (2.9.19+dfsg-3) unstable; urgency=medium * Move Vcs-* from git/http to https. diff -Nru libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff --- libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff 1970-01-01 01:00:00.000000000 +0100 +++ libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff 2021-03-18 14:12:08.000000000 +0100 
@@ -0,0 +1,40 @@ +# HG changeset patch +# User tmodes +# Date 1615911819 -3600 +# Tue Mar 16 17:23:39 2021 +0100 +# Node ID f02459498cb44c0087900616a7e61563d614c05f +# Parent 2e9ee0a5e32f2ca6e1a5b3f9c2d5c393a41903c3 +Prevent string vulnerability by refusing prefix strings with percentage sign + +diff -r 2e9ee0a5e32f -r f02459498cb4 file.c +--- a/file.c Sun Dec 13 15:37:56 2020 +0100 ++++ b/file.c Tue Mar 16 17:23:39 2021 +0100 +@@ -2910,6 +2910,16 @@ + } + strcat(outputPrefix, DEFAULT_PREFIX_NUMBER_FORMAT); + } ++ else { ++ // TODO: sanitize outputPrefix, only a single format specifier %??d or %??i ++ // is allowed, all other should be escaped ++ // until this is implemented refuse to process further if prefix string ++ // contains a percentage sign to prevent string vulnerability in ++ // sprintf(outputFilename, outputPrefix ...) below ++ PrintError("Output prefix must not contain a percentage sign"); ++ return 0; ++ } ++ + + for (i =0; i< filesCount ; i++) { + sprintf( outputFilename, outputPrefix, i ); +diff -r 2e9ee0a5e32f -r f02459498cb4 tools/PTcrop.c +--- a/tools/PTcrop.c Sun Dec 13 15:37:56 2020 +0100 ++++ b/tools/PTcrop.c Tue Mar 16 17:23:39 2021 +0100 +@@ -36,7 +36,7 @@ + + #define PT_CROP_USAGE "PTuncrop [options] <inputFiles+>\n\n" \ + "Options:\n" \ +- "\t-p <prefix>\tPrefix for output files (defaults to " DEFAULT_PREFIX "%%4d)\n" \ ++ "\t-p <prefix>\tPrefix for output files (defaults to " DEFAULT_PREFIX ")\n" \ + "\t-f\t\tForce processing: Overwrite output files if they exists (use with care)\n" \ + "\t-x\t\tDelete source files (use with care)\n"\ + "\t-q\t\tQuiet run\n"\ diff -Nru libpano13-2.9.19+dfsg/debian/patches/series libpano13-2.9.19+dfsg/debian/patches/series --- libpano13-2.9.19+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libpano13-2.9.19+dfsg/debian/patches/series 2021-03-18 14:12:08.000000000 +0100 @@ -0,0 +1 @@ +850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diffAttachment: signature.asc
Description: PGP signature
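Review bot: In the new debian/changelog entry, "pasing" should read "passing", and the entry names printf while the call the patch guards in file.c is sprintf( outputFilename, outputPrefix, i ). The entry also describes only the bug; since the fix works by refusing every output prefix that contains a percentage sign, it is worth stating that here, because it is a user-visible behaviour change arriving through a stable update.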
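Review bot: In the file.c hunk, the sprintf( outputFilename, outputPrefix, i ) that follows the new else branch remains an unbounded write, as does the strcat(outputPrefix, DEFAULT_PREFIX_NUMBER_FORMAT) in the context above it; nothing in the visible lines limits the length of the user-supplied prefix, so rejecting '%' removes the conversion specifiers but not the overflow risk from a long prefix. Suggest snprintf with the size of outputFilename and a check of its return value for truncation. The added "return 0;" should be confirmed to match the function's other error paths, including any cleanup they perform, and the hunk adds two consecutive blank lines after the closing brace where one would do.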
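Review bot: In the tools/PTcrop.c hunk, the -p help line drops the "%%4d" hint but does not tell the user that a prefix containing a percentage sign is now refused, so the "Output prefix must not contain a percentage sign" error from file.c arrives without any documentation; suggest saying so in the option text. The unchanged first line of PT_CROP_USAGE reads "PTuncrop [options] <inputFiles+>" inside PTcrop.c, which looks like a copy-and-paste leftover worth correcting while this string is being edited.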
--- End Message ---
--- Begin Message ---
- To: 981453-done@bugs.debian.org, 981664-done@bugs.debian.org, 982002-done@bugs.debian.org, 982311-done@bugs.debian.org, 982571-done@bugs.debian.org, 982669-done@bugs.debian.org, 982796-done@bugs.debian.org, 983051-done@bugs.debian.org, 983113-done@bugs.debian.org, 983134-done@bugs.debian.org, 983485-done@bugs.debian.org, 983527-done@bugs.debian.org, 983918-done@bugs.debian.org, 984790-done@bugs.debian.org, 984886-done@bugs.debian.org, 984896-done@bugs.debian.org, 984899-done@bugs.debian.org, 985115-done@bugs.debian.org, 985359-done@bugs.debian.org, 985371-done@bugs.debian.org, 985450-done@bugs.debian.org, 985466-done@bugs.debian.org, 985472-done@bugs.debian.org, 985545-done@bugs.debian.org, 985609-done@bugs.debian.org, 985624-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 10.9 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 27 Mar 2021 10:26:45 +0000
- Message-id: <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9 point release today.

Regards,

Adam
--- End Message ---