
Bug#993792: marked as done (bullseye-pu: package iotop-c/1.17-1)



Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #993792,
regarding bullseye-pu: package iotop-c/1.17-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993792
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
There is a bug in processing unicode process names in iotop-c 1.17
that leads to an out of bounds access and crash. Because the access is
to a static array with a negative index, it is highly unlikely
to cause a security problem; it only affects user experience.

Architectures where char is unsigned are not affected.

The test case to reproduce is the same as in
https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523

[ Impact ]
The program will crash when there are processes with names that
contain bytes between 128 and 255.

[ Tests ]
Manual tests confirm the bug and also confirm that the proposed
fix is a proper one.

[ Risks ]
The proposed fixes are trivial and risk level should be low.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
This update includes backported fixes from version 1.18 (already
in unstable). There are 4 patches, two of which are related, and
the other two are independent.
diff -Nru iotop-c-1.17/debian/changelog iotop-c-1.17/debian/changelog
--- iotop-c-1.17/debian/changelog	2021-02-06 03:02:03.000000000 +0200
+++ iotop-c-1.17/debian/changelog	2021-09-06 04:54:40.000000000 +0300
@@ -1,3 +1,12 @@
+iotop-c (1.17-1+deb11u1) bullseye; urgency=medium
+
+  * Backport bugfixes from 1.18
+    - fix OOB access caused by UTF8 process names
+    - fix screen flicker during refresh with visible help
+    - allow ESC to close the help window
+
+ -- Boian Bonev <bbonev@ipacct.com>  Mon, 06 Sep 2021 01:54:40 +0000
+
 iotop-c (1.17-1) unstable; urgency=medium
 
   * Update to new upstream release of 1.17
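Review bot: the changelog line "fix OOB access caused by UTF8 process names" carries no bug reference, although the corresponding patch header cites https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523; appending "(LP: #1932523)" to that line lets users of the stable package trace the fix from the changelog alone.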
diff -Nru iotop-c-1.17/debian/patches/document-esc-key.patch iotop-c-1.17/debian/patches/document-esc-key.patch
--- iotop-c-1.17/debian/patches/document-esc-key.patch	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/document-esc-key.patch	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,20 @@
+Description: Document that ESC key closing the help window
+ Users were expecting that pressing ESC should close the help window
+
+---
+Origin: upstream, https://github.com/Tomas-M/iotop/commit/383443d650bb29bfb7187cae98e21faa40cbf977
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/iotop.8
++++ iotop-c-1.17/iotop.8
+@@ -196,6 +196,9 @@ Sort by next column
+ \fB<left>\fR
+ Sort by previous column
+ .TP
++\fB<esc>\fR
++Cancel ionice or filter selection. In case only the help window is open then close it
++.TP
+ \fBo\fR, \fBO\fR
+ Toggle showing only processes with IO activity
+ .TP
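Review bot: the Description line "Document that ESC key closing the help window" is ungrammatical and the added man page text "In case only the help window is open then close it" reads awkwardly; suggest "Document that the ESC key closes the help window" for the header and "Cancel the ionice or filter prompt. If only the help window is open, close it." for the .8 entry, which also makes explicit that ESC needs a second press when a prompt and the help window are both open.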
diff -Nru iotop-c-1.17/debian/patches/esc-closes-help.patch iotop-c-1.17/debian/patches/esc-closes-help.patch
--- iotop-c-1.17/debian/patches/esc-closes-help.patch	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/esc-closes-help.patch	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,20 @@
+Description: Let ESC close the help
+ It was suggested by users that it is desired for ESC to close the help
+ window.
+---
+Origin: upstream, https://github.com/Tomas-M/iotop/commit/8ea414c53ca3b5986191d06a8f99f96282975e02 https://github.com/Tomas-M/iotop/commit/0d48498cc593d3b72d56fb5a5519b2b8612fbc31
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/view_curses.c
++++ iotop-c-1.17/src/view_curses.c
+@@ -1092,6 +1092,9 @@ static inline int curses_key(int ch) {
+ 			config.f.deadx=!config.f.deadx;
+ 			break;
+ 		case 27: // ESC
++			if (showhelp&&!in_ionice&&!in_filter)
++				showhelp=0;
++			// unlike help window these cannot happen at the same time
+ 			if (in_ionice)
+ 				in_ionice=0;
+ 			if (in_filter)
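Review bot: setting `showhelp=0` in the `case 27` branch only records the state change; the hunk does not show whether the caller of curses_key() repaints after handling a key, so confirm that an ESC press removes the help window immediately rather than at the next refresh interval. The condition `showhelp&&!in_ionice&&!in_filter` deliberately gives the ionice/filter prompt priority over the help window, which matches the wording added to iotop.8 in document-esc-key.patch, but that intent deserves a comment of its own: the existing "unlike help window these cannot happen at the same time" remark describes the two prompts below it, not the new check.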
diff -Nru iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch
--- iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,21 @@
+Description: Fix OOB access on some UTF input
+ On architectures with signed char type and input that is >=128 there is
+ an out-of-bounds access causing SIGSEGV. It is most probably not exploitable
+ but degrades user experience.
+---
+Origin: upstream, https://github.com/Tomas-M/iotop/commit/8aaa4fce743cf14a5a727c6cb24c63450d317a28
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/utils.c
++++ iotop-c-1.17/src/utils.c
+@@ -171,7 +171,7 @@ inline const char *esc_low_ascii1(char c
+ 	static char ehex[0x20][6];
+ 	static int initialized=0;
+ 
+-	if (c>=0x20) // no escaping needed
++	if (c<0||c>=0x20) // no escaping needed
+ 		return NULL;
+ 	if (!initialized) {
+ 		int i;
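Review bot: the added `c<0` test stops the negative index into `ehex[0x20][6]`, but the function's behaviour still depends on the target's char signedness: on a signed-char ABI a UTF-8 byte such as 0xC3 arrives as -61 and is caught by `c<0`, while on an unsigned-char ABI the same byte arrives as 195 and is caught by `c>=0x20`. Converting once, e.g. `unsigned char u=(unsigned char)c;` followed by `if (u>=0x20) return NULL;`, gives a single check that is identical on both ABIs and states the real invariant, that the table only covers bytes 0x00 to 0x1f.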
diff -Nru iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch
--- iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,29 @@
+Description: Fix flicker with help shown
+ Change the refresh sequence to avoid flicker
+---
+Origin: upstream, https://github.com/Tomas-M/iotop/commit/1b36b51c72088f9e346dc5dc473653487d97cfed
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/view_curses.c
++++ iotop-c-1.17/src/view_curses.c
+@@ -841,7 +841,7 @@ donedraw:
+ 		move(promptx,prompty);
+ 	curs_set(show);
+ 	draw_vscroll(maxx-1,head1row?2:3,maxy-1,dispcount,saveskip);
+-	refresh();
++	wnoutrefresh(stdscr);
+ 	if (showhelp) {
+ 		int rhh,rhw;
+ 
+@@ -874,8 +874,9 @@ donedraw:
+ 		wresize(whelp,rhh,rhw);
+ 		mvwin(whelp,hy,hx);
+ 		view_help();
+-		wrefresh(whelp);
++		wnoutrefresh(whelp);
+ 	}
++	doupdate();
+ }
+ 
+ static inline int curses_key(int ch) {
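Review bot: replacing `refresh()` and `wrefresh(whelp)` with `wnoutrefresh()` calls and one `doupdate()` after the `if (showhelp)` block is the standard curses way to collapse two physical screen updates into one, and the `doupdate()` correctly sits outside the conditional so the no-help path still updates. The remaining risk is in code the hunk does not show: if view_help() (called just before `wnoutrefresh(whelp)`) or draw_vscroll() performs its own `wrefresh()`, that call would still push an intermediate frame and the flicker would persist, so confirm neither does.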
diff -Nru iotop-c-1.17/debian/patches/series iotop-c-1.17/debian/patches/series
--- iotop-c-1.17/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/series	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,4 @@
+document-esc-key.patch
+fix-OOB-on-utf.patch
+fix-flicker-with-help-shown.patch
+esc-closes-help.patch
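Review bot: fix-flicker-with-help-shown.patch adds a net line to src/view_curses.c (its second hunk is `-874,8 +874,9`) and is applied before esc-closes-help.patch, whose hunk `@@ -1092,6 +1092,9 @@` touches the same file further down; if that hunk was generated against the unpatched source it will apply with an offset of one. quilt tolerates this silently, but running `quilt refresh` on esc-closes-help.patch with fix-flicker-with-help-shown.patch applied keeps the series applying cleanly without offset warnings.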

--- End Message ---
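The [Reason] section above explains the crash as a signed-char sign-extension problem: a byte of 128 or above becomes a negative `int` and is used as an index into a 0x20-entry static table. The following C program, added here as an illustration and not iotop's code, reproduces that arithmetic without dereferencing anything: it computes the index the pre-fix check would use, the index the backported `c<0||c>=0x20` fix uses, and an equivalent check that does not depend on the ABI's char signedness. The table contents and the "caf\xc3\xa9" sample are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOW_ASCII 0x20   /* the table covers bytes 0x00..0x1f only */

/* Index the pre-fix check computes. `c >= 0x20` is evaluated after `c` is
 * promoted to int; on a signed-char ABI the UTF-8 byte 0xC3 is -61, so it
 * passes the test and the caller would index the table at [-61]. */
static int index_before_fix(char c) {
    if (c >= LOW_ASCII) return -1;   /* -1 means "no escaping needed" */
    return c;                        /* may be negative: out of bounds */
}

/* The backported fix: reject negative values explicitly. Correct, but the
 * branch taken for 0xC3 still differs between signed and unsigned char. */
static int index_after_fix(char c) {
    if (c < 0 || c >= LOW_ASCII) return -1;
    return c;
}

/* Equivalent check that does not depend on char signedness: convert to
 * unsigned char first, so 0xC3 is 195 on every platform. */
static int index_portable(char c) {
    unsigned char u = (unsigned char)c;
    return u < LOW_ASCII ? (int)u : -1;
}

/* Lookup built on the portable index, in the shape of a lazily initialised
 * static table: returns the escape text for a control byte, NULL otherwise. */
static const char *escape_low_ascii(char c) {
    static char table[LOW_ASCII][6];
    static bool initialized = false;
    int i = index_portable(c);
    if (i < 0) return NULL;
    if (!initialized) {
        for (int k = 0; k < LOW_ASCII; k++)
            snprintf(table[k], sizeof table[k], "\\x%02x", k);
        initialized = true;
    }
    return table[i];
}

int main(void) {
    const char name[] = "caf\xc3\xa9\n";   /* constructed: "café" + newline */
    printf("char is %s on this ABI\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    for (const char *p = name; *p; p++) {
        const char *esc = escape_low_ascii(*p);
        printf("byte 0x%02x: old index %d, fixed index %d, escape %s\n",
               (unsigned char)*p, index_before_fix(*p), index_after_fix(*p),
               esc ? esc : "(none)");
    }
    return 0;
}
```

On x86-64 (signed char) the 0xC3 and 0xA9 bytes print a negative "old index", which is the out-of-bounds value the report describes; on an unsigned-char target such as arm64 the old index is already -1, matching the note that those architectures are unaffected.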
--- Begin Message ---
Package: release.debian.org
Version: 11.1

Hi,

The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.

Regards,

Adam

--- End Message ---
