Bug#988437: unblock: cod-tools/3.1.0+dfsg-3

To: submit@bugs.debian.org
Subject: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
From: Andrius Merkys <merkys@debian.org>
Date: Thu, 13 May 2021 08:52:30 +0300
Message-id: <[🔎] 243bb317-82b8-1ae0-9f49-2f847704b4fe@debian.org>
Reply-to: Andrius Merkys <merkys@debian.org>, 988437@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release-team,

I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.

[ Reason ]
cod-tools/3.1.0+dfsg-2 is susceptible to buffer overrun due to a single
occurrence of unchecked C buffer boundary (an upstream bug, forwarded).
cod-tools/3.1.0+dfsg-3 fixes this bug via patch by using C function
which writes no more bytes than the length of the current buffer.

[ Impact ]
Without the fix, buffer overrun may occur in specific circumstances.

[ Tests ]
* Built on clean sid chroot;
* Upstream test suite and autopkgtest pass.

[ Risks ]
Most likely none. All binary packages built from source:cod-tools are
leaf packages.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in testing

unblock cod-tools/3.1.0+dfsg-3

Best,
Andrius

diff -Nru cod-tools-3.1.0+dfsg/debian/changelog cod-tools-3.1.0+dfsg/debian/changelog
--- cod-tools-3.1.0+dfsg/debian/changelog	2021-03-05 11:44:59.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/changelog	2021-05-12 06:21:45.000000000 -0400
@@ -1,3 +1,9 @@
+cod-tools (3.1.0+dfsg-3) unstable; urgency=medium
+
+  * Patching buffer overflow in code responsible for composing error messages.
+
+ -- Andrius Merkys <merkys@debian.org>  Wed, 12 May 2021 06:21:45 -0400
+
 cod-tools (3.1.0+dfsg-2) unstable; urgency=medium
 
   * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
--- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff	1969-12-31 19:00:00.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff	2021-05-12 06:18:47.000000000 -0400
@@ -0,0 +1,21 @@
+Description: Fixes buffer overflow.
+Author: Andrius Merkys <merkys@debian.org>
+Forwarded: mailto:cod-bugs@ibt.lt
+--- a/src/externals/cexceptions/cxprintf.c
++++ b/src/externals/cexceptions/cxprintf.c
+@@ -27,11 +27,11 @@
+ 
+ const char* vcxprintf( const char * format, va_list args )
+ {
+-    static char error_message[200] = "";
++    static char error_message[1024] = "";
++
+ 
+-    /*
+     vsnprintf( error_message, sizeof(error_message), format, args );
+-    */
+-    vsprintf( error_message, format, args );
++
++    // vsprintf( error_message, format, args );
+     return error_message;
+ }
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series cod-tools-3.1.0+dfsg/debian/patches/series
--- cod-tools-3.1.0+dfsg/debian/patches/series	2021-03-05 11:44:59.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/series	2021-05-12 03:46:26.000000000 -0400
@@ -2,3 +2,4 @@
 hardening.diff
 disable-test-network-access.diff
 spglib.diff
+fix-buffer-overflow.diff

Reply to:

Follow-Ups:
- Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
  - From: Sebastian Ramacher <sramacher@debian.org>
- Processed: Re: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Processed: Re: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#988437: marked as done (unblock: cod-tools/3.1.0+dfsg-3)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#988296: marked as done ([pre-approval] unblock: linbox/1.6.3-3)
Next by Date: Bug#988412: marked as done (unblock: stunnel4/3:5.56+dfsg-10)
Previous by thread: Re: unblock request for fai 5.10.2
Next by thread: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
Index(es):
- Date
- Thread