Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release-team,
I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.
[ Reason ]
cod-tools/3.1.0+dfsg-2 is susceptible to buffer overrun due to a single
occurrence of unchecked C buffer boundary (an upstream bug, forwarded).
cod-tools/3.1.0+dfsg-3 fixes this bug via patch by using C function
which writes no more bytes than the length of the current buffer.
[ Impact ]
Without the fix, buffer overrun may occur in specific circumstances.
[ Tests ]
* Built on clean sid chroot;
* Upstream test suite and autopkgtest pass.
[ Risks ]
Most likely none. All binary packages built from source:cod-tools are
leaf packages.
[ Checklist ]
[*] all changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in testing
unblock cod-tools/3.1.0+dfsg-3
Best,
Andrius
diff -Nru cod-tools-3.1.0+dfsg/debian/changelog cod-tools-3.1.0+dfsg/debian/changelog
--- cod-tools-3.1.0+dfsg/debian/changelog 2021-03-05 11:44:59.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/changelog 2021-05-12 06:21:45.000000000 -0400
@@ -1,3 +1,9 @@
+cod-tools (3.1.0+dfsg-3) unstable; urgency=medium
+
+ * Patching buffer overflow in code responsible for composing error messages.
+
+ -- Andrius Merkys <merkys@debian.org> Wed, 12 May 2021 06:21:45 -0400
+
cod-tools (3.1.0+dfsg-2) unstable; urgency=medium
* Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
--- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 1969-12-31 19:00:00.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 2021-05-12 06:18:47.000000000 -0400
@@ -0,0 +1,21 @@
+Description: Fixes buffer overflow.
+Author: Andrius Merkys <merkys@debian.org>
+Forwarded: mailto:cod-bugs@ibt.lt
+--- a/src/externals/cexceptions/cxprintf.c
++++ b/src/externals/cexceptions/cxprintf.c
+@@ -27,11 +27,11 @@
+
+ const char* vcxprintf( const char * format, va_list args )
+ {
+- static char error_message[200] = "";
++ static char error_message[1024] = "";
++
+
+- /*
+ vsnprintf( error_message, sizeof(error_message), format, args );
+- */
+- vsprintf( error_message, format, args );
++
++ // vsprintf( error_message, format, args );
+ return error_message;
+ }
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series cod-tools-3.1.0+dfsg/debian/patches/series
--- cod-tools-3.1.0+dfsg/debian/patches/series 2021-03-05 11:44:59.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/series 2021-05-12 03:46:26.000000000 -0400
@@ -2,3 +2,4 @@
hardening.diff
disable-test-network-access.diff
spglib.diff
+fix-buffer-overflow.diff
Reply to: