[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#988437: unblock: cod-tools/3.1.0+dfsg-3

Control: tags -1 moreinfo confirmed

On 2021-05-13 08:52:30 +0300, Andrius Merkys wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Dear release-team,
> 
> I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.

ACK, please remove the moreinfo tag once the new version is available in
unstable.

Cheers

> 
> [ Reason ]
> cod-tools/3.1.0+dfsg-2 is susceptible to buffer overrun due to a single
> occurrence of unchecked C buffer boundary (an upstream bug, forwarded).
> cod-tools/3.1.0+dfsg-3 fixes this bug via patch by using C function
> which writes no more bytes than the length of the current buffer.
> 
> [ Impact ]
> Without the fix, buffer overrun may occur in specific circumstances.
> 
> [ Tests ]
> * Built on clean sid chroot;
> * Upstream test suite and autopkgtest pass.
> 
> [ Risks ]
> Most likely none. All binary packages built from source:cod-tools are
> leaf packages.
> 
> [ Checklist ]
>   [*] all changes are documented in the d/changelog
>   [*] I reviewed all changes and I approve them
>   [*] attach debdiff against the package in testing
> 
> unblock cod-tools/3.1.0+dfsg-3
> 
> Best,
> Andrius

> diff -Nru cod-tools-3.1.0+dfsg/debian/changelog cod-tools-3.1.0+dfsg/debian/changelog
> --- cod-tools-3.1.0+dfsg/debian/changelog	2021-03-05 11:44:59.000000000 -0500
> +++ cod-tools-3.1.0+dfsg/debian/changelog	2021-05-12 06:21:45.000000000 -0400
> @@ -1,3 +1,9 @@
> +cod-tools (3.1.0+dfsg-3) unstable; urgency=medium
> +
> +  * Patching buffer overflow in code responsible for composing error messages.
> +
> + -- Andrius Merkys <merkys@debian.org>  Wed, 12 May 2021 06:21:45 -0400
> +
>  cod-tools (3.1.0+dfsg-2) unstable; urgency=medium
>  
>    * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl
> diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
> --- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff	1969-12-31 19:00:00.000000000 -0500
> +++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff	2021-05-12 06:18:47.000000000 -0400
> @@ -0,0 +1,21 @@
> +Description: Fixes buffer overflow.
> +Author: Andrius Merkys <merkys@debian.org>
> +Forwarded: mailto:cod-bugs@ibt.lt
> +--- a/src/externals/cexceptions/cxprintf.c
> ++++ b/src/externals/cexceptions/cxprintf.c
> +@@ -27,11 +27,11 @@
> + 
> + const char* vcxprintf( const char * format, va_list args )
> + {
> +-    static char error_message[200] = "";
> ++    static char error_message[1024] = "";
> ++
> + 
> +-    /*
> +     vsnprintf( error_message, sizeof(error_message), format, args );
> +-    */
> +-    vsprintf( error_message, format, args );
> ++
> ++    // vsprintf( error_message, format, args );
> +     return error_message;
> + }
> diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series cod-tools-3.1.0+dfsg/debian/patches/series
> --- cod-tools-3.1.0+dfsg/debian/patches/series	2021-03-05 11:44:59.000000000 -0500
> +++ cod-tools-3.1.0+dfsg/debian/patches/series	2021-05-12 03:46:26.000000000 -0400
> @@ -2,3 +2,4 @@
>  hardening.diff
>  disable-test-network-access.diff
>  spglib.diff
> +fix-buffer-overflow.diff


-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature

Reply to: