
Bug#988437: marked as done (unblock: cod-tools/3.1.0+dfsg-3)



Your message dated Sat, 15 May 2021 13:54:35 +0200
with message-id <YJ+2e7WChPw6DpEK@ramacher.at>
and subject line Re: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
has caused the Debian Bug report #988437,
regarding unblock: cod-tools/3.1.0+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988437
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release-team,

I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.

[ Reason ]
cod-tools/3.1.0+dfsg-2 is susceptible to a buffer overrun due to a single
occurrence of an unchecked C buffer boundary (an upstream bug, forwarded).
cod-tools/3.1.0+dfsg-3 fixes this bug via a patch that uses a C function
which writes no more bytes than the length of the current buffer.

[ Impact ]
Without the fix, a buffer overrun may occur in specific circumstances.

[ Tests ]
* Built on clean sid chroot;
* Upstream test suite and autopkgtest pass.

[ Risks ]
Most likely none. All binary packages built from source:cod-tools are
leaf packages.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in testing

unblock cod-tools/3.1.0+dfsg-3

Best,
Andrius
diff -Nru cod-tools-3.1.0+dfsg/debian/changelog cod-tools-3.1.0+dfsg/debian/changelog
--- cod-tools-3.1.0+dfsg/debian/changelog	2021-03-05 11:44:59.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/changelog	2021-05-12 06:21:45.000000000 -0400
@@ -1,3 +1,9 @@
+cod-tools (3.1.0+dfsg-3) unstable; urgency=medium
+
+  * Patching buffer overflow in code responsible for composing error messages.
+
+ -- Andrius Merkys <merkys@debian.org>  Wed, 12 May 2021 06:21:45 -0400
+
 cod-tools (3.1.0+dfsg-2) unstable; urgency=medium
 
   * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl
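Review bot: the changelog entry names the symptom but not the change; consider stating that the fix replaces the unbounded vsprintf() call in src/externals/cexceptions/cxprintf.c with vsnprintf() and that the issue was forwarded upstream (as the patch's Forwarded: header records), so a reader of the changelog can tell what was hardened without opening the patch.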
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
--- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff	1969-12-31 19:00:00.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff	2021-05-12 06:18:47.000000000 -0400
@@ -0,0 +1,21 @@
+Description: Fixes buffer overflow.
+Author: Andrius Merkys <merkys@debian.org>
+Forwarded: mailto:cod-bugs@ibt.lt
+--- a/src/externals/cexceptions/cxprintf.c
++++ b/src/externals/cexceptions/cxprintf.c
+@@ -27,11 +27,11 @@
+ 
+ const char* vcxprintf( const char * format, va_list args )
+ {
+-    static char error_message[200] = "";
++    static char error_message[1024] = "";
++
+ 
+-    /*
+     vsnprintf( error_message, sizeof(error_message), format, args );
+-    */
+-    vsprintf( error_message, format, args );
++
++    // vsprintf( error_message, format, args );
+     return error_message;
+ }
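Review bot: the hunk leaves dead code behind in vcxprintf(): the commented-out `// vsprintf( error_message, format, args );` line and the two stray empty `+` lines (one after the buffer declaration, one before the comment). Since vsnprintf() is now the live call, drop the old call entirely rather than keeping it as a `//` comment; the file otherwise uses `/* */` comments, and a reader may wonder which variant is active. Two pre-existing limits are worth a line in Description so the patch's scope is clear: vsnprintf() truncates silently and its return value is not inspected, so messages longer than 1023 bytes are cut short without notice, and error_message remains a function-scope static, so the function is still not reentrant or thread-safe. The Description itself could also be more specific than "Fixes buffer overflow." (e.g. "replace vsprintf() with vsnprintf() when composing error messages").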
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series cod-tools-3.1.0+dfsg/debian/patches/series
--- cod-tools-3.1.0+dfsg/debian/patches/series	2021-03-05 11:44:59.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/series	2021-05-12 03:46:26.000000000 -0400
@@ -2,3 +2,4 @@
 hardening.diff
 disable-test-network-access.diff
 spglib.diff
+fix-buffer-overflow.diff

--- End Message ---
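An added example, not code from cod-tools, showing the bounded pattern the patch above applies in cxprintf.c (vsnprintf() into a fixed static buffer) together with a truncation check that the package's patch does not perform. The names cx_vformat_error, cx_format_error and cx_last_truncated are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size the Debian patch chose for error_message[]. */
#define CX_ERROR_MESSAGE_SIZE 1024

/* Static buffer as in the original vcxprintf(): not thread-safe, and each
 * call overwrites the previous message. */
static char error_message[CX_ERROR_MESSAGE_SIZE] = "";
static int last_truncated = 0;

/* Bounded replacement for the vsprintf() call: vsnprintf() writes at most
 * sizeof(error_message) bytes and always NUL-terminates, so an oversized
 * message is cut short instead of overrunning the buffer. Its return value
 * is the length the full message would have had, which reveals truncation. */
const char *cx_vformat_error(const char *format, va_list args)
{
    int needed = vsnprintf(error_message, sizeof(error_message), format, args);
    if (needed < 0) {                 /* encoding error: report nothing */
        error_message[0] = '\0';
        last_truncated = 0;
    } else {
        last_truncated = needed >= (int)sizeof(error_message);
    }
    return error_message;
}

/* Hypothetical variadic front end, like cxprintf() wrapping vcxprintf(). */
const char *cx_format_error(const char *format, ...)
{
    va_list args;
    va_start(args, format);
    const char *msg = cx_vformat_error(format, args);
    va_end(args);
    return msg;
}

/* 1 if the last formatted message did not fit in the buffer. */
int cx_last_truncated(void) { return last_truncated; }

int main(void)
{
    /* Constructed inputs: a short message fits; a %1500d field does not. */
    puts(cx_format_error("parse error at line %d", 42));
    printf("truncated: %d\n", cx_last_truncated());
    const char *m = cx_format_error("bad token: %1500d", 7);
    printf("truncated: %d, kept %zu bytes\n", cx_last_truncated(), strlen(m));
    return 0;
}
```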
--- Begin Message ---
On 2021-05-14 08:11:45, Andrius Merkys wrote:
> Control: tags -1 - moreinfo
> 
> On 2021-05-13 12:38, Sebastian Ramacher wrote:
> > ACK, please remove the moreinfo tag once the new version is available in
> > unstable.
> 
> Thanks, uploaded.

The package has autopkgtest and isn't a key package, so it will migrate
without an unblock. Closing.

Cheers
-- 
Sebastian Ramacher



--- End Message ---
