Your message dated Sat, 15 May 2021 13:54:35 +0200
with message-id <YJ+2e7WChPw6DpEK@ramacher.at>
and subject line Re: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
has caused the Debian Bug report #988437,
regarding unblock: cod-tools/3.1.0+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
988437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988437
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: cod-tools/3.1.0+dfsg-3
- From: Andrius Merkys <merkys@debian.org>
- Date: Thu, 13 May 2021 08:52:30 +0300
- Message-id: <243bb317-82b8-1ae0-9f49-2f847704b4fe@debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release-team,

I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.

[ Reason ]
cod-tools/3.1.0+dfsg-2 is susceptible to buffer overrun due to a single
occurrence of an unchecked C buffer boundary (an upstream bug, forwarded).
cod-tools/3.1.0+dfsg-3 fixes this bug via a patch, by using a C function
which writes no more bytes than the length of the current buffer.

[ Impact ]
Without the fix, buffer overrun may occur in specific circumstances.

[ Tests ]
* Built on clean sid chroot;
* Upstream test suite and autopkgtest pass.

[ Risks ]
Most likely none. All binary packages built from source:cod-tools are
leaf packages.

[ Checklist ]
[*] all changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in testing

unblock cod-tools/3.1.0+dfsg-3

Best,
Andrius

diff -Nru cod-tools-3.1.0+dfsg/debian/changelog cod-tools-3.1.0+dfsg/debian/changelog --- cod-tools-3.1.0+dfsg/debian/changelog 2021-03-05 11:44:59.000000000 -0500 +++ cod-tools-3.1.0+dfsg/debian/changelog 2021-05-12 06:21:45.000000000 -0400 @@ -1,3 +1,9 @@ +cod-tools (3.1.0+dfsg-3) unstable; urgency=medium + + * Patching buffer overflow in code responsible for composing error messages. + + -- Andrius Merkys <merkys@debian.org> Wed, 12 May 2021 06:21:45 -0400 + cod-tools (3.1.0+dfsg-2) unstable; urgency=medium * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff --- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 1969-12-31 19:00:00.000000000 -0500 +++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 2021-05-12 06:18:47.000000000 -0400
@@ -0,0 +1,21 @@ +Description: Fixes buffer overflow. +Author: Andrius Merkys <merkys@debian.org> +Forwarded: mailto:cod-bugs@ibt.lt +--- a/src/externals/cexceptions/cxprintf.c ++++ b/src/externals/cexceptions/cxprintf.c +@@ -27,11 +27,11 @@ + + const char* vcxprintf( const char * format, va_list args ) + { +- static char error_message[200] = ""; ++ static char error_message[1024] = ""; ++ + +- /* + vsnprintf( error_message, sizeof(error_message), format, args ); +- */ +- vsprintf( error_message, format, args ); ++ ++ // vsprintf( error_message, format, args ); + return error_message; + } diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series cod-tools-3.1.0+dfsg/debian/patches/series --- cod-tools-3.1.0+dfsg/debian/patches/series 2021-03-05 11:44:59.000000000 -0500 +++ cod-tools-3.1.0+dfsg/debian/patches/series 2021-05-12 03:46:26.000000000 -0400 @@ -2,3 +2,4 @@ hardening.diff disable-test-network-access.diff spglib.diff +fix-buffer-overflow.diff
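Review bot: the changelog entry `* Patching buffer overflow in code responsible for composing error messages.` names neither the affected file nor the patch that carries the fix; since fix-buffer-overflow.diff is the substantive change in this upload, mention `src/externals/cexceptions/cxprintf.c` (the `vcxprintf` function) and that the fix was forwarded to cod-bugs@ibt.lt, so the entry can be matched to the patch when the package is audited later.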
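Review bot: the fix-buffer-overflow.diff hunk leaves the unbounded call behind as a comment (`++ // vsprintf( error_message, format, args );`) together with a stray blank `++` line; delete the `vsprintf` call outright rather than commenting it out, so it cannot be re-enabled by mistake, and keep the comment style consistent with the surrounding C file (the old guard used `/* */`, the new line uses `//`). The return value of `vsnprintf` is discarded, so a message longer than the enlarged 1024-byte `error_message` buffer is now silently cut off; comparing it against `sizeof(error_message)` would make the truncation visible to callers. The resize from 200 to 1024 bytes is independent of the overflow fix itself and deserves a sentence in the patch Description.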
--- End Message ---
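The request above describes the fix as switching from an unbounded write to a C function that writes no more bytes than the buffer holds. The following is an added example, not code from cod-tools or from the patch: a hypothetical stand-in for the `vcxprintf` function (`bounded_vcxprintf`, `bounded_cxprintf` and `bounded_cxprintf_truncated` are assumed names) that keeps the same shape, a fixed-size static buffer returned to the caller, but formats with `vsnprintf` and, going one step beyond the patch, checks the return value so that a message that did not fit is reported as truncated instead of silently cut off.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for vcxprintf(): formats into a fixed-size static
 * buffer and returns it, but the write is bounded by the buffer length.
 * The 1024-byte size mirrors the value chosen in the patch. */
#define ERROR_MESSAGE_SIZE 1024

static char error_message[ERROR_MESSAGE_SIZE] = "";
static int last_message_truncated = 0;

const char *bounded_vcxprintf(const char *format, va_list args)
{
    /* vsnprintf writes at most sizeof(error_message) bytes including the
     * terminating NUL and returns the length the complete message would
     * have had, so a return value >= the buffer size signals truncation. */
    int needed = vsnprintf(error_message, sizeof(error_message), format, args);
    if (needed < 0) {
        /* Encoding error: leave a well-defined empty message behind. */
        error_message[0] = '\0';
        last_message_truncated = 0;
    } else {
        last_message_truncated = (size_t)needed >= sizeof(error_message);
    }
    return error_message;
}

const char *bounded_cxprintf(const char *format, ...)
{
    va_list args;
    const char *message;
    va_start(args, format);
    message = bounded_vcxprintf(format, args);
    va_end(args);
    return message;
}

/* Reports whether the most recently composed message was cut short. */
int bounded_cxprintf_truncated(void)
{
    return last_message_truncated;
}

/* Demonstration helper: composes "Parse error: <payload>" where payload is a
 * constructed string of payload_len 'A' characters, and returns the length
 * actually stored. For payloads that do not fit, the stored length is capped
 * at ERROR_MESSAGE_SIZE - 1 instead of running past the buffer. */
size_t demo_message_length(size_t payload_len)
{
    char *payload = malloc(payload_len + 1);
    size_t stored;
    if (payload == NULL)
        return 0;
    memset(payload, 'A', payload_len);
    payload[payload_len] = '\0';
    stored = strlen(bounded_cxprintf("Parse error: %s", payload));
    free(payload);
    return stored;
}

int main(void)
{
    printf("short: \"%s\" (truncated=%d)\n",
           bounded_cxprintf("error at line %d", 42), bounded_cxprintf_truncated());
    printf("long: stored %zu bytes (truncated=%d)\n",
           demo_message_length(4000), bounded_cxprintf_truncated());
    return 0;
}
```

The static buffer is kept only to stay close to the shape of the original function; it means the returned pointer is overwritten on the next call, so callers that need to keep a message must copy it.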
--- Begin Message ---
- To: Andrius Merkys <merkys@debian.org>
- Cc: 988437-done@bugs.debian.org
- Subject: Re: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Sat, 15 May 2021 13:54:35 +0200
- Message-id: <YJ+2e7WChPw6DpEK@ramacher.at>
- In-reply-to: <f3736fb9-252e-01f9-749a-a9866b96c68d@debian.org>
- References: <243bb317-82b8-1ae0-9f49-2f847704b4fe@debian.org> <YJzzhkjlGF0zA1fR@ramacher.at> <f3736fb9-252e-01f9-749a-a9866b96c68d@debian.org>
On 2021-05-14 08:11:45, Andrius Merkys wrote:
> Control: tags -1 - moreinfo
>
> On 2021-05-13 12:38, Sebastian Ramacher wrote:
> > ACK, please remove the moreinfo tag once the new version is available in
> > unstable.
>
> Thanks, uploaded.

The package has autopkgtest and isn't a key package, so it will migrate
without an unblock. Closing.

Cheers
--
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature
--- End Message ---