Bug#993792: bullseye-pu: package iotop-c/1.17-1
On Tue, 2021-09-07 at 20:14 +0100, Jonathan Wiltshire wrote:
> On Tue, Sep 07, 2021 at 08:38:58PM +0300, Boian Bonev wrote:
>
> This is behaviour change or enhancement, it is generally not OK in a stable
> update unless you can convince us it has a really good case e.g. the only
> way to fix a security issue.
I see no point in doing that - those two fixes were improving user
experience, i.e. enhancements. Thanks for your advice.
> While you are doing that please also ensure the changelog refers to
> appropriate bugs in the BTS so that the changes are easily traced
> back.
Cannot do that - there was no bug filed for the problem initially; I
have discovered it by browsing test cases that cause problems for a
similar package and using them as test cases for this one. Somehow I do
not see a point in filing a bug myself, assign it to myself and close
it immediately afterwards. If required, I will do.
PFA the updated debdiff.
Thanks,
diff -Nru iotop-c-1.17/debian/changelog iotop-c-1.17/debian/changelog
--- iotop-c-1.17/debian/changelog 2021-02-06 03:02:03.000000000 +0200
+++ iotop-c-1.17/debian/changelog 2021-09-06 04:54:40.000000000 +0300
@@ -1,3 +1,10 @@
+iotop-c (1.17-1+deb11u1) bullseye; urgency=medium
+
+ * Backport bugfix from 1.18
+ - fix OOB access caused by UTF8 process names
+
+ -- Boian Bonev <bbonev@ipacct.com> Mon, 06 Sep 2021 01:54:40 +0000
+
iotop-c (1.17-1) unstable; urgency=medium
* Update to new upstream release of 1.17
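Review bot: The new 1.17-1+deb11u1 entry gives no traceable reference for "fix OOB access caused by UTF8 process names", even though the patch header further down already carries an upstream commit URL and a Bug-Ubuntu link. Naming the patch file (fix-OOB-on-utf.patch) and one of those references on that changelog line would let a reader of the changelog alone trace the fix back, which is what the quoted request asks for. The entry also says only "Backport bugfix from 1.18"; stating that the symptom is a SIGSEGV on signed-char architectures, as the patch description does, would make the case for a stable update visible in the changelog itself.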
diff -Nru iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch
--- iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,20 @@
+Description: Fix OOB access on some UTF input
+ On architectures with signed char type and input that is >=128 there is
+ an out-of-bounds access causing SIGSEGV. It is most probably not exploitable
+ but degrades user experience.
+---
+Origin: upstream, https://github.com/Tomas-M/iotop/commit/8aaa4fce743cf14a5a727c6cb24c63450d317a28
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/utils.c
++++ iotop-c-1.17/src/utils.c
+@@ -171,7 +171,7 @@ inline const char *esc_low_ascii1(char c
+ static char ehex[0x20][6];
+ static int initialized=0;
+
+- if (c>=0x20) // no escaping needed
++ if (c<0||c>=0x20) // no escaping needed
+ return NULL;
+ if (!initialized) {
+ int i;
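Review bot: In the changed condition `if (c<0||c>=0x20)`, the `c<0` half only has an effect where plain `char` is signed; where it is unsigned the comparison is always false and may draw a type-limits warning from the compiler. Testing the byte value directly, for example `if ((unsigned char)c>=0x20)`, expresses the same bound for indexing `ehex[0x20][6]` without depending on the platform's char signedness. The retained comment "no escaping needed" now also covers bytes >=128, so it is worth saying there that high bytes (UTF-8 sequences) are passed through unescaped on purpose. Separately, in the patch header the `---` line sits before Origin, Bug-Ubuntu and Last-Update; DEP-3 parsers stop reading metadata at that line, so those three fields should move above it.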
diff -Nru iotop-c-1.17/debian/patches/series iotop-c-1.17/debian/patches/series
--- iotop-c-1.17/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/series 2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1 @@
+fix-OOB-on-utf.patch