
Bug#993792: bullseye-pu: package iotop-c/1.17-1



On Tue, 2021-09-07 at 20:14 +0100, Jonathan Wiltshire wrote:
> On Tue, Sep 07, 2021 at 08:38:58PM +0300, Boian Bonev wrote:

> 
> This is a behaviour change or enhancement; it is generally not OK in a
> stable update unless you can convince us it has a really good case, e.g.
> the only way to fix a security issue.

I see no point in doing that - those two fixes were improving user
experience, i.e. enhancements. Thanks for your advice.

> While you are doing that please also ensure the changelog refers to
> appropriate bugs in the BTS so that the changes are easily traced
> back.

Cannot do that - there was no bug filed for the problem initially; I
discovered it by browsing test cases that cause problems for a
similar package and using them as test cases for this one. Somehow I do
not see a point in filing a bug myself, assigning it to myself and closing
it immediately afterwards. If required, I will do so.

PFA the updated debdiff.

Thanks,
diff -Nru iotop-c-1.17/debian/changelog iotop-c-1.17/debian/changelog
--- iotop-c-1.17/debian/changelog	2021-02-06 03:02:03.000000000 +0200
+++ iotop-c-1.17/debian/changelog	2021-09-06 04:54:40.000000000 +0300
@@ -1,3 +1,10 @@
+iotop-c (1.17-1+deb11u1) bullseye; urgency=medium
+
+  * Backport bugfix from 1.18
+    - fix OOB access caused by UTF8 process names
+
+ -- Boian Bonev <bbonev@ipacct.com>  Mon, 06 Sep 2021 01:54:40 +0000
+
 iotop-c (1.17-1) unstable; urgency=medium
 
   * Update to new upstream release of 1.17
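Review bot: the new changelog entry (`  * Backport bugfix from 1.18`) carries no reference that lets the change be traced back, which is what the release team asked for. Since no Debian bug exists for the crash, the entry could cite what the patch header already names, e.g. `    - fix OOB access caused by UTF8 process names (LP: #1932523, upstream commit 8aaa4fce)`, or this pu bug #993792.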
diff -Nru iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch
--- iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,20 @@
+Description: Fix OOB access on some UTF input
+ On architectures with signed char type and input that is >=128 there is
+ an out-of-bounds access causing SIGSEGV. It is most probably not exploitable
+ but degrades user experience.
+---
+Origin: upstream, https://github.com/Tomas-M/iotop/commit/8aaa4fce743cf14a5a727c6cb24c63450d317a28
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/utils.c
++++ iotop-c-1.17/src/utils.c
+@@ -171,7 +171,7 @@ inline const char *esc_low_ascii1(char c
+ 	static char ehex[0x20][6];
+ 	static int initialized=0;
+ 
+-	if (c>=0x20) // no escaping needed
++	if (c<0||c>=0x20) // no escaping needed
+ 		return NULL;
+ 	if (!initialized) {
+ 		int i;
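Review bot: the added condition `c<0||c>=0x20` only matters where `char` is signed (x86, amd64); on Debian's unsigned-char architectures (ARM, PowerPC, s390x) `c<0` is never true and GCC may flag it with `-Wtype-limits`, though those architectures were never affected because the negative index into `ehex[0x20][6]` cannot arise there. A single portable form would be `if ((unsigned char)c>=0x20)`, but the line as written matches the cited upstream commit, which is the right choice for a stable backport.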
diff -Nru iotop-c-1.17/debian/patches/series iotop-c-1.17/debian/patches/series
--- iotop-c-1.17/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/series	2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1 @@
+fix-OOB-on-utf.patch
