Argh! Here's a new deb diff file. I guess I will open a bug for dch to have a --oldstable flag :D Best -- Salvo Tomaselli "Io non mi sento obbligato a credere che lo stesso Dio che ci ha dotato di senso, ragione ed intelletto intendesse che noi ne facessimo a meno." -- Galileo Galilei https://ltworf.codeberg.page/
diff -Nru weborf-0.17/debian/changelog weborf-0.17/debian/changelog --- weborf-0.17/debian/changelog 2020-12-31 15:13:19.000000000 +0100 +++ weborf-0.17/debian/changelog 2023-10-24 09:54:15.000000000 +0200 @@ -1,3 +1,9 @@ +weborf (0.17-3+deb11u1) bullseye; urgency=medium + + * Backport patch from upstream to fix denial of service (Closes: 1054417) + + -- Salvo 'LtWorf' Tomaselli <tiposchi@tiscali.it> Tue, 24 Oct 2023 09:54:15 +0200 + weborf (0.17-3) unstable; urgency=medium * Disable most of the test suite (flaky on debian builders) diff -Nru weborf-0.17/debian/patches/cgi_buffer_fix.patch weborf-0.17/debian/patches/cgi_buffer_fix.patch --- weborf-0.17/debian/patches/cgi_buffer_fix.patch 1970-01-01 01:00:00.000000000 +0100 +++ weborf-0.17/debian/patches/cgi_buffer_fix.patch 2023-10-24 09:54:15.000000000 +0200 @@ -0,0 +1,25 @@ +Description: Fix incorrect memory operation + The original code failed to take into account the space needed for the + null terminator. + . + The patch just avoids the copy altogether, because it was not needed. +Author: Salvo "LtWorf" Tomaselli <tiposchi@tiscali.it> +Origin: upstream +Bug: <upstream-bugtracker-url> +Bug-Debian: https://bugs.debian.org/1054417 +Forwarded: not-needed +Applied-Upstream: 1.0 +Last-Update: 2023-10-23 + +--- weborf-0.19.orig/cgi.c ++++ weborf-0.19/cgi.c +@@ -228,8 +228,7 @@ static inline void cgi_execute_child(con + environ = NULL; //Clear env vars + + if (strlen(executor) == 0) { +- executor = malloc(connection_prop->strfile_len + 1); +- strncpy(executor, connection_prop->strfile, connection_prop->strfile_len); ++ executor = connection_prop->strfile; + } + + cgi_set_http_env_vars(connection_prop->http_param); diff -Nru weborf-0.17/debian/patches/series weborf-0.17/debian/patches/series --- weborf-0.17/debian/patches/series 2020-12-31 15:13:19.000000000 +0100 +++ weborf-0.17/debian/patches/series 2023-10-24 09:54:15.000000000 +0200 @@ -1,2 +1,3 @@ 0001-sleep_in_http 002-disable_tests +cgi_buffer_fix.patch
Attachment:
signature.asc
Description: This is a digitally signed message part.