
Bug#1074142: marked as done (bullseye-pu: package indent/2.2.12-1+deb11u1)



Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id <27c418b1a49ffc566f1b9635359e59f6a742be26.camel@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1074142,
regarding bullseye-pu: package indent/2.2.12-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1074142: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074142
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: indent@packages.debian.org, sanvila@debian.org
Control: affects -1 + src:indent

[ Reason ]
Fix several memory handling bugs, already fixed in stable.

[ Impact ]
Without those fixes, indent crashes with several real-life inputs.

[ Tests ]
I've tested the resulting package and it fixes the reported problems.

[ Risks ]
Quite low, the fixes have been in stable and testing for a long time.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
This release is essentially the same as 2.2.12-1 currently in bullseye,
but adding the following patches taken verbatim from 2.2.12-4+deb12u3
currently in bookworm:

02-restore-round-up-macro-and-adjust-initial-buffer-size.patch
03-fix-an-out-of-buffer-read.patch
04-fix-a-heap-buffer-overwrite.patch
05-fix-a-heap-buffer-underread-in-set-buf-break.patch

Therefore, this upload will make the bullseye version functionally
equivalent to the bookworm version.

[ Other info ]
I've already made the upload.
diff -Nru indent-2.2.12/debian/changelog indent-2.2.12/debian/changelog
--- indent-2.2.12/debian/changelog	2019-01-27 22:35:20.000000000 +0100
+++ indent-2.2.12/debian/changelog	2024-06-23 18:25:00.000000000 +0200
@@ -1,3 +1,19 @@
+indent (2.2.12-1+deb11u1) bullseye; urgency=low
+
+  * Restore the ROUND_UP macro and adjust the initial buffer size.
+    Patch from the author, backported from 2.2.13.
+    Fix memory handling problem. Closes: #1036851.
+  * Apply two patches by Petr Písař <ppisar@redhat.com>.
+  - Fix an out-of-buffer read in search_brace()/lexi() on an condition
+    without parentheses followed with an overlong comment.
+  - Fix a heap buffer overwrite in search_brace(). Closes: #1049366.
+    This one is CVE-2023-40305.
+  * Fix a heap buffer underread in set_buf_break(). Closes: #1061543.
+    Patch by Petr Písař <ppisar@redhat.com>.
+    This is CVE-2024-0911.
+
+ -- Santiago Vila <sanvila@debian.org>  Sun, 23 Jun 2024 18:25:00 +0200
+
 indent (2.2.12-1) unstable; urgency=low
 
   * New upstream release. Closes: #916199.
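Review bot: "on an condition" in the second bullet should read "on a condition". Otherwise the entries are consistent with the rest of the debdiff: the four bullets correspond, in order, to the four files added under debian/patches and listed in series, and CVE-2023-40305 is the same identifier patch 04 carries in its Subject. The out-of-buffer read bullet has no Closes: of its own even though patch 03's Bug-Debian header points at #1049366; the overwrite bullet already closes that bug, so nothing is lost, but saying that both patches belong to #1049366 would tie the changelog to the patch headers.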
diff -Nru indent-2.2.12/debian/patches/02-restore-round-up-macro-and-adjust-initial-buffer-size.patch indent-2.2.12/debian/patches/02-restore-round-up-macro-and-adjust-initial-buffer-size.patch
--- indent-2.2.12/debian/patches/02-restore-round-up-macro-and-adjust-initial-buffer-size.patch	1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/02-restore-round-up-macro-and-adjust-initial-buffer-size.patch	2024-06-23 17:01:00.000000000 +0200
@@ -0,0 +1,59 @@
+From: Andrej Shadura <andrew@shadura.me>
+Subject: Restore the ROUND_UP macro and adjust the initial buffer size.
+Bug-Debian: https://bugs.debian.org/1036851
+
+When need_chars was moved from "handletoken.h" to "handletoken.c",
+the ROUND_UP macro was removed, but the replacement was incorrect.
+
+This caused the program to exit with a "Virtual memory exhausted"
+error when it tried to reallocate 0 bytes (thus freeing the memory).
+It reallocated to 0 bytes because the initial buffer size was less
+than 1024, and the size calculation rounds down instead of up.
+
+Bug: #56644
+Fixes: c89d32a
+---
+ src/handletoken.c | 2 +-
+ src/indent.h      | 8 ++++++++
+ src/parse.c       | 2 +-
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/src/handletoken.c
++++ b/src/handletoken.c
+@@ -85,7 +85,7 @@
+ 
+     if (current_size + needed >= (size_t)bp->size)
+     {
+-        bp->size = ((current_size + needed) & (size_t)~1023);
++        bp->size = ROUND_UP (current_size + needed, 1024);
+         bp->ptr = xrealloc(bp->ptr, bp->size);
+         if (bp->ptr == NULL)
+         {
+--- a/src/indent.h
++++ b/src/indent.h
+@@ -66,6 +66,14 @@
+ 
+ #include "lexi.h"
+ 
++/**
++ * Round up P to be a multiple of SIZE.
++ */
++
++#ifndef ROUND_UP
++#define ROUND_UP(p, size) (((unsigned long) (p) + (size) - 1) & ~((size) - 1))
++#endif
++
+ /** Values that `indent' can return for exit status.
+  *
+  *  `total_success' means no errors or warnings were found during a successful
+--- a/src/parse.c
++++ b/src/parse.c
+@@ -53,7 +53,7 @@
+ 
+ parser_state_ty *parser_state_tos = NULL;
+ 
+-#define INITIAL_BUFFER_SIZE 1000
++#define INITIAL_BUFFER_SIZE 1024
+ #define INITIAL_STACK_SIZE 2
+ 
+ /**
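Review bot: ROUND_UP in indent.h only rounds correctly when `size` is a power of two, because it masks with `~((size) - 1)`; the single caller passes 1024, but the doc comment above the macro should state that constraint so a later caller does not pass, say, 1000. The expression being replaced, `((current_size + needed) & (size_t)~1023)`, rounds down: any total below 1024 becomes 0 (the realloc-to-zero path the description mentions, which xrealloc then reports as exhausted memory), and a total such as 1500 becomes 1024, smaller than what the `>=` check just established was needed. The `(unsigned long)` cast in the macro is narrower than size_t on some non-Debian targets; none of Debian's release architectures are affected, but `(size_t)` would match the operand type used at the call site.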
diff -Nru indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch
--- indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch	1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch	2024-06-23 17:02:00.000000000 +0200
@@ -0,0 +1,17 @@
+From: Petr Písař <ppisar@redhat.com>
+Subject: Fix an out-of-buffer read in search_brace()/lexi()
+Bug-Debian: https://bugs.debian.org/1049366
+Forwarded: https://savannah.gnu.org/bugs/index.php?64503
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -145,8 +145,8 @@
+     parser_state_tos->search_brace = false;
+     bp_save = buf_ptr;
+     be_save = buf_end;
+-    buf_ptr = save_com.ptr;
+     need_chars (&save_com, 1);
++    buf_ptr = save_com.ptr;
+     buf_end = save_com.end;
+     save_com.end = save_com.ptr;        /* make save_com empty */
+ }
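Review bot: the reorder is the right fix: need_chars() may xrealloc() save_com.ptr (see handletoken.c in patch 02), so a `buf_ptr` captured before the call can point into freed memory once the buffer grows, and `buf_end` is already read after the call. A one-line comment above `need_chars (&save_com, 1);` saying that it may move save_com.ptr would stop the next refactor from hoisting the assignment back.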
diff -Nru indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch
--- indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch	1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch	2024-06-23 17:03:00.000000000 +0200
@@ -0,0 +1,15 @@
+From: Petr Písař <ppisar@redhat.com>
+Subject: Fix a heap buffer overwrite in search_brace() (CVE-2023-40305)
+Bug-Debian: https://bugs.debian.org/1049366
+Forwarded: https://savannah.gnu.org/bugs/index.php?64503
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -228,6 +228,7 @@
+                  * a `dump_line' call, thus ensuring that the brace
+                  * will go into the right column. */
+ 
++                need_chars (&save_com, 2);
+                 *save_com.end++ = EOL;
+                 *save_com.end++ = '{';
+                 save_com.len += 2;
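Review bot: the reservation of 2 bytes matches the two byte stores and the `save_com.len += 2` that follows, so this write path is covered; it is worth confirming that the other `*save_com.end++ = ...` stores in search_brace() either sit behind their own need_chars() call or cannot exceed space guaranteed by an earlier one, since the guard added here protects only these two bytes.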
diff -Nru indent-2.2.12/debian/patches/05-fix-a-heap-buffer-underread-in-set-buf-break.patch indent-2.2.12/debian/patches/05-fix-a-heap-buffer-underread-in-set-buf-break.patch
--- indent-2.2.12/debian/patches/05-fix-a-heap-buffer-underread-in-set-buf-break.patch	1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/05-fix-a-heap-buffer-underread-in-set-buf-break.patch	2024-06-23 17:04:00.000000000 +0200
@@ -0,0 +1,16 @@
+From: Petr Písař <ppisar@redhat.com>
+Subject: Fix a heap buffer underread in set_buf_break()
+Bug-Debian: https://bugs.debian.org/1061543
+Forwarded: https://lists.gnu.org/archive/html/bug-indent/2024-01/msg00001.html
+
+--- a/src/output.c
++++ b/src/output.c
+@@ -290,7 +290,7 @@
+     /* Did we just parse a bracket that will be put on the next line
+      * by this line break? */
+ 
+-    if ((*token == '(') || (*token == '['))
++    if (level > 0 && ((*token == '(') || (*token == '[')))
+     {
+         --level;                        /* then don't take it into account */
+     }
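Review bot: the added `level > 0` test keeps `--level` from taking `level` below zero (or wrapping it, if `level` is unsigned) when the current token is an opening bracket that has not yet been counted; the hunk does not show how `level` is used afterwards, so a short comment on why it can legitimately be 0 at this point would make the intent clear to a later reader. The Subject should also carry CVE-2024-0911, as patch 04's Subject carries CVE-2023-40305; at present the identifier appears only in d/changelog, so someone grepping debian/patches for it finds nothing.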
diff -Nru indent-2.2.12/debian/patches/series indent-2.2.12/debian/patches/series
--- indent-2.2.12/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/series	2024-06-23 17:00:00.000000000 +0200
@@ -0,0 +1,4 @@
+02-restore-round-up-macro-and-adjust-initial-buffer-size.patch
+03-fix-an-out-of-buffer-read.patch
+04-fix-a-heap-buffer-overwrite.patch
+05-fix-a-heap-buffer-underread-in-set-buf-break.patch
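Review bot: the series starts at 02 with no 01; if bookworm's 01 patch was left out on purpose because it is already part of 2.2.12-1 or does not apply, a sentence in d/changelog or the bug report saying so would stop the gap from reading as an omission. The four entries match the files added in this debdiff and the patches the bug report lists, in the same order.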

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---
