Your message dated Sat, 09 Nov 2024 10:51:02 +0000 with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk> and subject line Closing bugs released with 12.8 has caused the Debian Bug report #1085430, regarding bookworm-pu: package xfpt/0.11-1+deb12u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1085430: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085430 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package xfpt/0.11-1+deb12u1
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Sat, 19 Oct 2024 14:11:18 +0200
- Message-id: <ZxOh5ryH1ElWek4H@argenau.bebt.de>
Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: xfpt@packages.debian.org Control: affects -1 + src:xfpt User: release.debian.org@packages.debian.org Usertags: pu Hello, I would like to fix a minor security issue (#1080219 CVE-2024-43700) in stable, no DSA is planned. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable This is pretty straightforward cherry-pick of the upstream change, just dropping some noise (copyright year and version bump.) cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'diff -Nru xfpt-0.11/debian/changelog xfpt-0.11/debian/changelog --- xfpt-0.11/debian/changelog 2020-09-18 11:13:36.000000000 +0200 +++ xfpt-0.11/debian/changelog 2024-10-19 13:32:57.000000000 +0200 @@ -1,3 +1,11 @@ +xfpt (0.11-1+deb12u1) bookworm; urgency=medium + + * Cherry-pick 30-Diagnose-error-if-macro-expansion-makes-a-line-too-l.patch + from upstream GIT master to fix buffer overflow CVE-2024-43700. + Closes: #1080219 + + -- Andreas Metzler <ametzler@debian.org> Sat, 19 Oct 2024 13:32:57 +0200 + xfpt (0.11-1) unstable; urgency=low * Fix watchfile (report functionality). diff -Nru xfpt-0.11/debian/patches/30-Diagnose-error-if-macro-expansion-makes-a-line-too-l.patch xfpt-0.11/debian/patches/30-Diagnose-error-if-macro-expansion-makes-a-line-too-l.patch --- xfpt-0.11/debian/patches/30-Diagnose-error-if-macro-expansion-makes-a-line-too-l.patch 1970-01-01 01:00:00.000000000 +0100 +++ xfpt-0.11/debian/patches/30-Diagnose-error-if-macro-expansion-makes-a-line-too-l.patch 2024-10-19 13:32:57.000000000 +0200 @@ -0,0 +1,280 @@ +From a690304bbd3fd19e9dfdad50dcc87ad829f744e4 Mon Sep 17 00:00:00 2001 +From: Philip Hazel <Philip.Hazel@gmail.com> +Date: Sun, 11 Aug 2024 17:43:41 +0100 +Subject: [PATCH] Diagnose error if macro expansion makes a line too long for + its buffer + +--- + ChangeLog | 7 +++++++ + src/dot.c | 9 +++++++-- + src/error.c | 7 ++++--- + src/functions.h | 4 ++-- + src/globals.c | 4 ++-- + src/para.c | 5 +++-- + src/read.c | 27 +++++++++++++++++++++------ + src/structs.h | 3 ++- + testing/infiles/07 | 5 +++++ + testing/outfiles/07 | 1 + + testing/outfiles/07.err | 4 ++++ + testing/outfiles/cmd.err | 2 +- + 12 files changed, 59 insertions(+), 19 deletions(-) + create mode 100644 testing/infiles/07 + create mode 100644 testing/outfiles/07 + create mode 100644 testing/outfiles/07.err + +--- a/src/dot.c ++++ b/src/dot.c +@@ -467,10 +467,11 @@ while (*p != 0) + argstr *as = misc_malloc(sizeof(argstr)); + as->next = NULL; + *pp = as; + pp = &(as->next); + as->string = misc_readitem(p, NULL, &length, NULL, 0); ++ as->length = length; + p += length; + } + + pp = &(md->lines); + for (;;) +@@ -488,21 +489,24 @@ for (;;) + + as = misc_malloc(sizeof(argstr)); + as->next = NULL; + *pp = as; + pp = &(as->next); +- as->string = misc_copystring(line, Ustrlen(line)); ++ length = Ustrlen(line); ++ as->string = misc_copystring(line, length); ++ as->length = length; + } + + /* If there aren't any replacement lines, fake up a comment so that there's + always something for a macro to generate. */ + + if (md->lines == NULL) + { + md->lines = misc_malloc(sizeof(argstr)); + md->lines->next = NULL; + md->lines->string = misc_copystring(US". Dummy line\n", 13); ++ md->lines->length = 13; + } + } + + + +@@ -900,10 +904,11 @@ while (*p != 0) + argstr *as = misc_malloc(sizeof(argstr)); + as->next = NULL; + *pp = as; + pp = &(as->next); + as->string = misc_readitem(p, NULL, &length, NULL, 0); ++ as->length = length; + p += length; + } + } + + /* End of dot.c */ +--- a/src/error.c ++++ b/src/error.c +@@ -78,11 +78,12 @@ static error_struct error_data[] = { + { ec_serious, "\".nest end\" incorrectly nested" }, + { ec_serious, "missing delimiter after $=%d at end of line" }, + /* 30-34 */ + { ec_serious, "bad macro argument substitution: %s follows \"%s\"" }, + { ec_serious, "binary zero in input ignored" }, +-{ ec_disaster, "input sources too deeply nested" } ++{ ec_disaster, "input sources too deeply nested" }, ++{ ec_disaster, "maximum line length exceeded during macro substitution" } + }; + + #define error_maxerror (int)(sizeof(error_data)/sizeof(error_struct)) + + +--- a/src/functions.h ++++ b/src/functions.h +@@ -20,11 +20,11 @@ extern uschar *misc_readstring(uscha + + extern void para_process(uschar *); + + extern uschar *read_nextline(void); + extern uschar *read_paragraph(uschar *, int *); +-extern void read_process_macroline(uschar *, uschar *); ++extern void read_process_macroline(uschar *, uschar *, int); + + extern int tree_insertnode(tree_node **, tree_node *); + extern tree_node *tree_search(tree_node *, uschar *); + + /* End of functions.h */ +--- a/src/para.c ++++ b/src/para.c +@@ -66,10 +66,11 @@ while (*q != 0 && *q != ')') + argstr *as = misc_malloc(sizeof(argstr)); + as->next = NULL; + *pp = as; + pp = &(as->next); + as->string = misc_readitem(q, US",)", &length, NULL, 0); ++ as->length = length; + q += length; + if (*q == ',') while (isspace(*(++q))); + } + + if (*q != ')') +@@ -88,11 +89,11 @@ para_inline_macro++; + + for (;;) + { + uschar buffer[INBUFFSIZE]; + +- read_process_macroline(macrocurrent->nextline->string, buffer); ++ read_process_macroline(macrocurrent->nextline->string, buffer, INBUFFSIZE); + + /* A directive such as .eacharg can skip to the end of the macro if there + is no .endeach. Detect this by looking for a change of macrocurrent value, + because there may be an enclosing macro. */ + +--- a/src/read.c ++++ b/src/read.c +@@ -29,11 +29,11 @@ Arguments: + + Returns: nothing + */ + + void +-read_process_macroline(uschar *p, uschar *b) ++read_process_macroline(uschar *p, uschar *b, int blen) + { + int optend = 0; + + while (*p != 0) + { +@@ -49,21 +49,27 @@ while (*p != 0) + optend = 0; + p++; + continue; + } + ++ /* Ensure at least 3 bytes left in the buffer because all cases except an ++ argument substitution (which does its own test) add no more than two bytes, ++ and the third is for the terminating zero. */ ++ ++ if (blen < 3) error(33); /* Hard error; does not return. */ ++ + /* Until we hit a dollar, just copy verbatim */ + +- if (*p != '$') { *b++ = *p++; continue; } ++ if (*p != '$') { *b++ = *p++; blen--; continue; } + + /* If dollar is at the end of the string, treat as literal. */ + + if (p[1] == 0) { *b++ = '$'; break; } + + /* If the character after $ is another $, insert a literal $. */ + +- if (p[1] == '$') { p++; *b++ = *p++; continue; } ++ if (p[1] == '$') { p++; *b++ = *p++; blen--; continue; } + + /* If the character after $ is +, we are dealing with arguments + relative to macro_arg0 in a ".eacharg" section. Otherwise, we are dealing + with an absolute argument number. */ + +@@ -73,10 +79,11 @@ while (*p != 0) + if (macro_argbase == NULL) /* Not in a .eacharg section */ + { + error(18); + *b++ = '$'; + *b++ = *p++; ++ blen -= 2; + continue; + } + argbase = macro_argbase; + } + else argbase = macrocurrent->args; +@@ -90,10 +97,11 @@ while (*p != 0) + { + if (p[1] == 0 || p[1] == '\n') error(30, "end of line", "$="); + else error(17, p[1], "$="); + *b++ = '$'; + *b++ = *p++; ++ blen -= 2; + continue; + } + while (isdigit(*(++p))) argn = argn * 10 + *p - '0'; + + if (*p == 0 || *p == '\n') +@@ -126,10 +134,11 @@ while (*p != 0) + if (!isdigit(p[1])) + { + if (*p == 0 || *p == '\n') error(30, "end of line", "$"); + else error(17, p[1], "$"); + *b++ = *p++; ++ blen--; + continue; + } + while (isdigit(*(++p))) argn = argn * 10 + *p - '0'; + + /* Handle $0 - currently no meaning */ +@@ -161,11 +170,16 @@ while (*p != 0) + } + } + + /* If we have found an argument, substitute it. */ + +- if (arg != NULL) b += sprintf(CS b, "%s", arg->string); ++ if (arg != NULL) ++ { ++ blen -= arg->length; ++ if (blen < 1) error(33); /* Hard; does not return */ ++ b += sprintf(CS b, "%s", arg->string); ++ } + } + + *b = 0; + } + +@@ -294,11 +308,12 @@ for (;;) + macrocurrent = macrocurrent->prev; + macro_free(temp); + } + else + { +- read_process_macroline(macrocurrent->nextline->string, inbuffer); ++ read_process_macroline(macrocurrent->nextline->string, inbuffer, ++ INBUFFSIZE); + macrocurrent->nextline = macrocurrent->nextline->next; + break; + } + } + +--- a/src/structs.h ++++ b/src/structs.h +@@ -42,10 +42,11 @@ typedef struct pushstr { + /* Macro content and argument item */ + + typedef struct argstr { + struct argstr *next; + uschar *string; ++ int length; + } argstr; + + /* Macro definition item */ + + typedef struct macrodef { +--- /dev/null ++++ b/testing/infiles/07 +@@ -0,0 +1,5 @@ ++.macro m1 one ++$1 ++.endmacro ++&m1(111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111) ++ +--- /dev/null ++++ b/testing/outfiles/07 +@@ -0,0 +1 @@ ++<para> +--- /dev/null ++++ b/testing/outfiles/07.err +@@ -0,0 +1,4 @@ ++** Error: maximum line length exceeded during macro substitution ++ Processing macro m1 ++ Detected near line 6 of infiles/07 ++** xfpt abandoned diff -Nru xfpt-0.11/debian/patches/series xfpt-0.11/debian/patches/series --- xfpt-0.11/debian/patches/series 2014-09-28 08:12:44.000000000 +0200 +++ xfpt-0.11/debian/patches/series 2024-10-19 13:32:57.000000000 +0200 @@ -1,2 +1,3 @@ 10_destdirsupport.diff 20_ld_and_cppflags.diff +30-Diagnose-error-if-macro-expansion-makes-a-line-too-l.patchAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 1074088-done@bugs.debian.org, 1074126-done@bugs.debian.org, 1076473-done@bugs.debian.org, 1077668-done@bugs.debian.org, 1079689-done@bugs.debian.org, 1079733-done@bugs.debian.org, 1080363-done@bugs.debian.org, 1080402-done@bugs.debian.org, 1080968-done@bugs.debian.org, 1081034-done@bugs.debian.org, 1081035-done@bugs.debian.org, 1081169-done@bugs.debian.org, 1081317-done@bugs.debian.org, 1081343-done@bugs.debian.org, 1081388-done@bugs.debian.org, 1081389-done@bugs.debian.org, 1081394-done@bugs.debian.org, 1081399-done@bugs.debian.org, 1081410-done@bugs.debian.org, 1081413-done@bugs.debian.org, 1081418-done@bugs.debian.org, 1081750-done@bugs.debian.org, 1082024-done@bugs.debian.org, 1082153-done@bugs.debian.org, 1082155-done@bugs.debian.org, 1082322-done@bugs.debian.org, 1082701-done@bugs.debian.org, 1082710-done@bugs.debian.org, 1082746-done@bugs.debian.org, 1082783-done@bugs.debian.org, 1082902-done@bugs.debian.org, 1082935-done@bugs.debian.org, 1083026-done@bugs.debian.org, 1083090-done@bugs.debian.org, 1083162-done@bugs.debian.org, 1083223-done@bugs.debian.org, 1084171-done@bugs.debian.org, 1084845-done@bugs.debian.org, 1084907-done@bugs.debian.org, 1085026-done@bugs.debian.org, 1085176-done@bugs.debian.org, 1085227-done@bugs.debian.org, 1085281-done@bugs.debian.org, 1085430-done@bugs.debian.org, 1085591-done@bugs.debian.org, 1085708-done@bugs.debian.org, 1085711-done@bugs.debian.org, 1085965-done@bugs.debian.org, 1086116-done@bugs.debian.org, 1086149-done@bugs.debian.org, 1086151-done@bugs.debian.org, 1086154-done@bugs.debian.org, 1086157-done@bugs.debian.org, 1086163-done@bugs.debian.org, 1086164-done@bugs.debian.org, 1086193-done@bugs.debian.org, 1086207-done@bugs.debian.org, 1086601-done@bugs.debian.org, 1086611-done@bugs.debian.org, 1086613-done@bugs.debian.org, 1086632-done@bugs.debian.org, 1081535-done@bugs.debian.org
- Subject: Closing bugs released with 12.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Nov 2024 10:51:02 +0000
- Message-id: <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
Source: release.debian.org Version: 12.8 Hi, Each of the updates tracked by these bugs was included in today's 12.8 bookworm point release. Regards, Adam
--- End Message ---