
Bug#1111621: trixie-pu: package remind/05.03.07-1



Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: remind@packages.debian.org
Control: affects -1 + src:remind
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]

Potential buffer overflow leading to a segfault.

[ Impact ]

remind crashes in some configurations.

[ Tests ]

remind has an extensive test suite which by chance found the bug and
passes now. I also ran some manual tests on my data.

[ Risks ]

low. remind is not widely used and this is rather a corner case, also
the patch is rather simple.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

The variable is truncated to the buffer length before printing.
diff --git a/debian/changelog b/debian/changelog
index cc75c03..aef3024 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+remind (05.03.07-1+deb13u1) trixie; urgency=medium
+
+  * fixes buffer overflow in DUMPVARS (Closes: #1111581)
+
+ -- Jochen Sprickerhof <jspricke@debian.org>  Wed, 20 Aug 2025 09:58:01 +0200
+
 remind (05.03.07-1) unstable; urgency=medium
 
   * New upstream version 05.03.07
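Review bot: The new changelog entry at the top of this hunk reads only "fixes buffer overflow in DUMPVARS" and does not name the patch file that carries the fix. Suggest naming debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch in the entry so it maps directly to the file added, and noting the user-visible effect (the segfault given as the reason for this request) next to the bug number.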
diff --git a/debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch b/debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch
new file mode 100644
index 0000000..1bdf9e2
--- /dev/null
+++ b/debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch
@@ -0,0 +1,29 @@
+From: Jochen Sprickerhof <jspricke@debian.org>
+Date: Wed, 20 Aug 2025 09:56:39 +0200
+Subject: Fix buffer overflow in DUMPVARS
+
+---
+ src/var.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/var.c b/src/var.c
+index 7989cd5..c81d8f3 100644
+--- a/src/var.c
++++ b/src/var.c
+@@ -711,9 +711,14 @@ int DoDump(ParsePtr p)
+             DumpSysVarByName(DBufValue(&buf)+1);
+         } else {
+             v = FindVar(DBufValue(&buf), 0);
+-            DBufValue(&buf)[VAR_NAME_LEN] = 0;
+-            if (!v) fprintf(ErrFp, "%s  %s\n",
++            if (!v) {
++                if (DBufLen(&buf) > VAR_NAME_LEN) {
++                    /* Truncate over-long variable name */
++                    DBufValue(&buf)[VAR_NAME_LEN] = 0;
++                }
++                fprintf(ErrFp, "%s  %s\n",
+                             DBufValue(&buf), UNDEF);
++            }
+             else {
+                 fprintf(ErrFp, "%s  ", v->name);
+                 PrintValue(&(v->v), ErrFp);
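Review bot: The patch header (From/Date/Subject, then `---`) has no description and no bug or forwarding reference, so the file does not record why the change is needed or whether upstream has it. Suggest adding a short description saying that the removed line `DBufValue(&buf)[VAR_NAME_LEN] = 0;` wrote a terminator at a fixed offset regardless of the length of the name in the buffer, and that the replacement writes it only when `DBufLen(&buf) > VAR_NAME_LEN`, together with a reference to #1111581. As a style point, the new closing `}` followed by `else {` on its own line differs from the `} else {` form used a few lines above in the same function.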
diff --git a/debian/patches/series b/debian/patches/series
index 73c5c9f..19d789e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 use-system-libjsonparser.diff
+0002-Fix-buffer-overflow-in-DUMPVARS.patch
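Review bot: The added series entry is numbered 0002, but the only other patch in the series, use-system-libjsonparser.diff, is unnumbered and uses a .diff suffix, so there is no 0001 for it to follow. Either keep the existing naming scheme for the new file or note in the changelog that the numbering comes from the patch export, so a later reader does not look for a missing patch.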
