Bug#1059804: bullseye-pu: package exuberant-ctags/1:5.9~svn20110310-14+deb11u1

2024-02-01 Thread Colin Watson
On Thu, Feb 01, 2024 at 06:39:29AM +, Adam D. Barratt wrote:
> On Mon, 2024-01-01 at 17:20 +, Colin Watson wrote:
> > I'd like to belatedly fix CVE-2022-4515 in bullseye.
> 
> Please go ahead.

Uploaded, thanks.

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Bug#1059804: bullseye-pu: package exuberant-ctags/1:5.9~svn20110310-14+deb11u1

2024-01-31 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2024-01-01 at 17:20 +, Colin Watson wrote:
> I'd like to belatedly fix CVE-2022-4515 in bullseye.

Please go ahead.

Regards,

Adam



Bug#1059804: bullseye-pu: package exuberant-ctags/1:5.9~svn20110310-14+deb11u1

2024-01-01 Thread Colin Watson
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: exuberant-ct...@packages.debian.org
Control: affects -1 + src:exuberant-ctags

[ Reason ]
I'd like to belatedly fix CVE-2022-4515 in bullseye.

[ Impact ]
Security vulnerability as described in
https://security-tracker.debian.org/tracker/CVE-2022-4515, though the
security team has marked it no-dsa and asked that any fix go via a point
release instead.

[ Tests ]
I tested this manually by calling ctags with various -o options, e.g.
"ctags -o 'a b' -R", and checking that it produces the requested output
file names.

[ Risks ]
The fix is just a straight cherry-pick from bookworm (which in turn was
backported as closely as possible from universal-ctags upstream), and
while I hate the continued use of system(3) here it's probably better
than introducing a novel rewrite for a security update.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
As attached.  git-dpm has introduced a small amount of additional noise;
I didn't think it was worth the effort to persuade it to avoid that in
this case.

Thanks,

-- 
Colin Watson (he/him)  [cjwat...@debian.org]
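The quoting step named in the changelog entry, as an added example (not the patch from this package or from universal-ctags): the output file name is wrapped in single quotes for a POSIX shell before it is placed in a string for system(3). The names shell_quote and build_sort_command and the "sort -o" command line are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the packaged patch. Returns a malloc'd copy of `name`
 * wrapped in single quotes for a POSIX shell; every embedded ' is emitted
 * as '\'' (close quote, escaped quote, reopen). NULL on allocation failure. */
char *shell_quote(const char *name)
{
    size_t len = 2;                       /* opening and closing quote */
    for (const char *p = name; *p; p++)
        len += (*p == '\'') ? 4 : 1;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'')
            q = (char *)memcpy(q, "'\\''", 4) + 4;
        else
            *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Assumed command line for illustration: sort a tags file in place. */
char *build_sort_command(const char *file)
{
    char *quoted = shell_quote(file);
    if (quoted == NULL)
        return NULL;
    size_t n = strlen("sort -o ") + 2 * strlen(quoted) + 2; /* space + NUL */
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "sort -o %s %s", quoted, quoted);
    free(quoted);
    return cmd;
}

int main(void)
{
    char *cmd = build_sort_command("a b"); /* name from the [ Tests ] note */
    if (cmd == NULL) return 1;
    puts(cmd);                             /* the string system(3) would get */
    free(cmd);
    return 0;
}
```

Passing the file name as its own argv element to execvp(3) instead of building a shell string removes the need for quoting altogether.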
diff --git a/debian/.git-dpm b/debian/.git-dpm
index be86f1e84..e26b5ab8c 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-ed1d00e4c005ecc20f298630cce7635d88f5b669
-ed1d00e4c005ecc20f298630cce7635d88f5b669
+5c9ca1167f9eebf78bf28763e3604b1af79c967d
+5c9ca1167f9eebf78bf28763e3604b1af79c967d
 4b0ebb9d344fd369c889291478986c65a5a36ea8
 4b0ebb9d344fd369c889291478986c65a5a36ea8
 exuberant-ctags_5.9~svn20110310.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 62ccf7654..75c7d8e08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+exuberant-ctags (1:5.9~svn20110310-14+deb11u1) UNRELEASED; urgency=medium
+
+  * Backport from universal-ctags:
+- CVE-2022-4515: main: quote output file name before passing it to
+  system(3) function (closes: #1026995).
+
+ -- Colin Watson   Sun, 24 Dec 2023 12:41:53 +
+
 exuberant-ctags (1:5.9~svn20110310-14) unstable; urgency=low
 
   [ Debian Janitor ]
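Review bot: The distribution field on the first line of the new changelog entry is still UNRELEASED, which does not match the +deb11u1 version suffix or the bullseye target of this request. Set it to bullseye before the package is built for upload.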
diff --git a/debian/patches/gcc-no-common.patch 
b/debian/patches/gcc-no-common.patch
index 024422c9e..308f7d9c9 100644
--- a/debian/patches/gcc-no-common.patch
+++ b/debian/patches/gcc-no-common.patch
@@ -14,7 +14,7 @@ Patch-Name: gcc-no-common.patch
  2 files changed, 11 insertions(+), 11 deletions(-)
 
 diff --git a/objc.c b/objc.c
-index 2a5de58..a5811ec 100644
+index 2a5de58ab..a5811ec59 100644
 --- a/objc.c
 +++ b/objc.c
 @@ -432,16 +432,16 @@ typedef void (*parseNext) (vString * const ident, 
objcToken what);
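Review bot: Unrelated churn on the index line of the embedded objc.c diff: the ids go from 2a5de58..a5811ec to 2a5de58ab..a5811ec59, and the longer ids only extend the old ones, so the patch content itself has not changed. Regenerating the files under debian/patches with the earlier 7-character abbreviation would keep the debdiff down to the CVE fix; the same point applies to the other index-only hunks in ocaml.c, go.patch, jscript-set-tag-scope.patch and memmove.patch.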
@@ -38,7 +38,7 @@ index 2a5de58..a5811ec 100644
  
  /** Grammar */
 diff --git a/ocaml.c b/ocaml.c
-index 104a777..235862f 100644
+index 104a77706..235862fd3 100644
 --- a/ocaml.c
 +++ b/ocaml.c
 @@ -514,26 +514,26 @@ typedef void (*parseNext) (vString * const ident, 
ocaToken what);
diff --git a/debian/patches/go.patch b/debian/patches/go.patch
index 760f47bd0..bce44fd73 100644
--- a/debian/patches/go.patch
+++ b/debian/patches/go.patch
@@ -17,7 +17,7 @@ Patch-Name: go.patch
 
 diff --git a/go.c b/go.c
 new file mode 100644
-index 000..6bd3a36
+index 0..6bd3a369a
 --- /dev/null
 +++ b/go.c
 @@ -0,0 +1,670 @@
@@ -692,7 +692,7 @@ index 000..6bd3a36
 +  return def;
 +}
 diff --git a/parsers.h b/parsers.h
-index 600f636..3a24d6e 100644
+index 600f63614..3a24d6e09 100644
 --- a/parsers.h
 +++ b/parsers.h
 @@ -31,6 +31,7 @@
@@ -704,7 +704,7 @@ index 600f636..3a24d6e 100644
JavaParser, \
JavaScriptParser, \
 diff --git a/source.mak b/source.mak
-index c97617f..985d56c 100644
+index c97617f34..985d56cfc 100644
 --- a/source.mak
 +++ b/source.mak
 @@ -24,6 +24,7 @@ SOURCES = \
diff --git a/debian/patches/jscript-set-tag-scope.patch 
b/debian/patches/jscript-set-tag-scope.patch
index baf036ffc..a0958b573 100644
--- a/debian/patches/jscript-set-tag-scope.patch
+++ b/debian/patches/jscript-set-tag-scope.patch
@@ -17,7 +17,7 @@ Patch-Name: jscript-set-tag-scope.patch
  1 file changed, 51 insertions(+), 3 deletions(-)
 
 diff --git a/jscript.c b/jscript.c
-index 5de3367..a790355 100644
+index 5de3367f9..a790355b8 100644
 --- a/jscript.c
 +++ b/jscript.c
 @@ -215,6 +215,7 @@ static void deleteToken (tokenInfo *const token)
diff --git a/debian/patches/memmove.patch b/debian/patches/memmove.patch
index d23551a4b..b3e0ad9e1 100644
--- a/debian/patches/memmove.patch
+++ b/debian/patches/memmove.patch
@@ -16,7 +16,7 @@ Patch-Name: memmove.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/routines.c b/routines.c
-index 83bcdcc..8ebe2e0 100644
+index 83bcdccda..8ebe2e0ad 100644
 ---