Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

swath has got a trivial security fix, addressing Bug #698189, which the security team considers trivial enough to upload to stable-proposed-updates. (See the quoted conversation below.)

The prepared upload can be found here:

http://linux.thai.net/~thep/debs/swath-squeeze/swath_0.4.0-4+squeeze1.dsc

The debdiff is also attached for your review.

On Mon, Jan 21, 2013 at 4:14 PM, Yves-Alexis Perez <cor...@debian.org> wrote:
> On lun., 2013-01-21 at 15:56 +0700, Theppitak Karoonboonyanan wrote:
>> Dear security team,
>>
>> I have received a report of a potential buffer overflow vulnerability in
>> swath, which allows shell injection via a long command-line argument:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698189
>>
>> The exploit is not known yet, but the report is already public
>> (in the bug log).
>>
>> Both stable (0.4.0-4) and testing/unstable (0.4.3-2) versions are
>> affected.
>>
>> For testing/unstable, the fix has been uploaded (0.4.3-3).
>> For stable, I have prepared the deb for your review here:
>>
>> http://linux.thai.net/~thep/debs/swath-squeeze/swath_0.4.0-4+squeeze1.dsc
>>
>> The debdiff is also attached.
>
> Thanks for the report. It doesn't look bad enough to warrant a DSA imho.
> Can you please ask release team for a stable upload? I'll contact
> oss-sec to have a CVE assigned.
>
> Regards,
> --
> Yves-Alexis

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=th_TH.utf8, LC_CTYPE=th_TH.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru swath-0.4.0/debian/changelog swath-0.4.0/debian/changelog --- swath-0.4.0/debian/changelog 2010-01-14 15:24:18.000000000 +0700 +++ swath-0.4.0/debian/changelog 2013-01-21 16:26:19.000000000 +0700 @@ -1,3 +1,11 @@ +swath (0.4.0-4+squeeze1) stable; urgency=high + + * debian/patches/01_buffer-overflow.patch: backport patch from upstream + to fix potential buffer overflow in Mule mode. + Thanks Dominik Maier for the report. (Closes: #698189) + + -- Theppitak Karoonboonyanan <t...@debian.org> Mon, 21 Jan 2013 15:03:30 +0700 + swath (0.4.0-4) unstable; urgency=low * debian/rules: Fix failure to build twice in a row: diff -Nru swath-0.4.0/debian/patches/01_buffer-overflow.patch swath-0.4.0/debian/patches/01_buffer-overflow.patch --- swath-0.4.0/debian/patches/01_buffer-overflow.patch 1970-01-01 07:00:00.000000000 +0700 +++ swath-0.4.0/debian/patches/01_buffer-overflow.patch 2013-01-21 16:26:19.000000000 +0700 @@ -0,0 +1,22 @@ +Author: Theppitak Karoonboonyanan <t...@linux.thai.net> +Description: Fix potential buffer overflow +Origin: backport, http://linux.thai.net/websvn/wsvn/software.swath/trunk?op=revision&rev=238&peg=238 +Bug-Debian: http://bugs.debian.org/698189 + +Index: swath/src/wordseg.cpp +=================================================================== +--- swath.orig/src/wordseg.cpp 2013-01-21 13:19:24.261886743 +0700 ++++ swath/src/wordseg.cpp 2013-01-21 13:20:31.693890376 +0700 +@@ -253,11 +253,7 @@ + } + delete FltX; + }else{ +- char stopstr[20]; +- if (muleMode) +- strcpy(stopstr,wbr); +- else +- stopstr[0]='\0'; ++ const char *stopstr = muleMode ? wbr : ""; + for (;;) { // read until end of file. + if (mode == 0) printf("Input : "); + for (i = 0; ((c = fgetc(tmpin)) != '\n') diff -Nru swath-0.4.0/debian/patches/series swath-0.4.0/debian/patches/series --- swath-0.4.0/debian/patches/series 1970-01-01 07:00:00.000000000 +0700 +++ swath-0.4.0/debian/patches/series 2013-01-21 16:26:19.000000000 +0700 @@ -0,0 +1 @@ +01_buffer-overflow.patch
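
Review bot: In the debian/changelog hunk, the new entry says only "potential buffer overflow in Mule mode" and does not name the input that reaches it. The wordseg.cpp change shows the overflow was a strcpy of wbr into char stopstr[20], so stating that in the entry (the word-break string copied into a 20-byte buffer) would let stable users judge their exposure from the changelog alone. The entry also sets urgency=high while the accompanying mail calls the fix trivial; please confirm that is the intended value for this upload.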
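
Review bot: In the wordseg.cpp hunk inside 01_buffer-overflow.patch, stopstr changes from a private 20-byte copy to a pointer that aliases wbr, so the fix is only sound if wbr stays valid and unmodified for the whole read loop and nothing later in the function writes through stopstr; the visible context shows neither. The const qualifier makes the compiler reject direct writes, but please confirm that every later use of stopstr takes a const char * without a cast, and that wbr is not freed or reassigned before the loop ends. The Description field in the patch header would also be more useful if it said that the overflow was the unbounded strcpy(stopstr,wbr) into char stopstr[20].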