Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
The attached debdiff for libzen fixes CVE-2020-36646 in Bullseye. It has already been uploaded to all releases from Jessie to Buster. This CVE has been marked as no-dsa by the security team. Thorsten
diff -Nru libzen-0.4.38/debian/changelog libzen-0.4.38/debian/changelog
--- libzen-0.4.38/debian/changelog 2020-04-10 17:32:09.000000000 +0200
+++ libzen-0.4.38/debian/changelog 2023-01-28 13:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+libzen (0.4.38-1+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2020-36646
+ fix for possible null pointer dereference
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Sat, 28 Jan 2023 13:03:02 +0100
+
 libzen (0.4.38-1) unstable; urgency=medium
 * [7cc8350] New upstream version 0.4.38
diff -Nru libzen-0.4.38/debian/patches/CVE-2020-36646.patch libzen-0.4.38/debian/patches/CVE-2020-36646.patch
--- libzen-0.4.38/debian/patches/CVE-2020-36646.patch 1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/CVE-2020-36646.patch 2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1,27 @@
+commit 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408
+Author: Pave Pimenov <pavel.pime...@gmail.com>
+Date: Sat Sep 12 07:46:47 2020 +0300
+
+ fix V522 [CWE-690] There might be dereferencing of a potential null pointer 'Gmt'.
+
+diff --git a/Source/ZenLib/Ztring.cpp b/Source/ZenLib/Ztring.cpp
+index bc38fe4..21bbc58 100644
+--- a/Source/ZenLib/Ztring.cpp
++++ b/Source/ZenLib/Ztring.cpp
+@@ -1364,6 +1364,8 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const int32u Value)
+ #endif
+ Ztring DateT;
+ Ztring Date;
++ if (Gmt)
++ {
+ Date+=Ztring::ToZtring((Gmt->tm_year+1900));
+ Date+=__T("-");
+ DateT.From_Number(Gmt->tm_mon+1); if (DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_mon+1);}
+@@ -1381,6 +1383,7 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const int32u Value)
+ DateT.From_Number(Gmt->tm_sec); if (DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_sec);}
+ Date+=DateT;
+ assign (Date.c_str());
++ }
+ return *this;
+ }
+
diff -Nru libzen-0.4.38/debian/patches/series libzen-0.4.38/debian/patches/series
--- libzen-0.4.38/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/series 2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1 @@
+CVE-2020-36646.patch
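Review bot: The added `if (Gmt)` guard turns the null case into a silent no-op: when `Gmt` is NULL the `assign (Date.c_str())` call is skipped and `*this` is returned unchanged, so a caller cannot tell a failed conversion from a valid date and may keep reading whatever the Ztring held before as a timestamp. Making the failure visible, e.g. `else clear();` after the new closing brace, is an upstream behaviour decision rather than something this Debian patch should change on its own, so at minimum the guard deserves a comment such as `// Gmt is NULL when the time conversion above failed: leave *this untouched instead of dereferencing it`. Date_From_Seconds_1970_Local starts outside the hunk, so where `Gmt` is obtained, and whether other Date_From_* variants in Ztring.cpp derive their `tm` pointer the same way and need the same check, is not visible here.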