Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu


The attached debdiff for libzen fixes CVE-2020-36646 in Bullseye.
It has already been uploaded to all releases from Jessie to Buster.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru libzen-0.4.38/debian/changelog libzen-0.4.38/debian/changelog
--- libzen-0.4.38/debian/changelog      2020-04-10 17:32:09.000000000 +0200
+++ libzen-0.4.38/debian/changelog      2023-01-28 13:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+libzen (0.4.38-1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-36646
+    fix for possible null pointer dereference
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sat, 28 Jan 2023 13:03:02 +0100
+
 libzen (0.4.38-1) unstable; urgency=medium
 
   * [7cc8350] New upstream version 0.4.38
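Review bot: the CVE bullet in the new changelog entry says what is fixed ("possible null pointer dereference") but not where; since the change is local to one function, naming it (Ztring::Date_From_Seconds_1970_Local, per the patch) in the bullet would let someone reading the changelog judge exposure without opening debian/patches. Version 0.4.38-1+deb11u1, target distribution bullseye and urgency=high are consistent with each other and with the LTS-style upload described in the cover mail.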
diff -Nru libzen-0.4.38/debian/patches/CVE-2020-36646.patch 
libzen-0.4.38/debian/patches/CVE-2020-36646.patch
--- libzen-0.4.38/debian/patches/CVE-2020-36646.patch   1970-01-01 
01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/CVE-2020-36646.patch   2023-01-28 
13:03:02.000000000 +0100
@@ -0,0 +1,27 @@
+commit 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408
+Author: Pave Pimenov <pavel.pime...@gmail.com>
+Date:   Sat Sep 12 07:46:47 2020 +0300
+
+    fix V522 [CWE-690] There might be dereferencing of a potential null 
pointer 'Gmt'.
+
+diff --git a/Source/ZenLib/Ztring.cpp b/Source/ZenLib/Ztring.cpp
+index bc38fe4..21bbc58 100644
+--- a/Source/ZenLib/Ztring.cpp
++++ b/Source/ZenLib/Ztring.cpp
+@@ -1364,6 +1364,8 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const 
int32u Value)
+     #endif
+     Ztring DateT;
+     Ztring Date;
++    if (Gmt)
++    {
+     Date+=Ztring::ToZtring((Gmt->tm_year+1900));
+     Date+=__T("-");
+     DateT.From_Number(Gmt->tm_mon+1); if 
(DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_mon+1);}
+@@ -1381,6 +1383,7 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const 
int32u Value)
+     DateT.From_Number(Gmt->tm_sec); if 
(DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_sec);}
+     Date+=DateT;
+     assign (Date.c_str());
++    }
+     return *this;
+ }
+ 
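Review bot: the guard added in the first hunk (`if (Gmt)` / `{`) is only closed by the `}` added in the second hunk immediately before `return *this;`, so when Gmt is null the function now silently returns the Ztring with whatever contents it previously held instead of dereferencing the pointer; that removes the crash, but a caller cannot tell a failed conversion from a successful one and may treat a stale value as the converted date. Consider clearing the string before the guard, or at least documenting in the patch description that the previous contents are preserved on failure. The body inside the new block is also not re-indented, which keeps the backport minimal but leaves the braces visually unmatched with the enclosed statements. Finally, the patch file carries only the raw upstream commit header; adding DEP-3 `Origin:` (upstream commit 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408) and a CVE/bug reference line would make its provenance verifiable from the file itself.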
diff -Nru libzen-0.4.38/debian/patches/series 
libzen-0.4.38/debian/patches/series
--- libzen-0.4.38/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/series 2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1 @@
+CVE-2020-36646.patch