Hi Colin,

At 2026-01-10T21:07:49+0000, Colin Watson wrote:
> On Sat, Jan 10, 2026 at 05:01:12AM -0600, G. Branden Robinson wrote:
> > Between glibc malloc's and Debian's hardening flags, this problem
> > appears to be pre-mitigated, at least as far back as groff 1.22.4-6.
> [...]
> > $ ~/groff-1.23.0/bin/groff -p /tmp/bigger-crasher.groff
> > *** stack smashing detected ***: terminated
> > /home/branden/groff-1.23.0/bin/groff: error: pic: Aborted (core dumped)
> > $ /usr/bin/groff -p /tmp/bigger-crasher.groff
> > *** stack smashing detected ***: terminated
> > /usr/bin/groff: pic: Signal 6 (core dumped)
> >
> > Perhaps these findings put a ceiling on the potential severity of this
> > bug report.
>
> Given your output I'm inclined to agree. In this case I think it
> would be fine to just pick this fix up when you release 1.24.0, and
> not worry about backporting it to stable releases?

I don't object.

This episode brought an unfortunate case of my own ignorance to light. I logged into salsa (after updating my expired SSH key), and could not see how to cherry-pick anything from groff upstream. Salsa's idea of groff upstream seems to halt with the '1.23.0' tag, yet you've cherry-picked stuff from groff's post-1.23.0 master branch more than once.

How do you do it? Feel free to point me to an existing document for n00bs.

> CCing team@security to double-check. (I haven't included the whole
> history; see https://bugs.debian.org/1125162.)

My thanks in advance to the security team for the consult.

Regards,
Branden

