Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear stable team, I would like to do an update of the confuse package in stretch to fix a security issue, CVE-2018-14447 / #904159. The patch to fix the issue is from upstream and is a one-liner. It's already present in testing/sid. You'll find the full diff below. Given the change looks trivial, I have just uploaded the package. Thanks, Aurelien diff -Nru confuse-3.0+dfsg/debian/changelog confuse-3.0+dfsg/debian/changelog --- confuse-3.0+dfsg/debian/changelog 2016-06-06 21:41:37.000000000 +0200 +++ confuse-3.0+dfsg/debian/changelog 2018-08-15 10:46:39.000000000 +0200 @@ -1,3 +1,11 @@ +confuse (3.0+dfsg-2+deb9u1) stretch; urgency=medium + + * Add debian/patches/CVE-2018-14447.patch from upstream to fix + an out of bound read in trim_whitespace (CVE-2018-14447). Closes: + #904159. + + -- Aurelien Jarno <aure...@debian.org> Wed, 15 Aug 2018 10:46:39 +0200 + confuse (3.0+dfsg-2) unstable; urgency=medium * Upload to unstable. diff -Nru confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch --- confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch 1970-01-01 01:00:00.000000000 +0100 +++ confuse-3.0+dfsg/debian/patches/CVE-2018-14447.patch 2018-08-15 00:14:16.000000000 +0200 @@ -0,0 +1,17 @@ +commit f2bfb905f2b8c1e8f20a608768ebf49d3a5a6d0b +Author: Sebastian Roland <serolan...@gmail.com> +Date: Sun Aug 12 09:56:36 2018 +0200 + + Fixes #109 + +--- a/src/lexer.l ++++ b/src/lexer.l +@@ -337,7 +337,7 @@ static void qputc(char ch) + { + if(qstring_index >= qstring_len) { + qstring_len += CFG_QSTRING_BUFSIZ; +- cfg_qstring = (char *)realloc(cfg_qstring, qstring_len); ++ cfg_qstring = (char *)realloc(cfg_qstring, qstring_len + 1); + assert(cfg_qstring); + memset(cfg_qstring + qstring_index, 0, CFG_QSTRING_BUFSIZ); + } diff -Nru confuse-3.0+dfsg/debian/patches/series confuse-3.0+dfsg/debian/patches/series --- confuse-3.0+dfsg/debian/patches/series 2016-05-29 18:14:41.000000000 +0200 +++ confuse-3.0+dfsg/debian/patches/series 2018-08-15 00:10:19.000000000 +0200 @@ -0,0 +1 @@ +CVE-2018-14447.patch -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled