Package: release.debian.org
User: [email protected]
Usertags: pu
Tags: stretch
Severity: normal

Hi,

a buffer underrun has been fixed in zutils 1.7-3 (sid), here's an updated package for stretch:

https://people.debian.org/~daniel/packages/zutils/1.5-5+deb9u1/zutils_1.5-5+deb9u1.dsc

The debdiff is attached.

Regards,
Daniel
diff -Nru zutils-1.5/debian/changelog zutils-1.5/debian/changelog --- zutils-1.5/debian/changelog 2017-01-26 16:41:26.000000000 +0000 +++ zutils-1.5/debian/changelog 2018-09-10 08:55:58.000000000 +0000 @@ -1,3 +1,11 @@ +zutils (1.5-5+deb9u1) stretch; urgency=medium + + * Uploading to stretch. + * Adding patch from upstream to fix a buffer overrun in zcat + [CVE-2018-1000637] (Closes: #902936). + + -- Daniel Baumann <[email protected]> Mon, 10 Sep 2018 10:55:58 +0200 + zutils (1.5-5) unstable; urgency=low * Uploading to sid. diff -Nru zutils-1.5/debian/patches/series zutils-1.5/debian/patches/series --- zutils-1.5/debian/patches/series 2017-01-26 16:41:26.000000000 +0000 +++ zutils-1.5/debian/patches/series 2018-09-10 08:55:15.000000000 +0000 @@ -1,2 +1,3 @@ debian/0001-build.patch debian/0002-zupdate.patch +upstream/0001-zcat-buffer-overrun.patch diff -Nru zutils-1.5/debian/patches/upstream/0001-zcat-buffer-overrun.patch zutils-1.5/debian/patches/upstream/0001-zcat-buffer-overrun.patch --- zutils-1.5/debian/patches/upstream/0001-zcat-buffer-overrun.patch 1970-01-01 00:00:00.000000000 +0000 +++ zutils-1.5/debian/patches/upstream/0001-zcat-buffer-overrun.patch 2018-09-10 08:55:58.000000000 +0000 
@@ -0,0 +1,18 @@ +Author: Antonio Diaz-Diaz <[email protected]> +Description: zcat.cc: Fixed a buffer overrun on outbuf when '-v' is used [CVE-2018-1000637] (Closes: #902936). + +diff -Naurp zutils.orig/zcat.cc zutils/zcat.cc +--- zutils.orig/zcat.cc ++++ zutils/zcat.cc +@@ -229,8 +229,9 @@ int cat( int infd, const int format_inde + enum { buffer_size = 4096 }; + // buffer with space for sentinel newline at the end + uint8_t * const inbuf = new uint8_t[buffer_size+1]; +- // buffer with space for character quoting and 255-digit line number +- uint8_t * const outbuf = new uint8_t[(4*buffer_size)+256]; ++ // buffer with space for character quoting, 255-digit line number and ++ // worst case flushing respect to inbuf. ++ uint8_t * const outbuf = new uint8_t[(5*buffer_size)+256]; + int retval = 0; + Children children; + if( !set_data_feeder( &infd, children, format_index ) ) retval = 1;
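Review bot: in the debian/changelog entry, "fix a buffer overrun in zcat" leaves out the condition that the patch Description gives, namely that the overrun on outbuf occurs when '-v' is used. Carrying that condition into the changelog line would let stable users judge their exposure from the changelog alone.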
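Review bot: in zcat.cc at the outbuf allocation, the new size (5*buffer_size)+256 is still a bare constant with no visible check that writes stay inside it, and the added comment "worst case flushing respect to inbuf" does not say how the factor 5 is derived. The previous (4*buffer_size)+256 was also commented as having enough space and did not, so the comment should state the derivation (the maximum number of output bytes per input byte under '-v', plus how much can be pending in outbuf before it is flushed), and the write site, which is outside the lines shown here, should get a bounds assertion or explicit check on the output index. The patch header carries only Author and Description; naming the upstream release or origin the fix was taken from would make it easier to verify against upstream.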

