Your message dated Sat, 15 May 2021 13:54:35 +0200
with message-id <[email protected]>
and subject line Re: Bug#988437: unblock: cod-tools/3.1.0+dfsg-3
has caused the Debian Bug report #988437,
regarding unblock: cod-tools/3.1.0+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
988437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988437
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Dear release-team,

I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.

[ Reason ]
cod-tools/3.1.0+dfsg-2 is susceptible to a buffer overrun due to a single
occurrence of an unchecked C buffer boundary (an upstream bug, forwarded).
cod-tools/3.1.0+dfsg-3 fixes this bug via a patch, by using a C function
which writes no more bytes than the length of the current buffer.

[ Impact ]
Without the fix, buffer overrun may occur in specific circumstances.

[ Tests ]
* Built in a clean sid chroot;
* Upstream test suite and autopkgtest pass.

[ Risks ]
Most likely none. All binary packages built from source:cod-tools are
leaf packages.

[ Checklist ]
  [*] all changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in testing

unblock cod-tools/3.1.0+dfsg-3

Best,
Andrius
diff -Nru cod-tools-3.1.0+dfsg/debian/changelog 
cod-tools-3.1.0+dfsg/debian/changelog
--- cod-tools-3.1.0+dfsg/debian/changelog       2021-03-05 11:44:59.000000000 
-0500
+++ cod-tools-3.1.0+dfsg/debian/changelog       2021-05-12 06:21:45.000000000 
-0400
@@ -1,3 +1,9 @@
+cod-tools (3.1.0+dfsg-3) unstable; urgency=medium
+
+  * Patching buffer overflow in code responsible for composing error messages.
+
+ -- Andrius Merkys <[email protected]>  Wed, 12 May 2021 06:21:45 -0400
+
 cod-tools (3.1.0+dfsg-2) unstable; urgency=medium
 
   * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl
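Review bot: the changelog entry for 3.1.0+dfsg-3 does not say where the overflow was or which patch fixes it; since this is a security-relevant fix, name the patch and the affected function, e.g. "Add fix-buffer-overflow.diff: use vsnprintf() instead of vsprintf() in vcxprintf() (src/externals/cexceptions/cxprintf.c) to prevent a buffer overflow when composing error messages."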
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 
cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
--- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff        
1969-12-31 19:00:00.000000000 -0500
+++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff        
2021-05-12 06:18:47.000000000 -0400
@@ -0,0 +1,21 @@
+Description: Fixes buffer overflow.
+Author: Andrius Merkys <[email protected]>
+Forwarded: mailto:[email protected]
+--- a/src/externals/cexceptions/cxprintf.c
++++ b/src/externals/cexceptions/cxprintf.c
+@@ -27,11 +27,11 @@
+ 
+ const char* vcxprintf( const char * format, va_list args )
+ {
+-    static char error_message[200] = "";
++    static char error_message[1024] = "";
++
+ 
+-    /*
+     vsnprintf( error_message, sizeof(error_message), format, args );
+-    */
+-    vsprintf( error_message, format, args );
++
++    // vsprintf( error_message, format, args );
+     return error_message;
+ }
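Review bot: the inner hunk leaves dead code and stray whitespace behind: the two added empty lines (`++`) and the commented-out `++    // vsprintf( error_message, format, args );` should be dropped so the function body is just the buffer declaration and the `vsnprintf( error_message, sizeof(error_message), format, args );` call. Note also that vsnprintf() silently truncates a message longer than 1023 bytes; that is the safe behaviour here, but if any caller needs the full text, the return value of vsnprintf() is the length the complete message would have had and can be checked.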
diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series 
cod-tools-3.1.0+dfsg/debian/patches/series
--- cod-tools-3.1.0+dfsg/debian/patches/series  2021-03-05 11:44:59.000000000 
-0500
+++ cod-tools-3.1.0+dfsg/debian/patches/series  2021-05-12 03:46:26.000000000 
-0400
@@ -2,3 +2,4 @@
 hardening.diff
 disable-test-network-access.diff
 spglib.diff
+fix-buffer-overflow.diff

--- End Message ---
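The fix in the debdiff above replaces vsprintf() with vsnprintf(), which never writes past the size passed to it. As an added illustration, not code from cod-tools or from this bug report, the following C program shows the same pattern with the patched buffer size of 1024 and adds a truncation indicator derived from the vsnprintf() return value; the names bounded_cxprintf, bounded_vcxprintf and struct format_result, and the sample inputs, are assumptions made for the example:

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not cod-tools code: a bounded error-message formatter in
 * the style of the patched vcxprintf(). The buffer size 1024 is the value
 * from the patch; the function and type names here are assumptions. */
#define ERROR_MESSAGE_SIZE 1024

struct format_result {
    size_t length;   /* bytes actually stored in the buffer, excluding NUL */
    int truncated;   /* 1 when the full message did not fit */
};

/* Formats into a fixed static buffer. vsnprintf() never writes more than
 * sizeof(error_message) bytes and always NUL-terminates, so an oversized
 * message is cut short instead of overrunning the buffer. Its return value
 * is the length the complete message would have had, which is how the
 * caller can tell that truncation happened. */
const char *bounded_vcxprintf(const char *format, va_list args, int *truncated)
{
    static char error_message[ERROR_MESSAGE_SIZE] = "";
    int needed = vsnprintf(error_message, sizeof(error_message), format, args);

    if (truncated != NULL)
        *truncated = (needed < 0 || (size_t)needed >= sizeof(error_message));
    return error_message;
}

const char *bounded_cxprintf(int *truncated, const char *format, ...)
{
    va_list args;
    const char *message;

    va_start(args, format);
    message = bounded_vcxprintf(format, args, truncated);
    va_end(args);
    return message;
}

/* Runs the formatter on constructed input: either a short message, or one
 * built from a 4000-byte argument that is far longer than the buffer. */
struct format_result demo(int oversized)
{
    struct format_result result;
    const char *message;

    if (oversized) {
        char big[4000];
        memset(big, 'A', sizeof(big) - 1);
        big[sizeof(big) - 1] = '\0';
        message = bounded_cxprintf(&result.truncated, "%s", big);
    } else {
        message = bounded_cxprintf(&result.truncated, "file %s: %s",
                                   "x.cif", "bad token");
    }
    result.length = strlen(message);
    return result;
}

int main(void)
{
    struct format_result r = demo(0);
    printf("short: length=%zu truncated=%d\n", r.length, r.truncated);
    r = demo(1);
    printf("oversized: length=%zu truncated=%d\n", r.length, r.truncated);
    return 0;
}
```

The oversized input ends up as 1023 bytes plus the terminating NUL, with the truncated flag set, whereas the unbounded vsprintf() would have written all 4000 bytes past the end of the 1024-byte buffer. As in the original, the buffer is static, so each call overwrites the previous message and the function is not reentrant; the truncation flag is an addition that lets a caller notice when a message was cut.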
--- Begin Message ---
On 2021-05-14 08:11:45, Andrius Merkys wrote:
> Control: tags -1 - moreinfo
> 
> On 2021-05-13 12:38, Sebastian Ramacher wrote:
> > ACK, please remove the moreinfo tag once the new version is available in
> > unstable.
> 
> Thanks, uploaded.

The package has autopkgtest and isn't a key package, so it will migrate
without an unblock. Closing.

Cheers
-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature


--- End Message ---