Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id
<81741a2f4e370c14a3bec08b7fe6e2b10c32267b.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #993792,
regarding bullseye-pu: package iotop-c/1.17-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993792
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)
[ Reason ]
There is a bug in processing Unicode process names in iotop-c 1.17
that leads to out of bounds access and crash. Because the access is
of a static array with negative index, it is highly unlikely
to cause a security problem; it only affects user experience.
Architectures where char is unsigned are not affected.
The test case to reproduce is the same as in
https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523
[ Impact ]
The program will crash when there are processes with names that
contain bytes between 128 and 255.
[ Tests ]
Manual tests confirm the bug and also confirm that the proposed
fix is a proper one.
[ Risks ]
The proposed fixes are trivial and risk level should be low.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
This update includes backported fixes from version 1.18 (already
in unstable). There are 4 patches, two of which are related, and
the other two are independent.
diff -Nru iotop-c-1.17/debian/changelog iotop-c-1.17/debian/changelog
--- iotop-c-1.17/debian/changelog 2021-02-06 03:02:03.000000000 +0200
+++ iotop-c-1.17/debian/changelog 2021-09-06 04:54:40.000000000 +0300
@@ -1,3 +1,12 @@
+iotop-c (1.17-1+deb11u1) bullseye; urgency=medium
+
+ * Backport bugfixes from 1.18
+ - fix OOB access caused by UTF8 process names
+ - fix screen flicker during refresh with visible help
+ - allow ESC to close the help window
+
+ -- Boian Bonev <[email protected]> Mon, 06 Sep 2021 01:54:40 +0000
+
iotop-c (1.17-1) unstable; urgency=medium
* Update to new upstream release of 1.17
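Review bot: The new changelog entry lists three fixes while the series adds four patches, and the iotop.8 change from document-esc-key.patch is not mentioned explicitly. Since the checklist states that all changes are documented in d/changelog, add an item for the man page update, and consider citing the Ubuntu bug referenced in fix-OOB-on-utf.patch next to the OOB item.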
diff -Nru iotop-c-1.17/debian/patches/document-esc-key.patch
iotop-c-1.17/debian/patches/document-esc-key.patch
--- iotop-c-1.17/debian/patches/document-esc-key.patch 1970-01-01
02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/document-esc-key.patch 2021-09-06
04:54:40.000000000 +0300
@@ -0,0 +1,20 @@
+Description: Document that ESC key closing the help window
+ Users were expecting that pressing ESC should close the help window
+
+---
+Origin: upstream,
https://github.com/Tomas-M/iotop/commit/383443d650bb29bfb7187cae98e21faa40cbf977
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/iotop.8
++++ iotop-c-1.17/iotop.8
+@@ -196,6 +196,9 @@ Sort by next column
+ \fB<left>\fR
+ Sort by previous column
+ .TP
++\fB<esc>\fR
++Cancel ionice or filter selection. In case only the help window is open then
close it
++.TP
+ \fBo\fR, \fBO\fR
+ Toggle showing only processes with IO activity
+ .TP
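Review bot: The added man page text for <esc> ends without a full stop and reads awkwardly ("In case only the help window is open then close it"); suggest "If only the help window is open, close it." The Description line has a similar slip ("Document that ESC key closing the help window"); "Document that the ESC key closes the help window" would read better.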
diff -Nru iotop-c-1.17/debian/patches/esc-closes-help.patch
iotop-c-1.17/debian/patches/esc-closes-help.patch
--- iotop-c-1.17/debian/patches/esc-closes-help.patch 1970-01-01
02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/esc-closes-help.patch 2021-09-06
04:54:40.000000000 +0300
@@ -0,0 +1,20 @@
+Description: Let ESC close the help
+ It was suggested by users that it is desired for ESC to close the help
+ window.
+---
+Origin: upstream,
https://github.com/Tomas-M/iotop/commit/8ea414c53ca3b5986191d06a8f99f96282975e02
https://github.com/Tomas-M/iotop/commit/0d48498cc593d3b72d56fb5a5519b2b8612fbc31
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/view_curses.c
++++ iotop-c-1.17/src/view_curses.c
+@@ -1092,6 +1092,9 @@ static inline int curses_key(int ch) {
+ config.f.deadx=!config.f.deadx;
+ break;
+ case 27: // ESC
++ if (showhelp&&!in_ionice&&!in_filter)
++ showhelp=0;
++ // unlike help window these cannot happen at the same
time
+ if (in_ionice)
+ in_ionice=0;
+ if (in_filter)
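Review bot: In the ESC case, the new condition showhelp&&!in_ionice&&!in_filter means that ESC pressed while the help window and an ionice or filter prompt are both open cancels only the prompt, and a second ESC is needed to close the help window. That matches the man page wording, but the added comment ("unlike help window these cannot happen at the same time") does not state it; a comment saying that an open prompt takes priority over the help window would make the intent clear.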
diff -Nru iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch
iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch
--- iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 1970-01-01
02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 2021-09-06
04:54:40.000000000 +0300
@@ -0,0 +1,21 @@
+Description: Fix OOB access on some UTF input
+ On architectures with signed char type and input that is >=128 there is
+ an out-of-bounds access causing SIGSEGV. It is most probably not exploitable
+ but degrades user experience.
+---
+Origin: upstream,
https://github.com/Tomas-M/iotop/commit/8aaa4fce743cf14a5a727c6cb24c63450d317a28
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/utils.c
++++ iotop-c-1.17/src/utils.c
+@@ -171,7 +171,7 @@ inline const char *esc_low_ascii1(char c
+ static char ehex[0x20][6];
+ static int initialized=0;
+
+- if (c>=0x20) // no escaping needed
++ if (c<0||c>=0x20) // no escaping needed
+ return NULL;
+ if (!initialized) {
+ int i;
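Review bot: The new test c<0||c>=0x20 in esc_low_ascii1 closes the negative index into ehex[0x20][6] on signed-char targets, but the check still depends on the signedness of plain char. Comparing (unsigned char)c>=0x20, or working on an unsigned char copy of c, gives a single range check that behaves the same on every architecture. The trailing comment "no escaping needed" now also covers bytes 128 to 255; saying so in the comment would keep the c<0 branch from being mistaken for dead code on unsigned-char targets.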
diff -Nru iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch
iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch
--- iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch
1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch
2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,29 @@
+Description: Fix flicker with help shown
+ Change the refresh sequence to avoid flicker
+---
+Origin: upstream,
https://github.com/Tomas-M/iotop/commit/1b36b51c72088f9e346dc5dc473653487d97cfed
+Forwarded: not-needed
+Last-Update: 2021-09-06
+
+--- iotop-c-1.17.orig/src/view_curses.c
++++ iotop-c-1.17/src/view_curses.c
+@@ -841,7 +841,7 @@ donedraw:
+ move(promptx,prompty);
+ curs_set(show);
+ draw_vscroll(maxx-1,head1row?2:3,maxy-1,dispcount,saveskip);
+- refresh();
++ wnoutrefresh(stdscr);
+ if (showhelp) {
+ int rhh,rhw;
+
+@@ -874,8 +874,9 @@ donedraw:
+ wresize(whelp,rhh,rhw);
+ mvwin(whelp,hy,hx);
+ view_help();
+- wrefresh(whelp);
++ wnoutrefresh(whelp);
+ }
++ doupdate();
+ }
+
+ static inline int curses_key(int ch) {
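Review bot: The patch description ("Change the refresh sequence to avoid flicker") does not say what the new sequence is. Worth recording that refresh() and wrefresh(whelp) each caused their own physical screen update, while wnoutrefresh(stdscr) and wnoutrefresh(whelp) followed by the single doupdate() after the if (showhelp) block update the terminal once; that also explains why doupdate() has to sit outside the block.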
diff -Nru iotop-c-1.17/debian/patches/series iotop-c-1.17/debian/patches/series
--- iotop-c-1.17/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ iotop-c-1.17/debian/patches/series 2021-09-06 04:54:40.000000000 +0300
@@ -0,0 +1,4 @@
+document-esc-key.patch
+fix-OOB-on-utf.patch
+fix-flicker-with-help-shown.patch
+esc-closes-help.patch
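Review bot: esc-closes-help.patch is applied last, after fix-flicker-with-help-shown.patch, yet both modify src/view_curses.c and its hunk header (-1092,6 +1092,9) was generated against the unpatched file. fix-flicker-with-help-shown.patch adds one net line earlier in that file, so the hunk applies with an offset of one line; refreshing the patch in series order would make it apply cleanly.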
--- End Message ---
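The signed-char indexing problem described under [ Reason ] and addressed by fix-OOB-on-utf.patch, shown as an added example that is not part of the original message or of iotop-c. All function names, the sample process name and the \xNN output format are assumptions; signed char is used explicitly to model the affected architectures, and no out-of-bounds read is actually performed.

```c
#include <stdio.h>
#include <string.h>
#define ROWS 0x20 /* table covers bytes 0x00..0x1f, like ehex[0x20][6] */

/* Constructed sample: "caf" + UTF-8 bytes c3 a9 (e-acute), TAB, "worker". */
static const char SAMPLE_NAME[] = "caf\xc3\xa9\tworker";

/* 1.17 check: only c >= 0x20 is rejected, so negative values pass. */
static int index_before_fix(signed char c, int *idx) {
    if (c >= 0x20) return 0;
    *idx = c; return 1;
}

/* Patched check from the debdiff: negative values are rejected too. */
static int index_after_fix(signed char c, int *idx) {
    if (c < 0 || c >= 0x20) return 0;
    *idx = c; return 1;
}

/* Count bytes whose admitted table index lies outside [0, ROWS). */
static int count_oob(const char *name, int (*check)(signed char, int *)) {
    int bad = 0, idx = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (check((signed char)*p, &idx) && (idx < 0 || idx >= ROWS))
            bad++;
    return bad;
}

/* Signedness-independent variant: classify every byte as unsigned char.
 * The \xNN output format is an assumption, not iotop-c's own format. */
static size_t escape_name(const char *name, char *out, size_t outsz) {
    size_t n = 0;
    if (outsz == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        size_t need = (*p < ROWS) ? 4 : 1;
        if (n + need >= outsz) break; /* keep room for the NUL */
        if (need == 4) snprintf(out + n, outsz - n, "\\x%02x", (unsigned)*p);
        else out[n] = (char)*p;
        n += need;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char buf[64];
    escape_name(SAMPLE_NAME, buf, sizeof buf);
    printf("oob before=%d after=%d escaped=%s\n",
           count_oob(SAMPLE_NAME, index_before_fix),
           count_oob(SAMPLE_NAME, index_after_fix), buf);
    return 0;
}
```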
--- Begin Message ---
Package: release.debian.org
Version: 11.1
Hi,
The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.
Regards,
Adam
--- End Message ---