Processed: Re: Bug#771610: pu: package iucode-tool/0.8.3-2

2014-12-08 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + pending
Bug #771610 [release.debian.org] pu: package iucode-tool/0.8.3-2
Added tag(s) pending.

-- 
771610: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771610
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/handler.s.b771610.141804962328095.transcr...@bugs.debian.org



Bug#771610: pu: package iucode-tool/0.8.3-2

2014-12-08 Thread Adam D. Barratt
Control: tags -1 + pending

On Mon, 2014-12-01 at 15:08 -0200, Henrique de Moraes Holschuh wrote:
> On Mon, 01 Dec 2014, Adam D. Barratt wrote:
> > On 2014-11-30 23:49, Henrique de Moraes Holschuh wrote:
> > > I'd like to update the iucode-tool package in Debian stable with
> > > cherry-picked fixes from upstream iucode-tool v1.1.1.
> > >
> > > These changes fix issues found by Coverity scan, including a buffer overrun
> > > which causes an out-of-bounds dword write to an array, and some issues on
> > > error paths.
> >
> > Please go ahead, thanks.
>
> Thank you, uploaded.

Flagged for acceptance, thanks.

Regards,

Adam





Bug#771610: pu: package iucode-tool/0.8.3-2

2014-12-01 Thread Adam D. Barratt

Control: tags -1 + wheezy confirmed

On 2014-11-30 23:49, Henrique de Moraes Holschuh wrote:
> I'd like to update the iucode-tool package in Debian stable with
> cherry-picked fixes from upstream iucode-tool v1.1.1.
>
> These changes fix issues found by Coverity scan, including a buffer overrun
> which causes an out-of-bounds dword write to an array, and some issues on
> error paths.

Please go ahead, thanks.

Regards,

Adam





Processed: Re: Bug#771610: pu: package iucode-tool/0.8.3-2

2014-12-01 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 + wheezy confirmed
Bug #771610 [release.debian.org] pu: package iucode-tool/0.8.3-2
Added tag(s) wheezy and confirmed.

-- 
771610: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771610
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#771610: pu: package iucode-tool/0.8.3-2

2014-12-01 Thread Henrique de Moraes Holschuh
On Mon, 01 Dec 2014, Adam D. Barratt wrote:
> On 2014-11-30 23:49, Henrique de Moraes Holschuh wrote:
> > I'd like to update the iucode-tool package in Debian stable with
> > cherry-picked fixes from upstream iucode-tool v1.1.1.
> >
> > These changes fix issues found by Coverity scan, including a buffer overrun
> > which causes an out-of-bounds dword write to an array, and some issues on
> > error paths.
>
> Please go ahead, thanks.

Thank you, uploaded.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Bug#771610: pu: package iucode-tool/0.8.3-2

2014-11-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

I'd like to update the iucode-tool package in Debian stable with
cherry-picked fixes from upstream iucode-tool v1.1.1.

These changes fix issues found by Coverity scan, including a buffer overrun
which causes an out-of-bounds dword write to an array, and some issues on
error paths.

debdiff diffstat:
 debian/changelog                                                               |   17 ++
 debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch               |   29 +
 debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch               |   25
 debian/patches/0003-iucode_tool-avoid-closing-already-closed-file-handle.patch |   29 +
 debian/patches/0004-iucode_tool-simplify-fd-tracking-in-scan_system_proc.patch |   57 ++
 debian/patches/0005-iucode_tool-cosmetic-fix-for-CID-72164.patch               |   25
 debian/patches/0006-iucode_tool-fix-memory-leak-in-load_intel_microcode_.patch |   39 ++
 debian/patches/0007-iucode_tool-rework-error-path-of-load_intel_microcod.patch |   38 ++
 debian/patches/0008-iucode_tool-fix-out-of-bounds-array-access-in-load_i.patch |   31 +
 debian/patches/series                                                          |    8 +
 10 files changed, 298 insertions(+)

I've attached the full debdiff output.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
diff -Nru iucode-tool-0.8.3/debian/changelog iucode-tool-0.8.3/debian/changelog
--- iucode-tool-0.8.3/debian/changelog	2012-08-27 21:29:36.0 -0300
+++ iucode-tool-0.8.3/debian/changelog	2014-11-30 16:32:41.0 -0200
@@ -1,3 +1,20 @@
+iucode-tool (0.8.3-2) stable; urgency=medium
+
+  * cherry-pick fixes from upstream v1.1.1
+* Add eight new patches cherry-picked from upstream iucode-tool
+  version 1.1.1, fixing several issues found by Coverity scan,
+  including one for an out-of-bounds array write to the heap:
+  + 0001-iucode_tool-cosmetic-fix-for-CID-72168.patch
+  + 0002-iucode_tool-cosmetic-fix-for-CID-72166.patch
+  + 0003-iucode_tool-avoid-closing-already-closed-file-handle.patch
+  + 0004-iucode_tool-simplify-fd-tracking-in-scan_system_proc.patch
+  + 0005-iucode_tool-cosmetic-fix-for-CID-72164.patch
+  + 0006-iucode_tool-fix-memory-leak-in-load_intel_microcode_.patch
+  + 0007-iucode_tool-rework-error-path-of-load_intel_microcod.patch
+  + 0008-iucode_tool-fix-out-of-bounds-array-access-in-load_i.patch
+
+ -- Henrique de Moraes Holschuh h...@debian.org  Sun, 30 Nov 2014 16:28:33 -0200
+
 iucode-tool (0.8.3-1) unstable; urgency=low
 
   * New upstream release
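Review bot: The new 0.8.3-2 entry says one of the eight patches fixes an out-of-bounds array write to the heap, but the patch list that follows does not mark which one. Three of the listed names say "cosmetic fix" and the rest read as handle, leak and error-path cleanups, so a short annotation on the 0008-iucode_tool-fix-out-of-bounds-array-access-in-load_i.patch line would let anyone reviewing the stable update go straight to the memory-safety fix.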
diff -Nru iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch
--- iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch	1969-12-31 21:00:00.0 -0300
+++ iucode-tool-0.8.3/debian/patches/0001-iucode_tool-cosmetic-fix-for-CID-72168.patch	2014-11-30 16:21:33.0 -0200
@@ -0,0 +1,29 @@
+From: Henrique de Moraes Holschuh h...@hmh.eng.br
+Date: Tue, 28 Oct 2014 11:07:14 -0200
+Subject: iucode_tool: cosmetic fix for CID 72168
+
+Remove test for !arg.  The argument to -t is not optional and argp will
+abort before we reach that branch, so the test is not going to trigger.
+
+Alternatively, we could keep the defensive programming, but we'd have to
+add a bug guard arg in argp_error with a (arg)? arg:none;
+
+Fixes: Coverity CID 72168
+(cherry picked from commit a3919ad8a238ba2453770dd6681ac757854461f7)
+---
+ iucode_tool.c |2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iucode_tool.c b/iucode_tool.c
+index d40e3a2..4bfa167 100644
+--- a/iucode_tool.c
 b/iucode_tool.c
+@@ -1917,7 +1917,7 @@ static error_t cmdline_do_parse_arg(int key, char *arg,
+ 		break;
+ 
+ 	case 't':
+-		if (!arg || strlen(arg)  1)
++		if (strlen(arg)  1)
+ 			argp_error(state, unknown file type: %s\n, arg);
+ 		switch (*arg) {
+ 		case 'd': /* .dat */
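Review bot: In the `case 't':` branch, dropping the `!arg` test leaves both `strlen(arg)` and the following `switch (*arg)` relying on argp never delivering a NULL argument for -t, and that invariant is recorded only in the commit message. A one-line comment at the branch stating that the option's argument is mandatory would keep a later change to the option table (making the argument optional) from silently turning this into a NULL dereference; the commit message's own alternative, keeping the check and guarding the `%s` argument in `argp_error`, would also work.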
diff -Nru iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch
--- iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch	1969-12-31 21:00:00.0 -0300
+++ iucode-tool-0.8.3/debian/patches/0002-iucode_tool-cosmetic-fix-for-CID-72166.patch	2014-11-30 16:21:33.0 -0200
@@ -0,0 +1,25 @@
+From: Henrique de Moraes Holschuh h...@hmh.eng.br
+Date: Tue, 28 Oct 2014 11:11:57 -0200
+Subject: iucode_tool: cosmetic fix for CID 72166
+
+argp_state_help() will not return, as we do NOT use ARGP_NO_EXIT,
+still, add a break after it to keep Coverity