Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package notmuch

We've recently fixed a use-after-free bug upstream. As this error is in the library, it does at least potentially impact a large number of users. We've not seen any problems in the wild because of it (or detected a bad memory access with valgrind). On the other hand I think the fix is low risk, it mimics things we've done before.

diff -Nru notmuch-0.23.7/debian/changelog notmuch-0.23.7/debian/changelog - --- notmuch-0.23.7/debian/changelog 2017-02-28 20:39:30.000000000 -0400 +++ notmuch-0.23.7/debian/changelog 2017-03-19 09:38:17.000000000 -0300 @@ -1,3 +1,9 @@ +notmuch (0.23.7-2) unstable; urgency=medium + + * Cherry pick 06adc276, fix use after free in libnotmuch4 + + -- David Bremner <brem...@debian.org> Sun, 19 Mar 2017 09:38:17 -0300 + notmuch (0.23.7-1) unstable; urgency=medium * Move test suite $GNUPGHOME to /tmp to avoid problems with long build paths. diff -Nru notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch - --- notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch 1969-12-31 20:00:00.000000000 -0400 +++ notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch 2017-03-19 09:38:17.000000000 -0300 
@@ -0,0 +1,27 @@ +From 0fa0d9586e63d44e53aa7cf6cde5d1bd88bdbf35 Mon Sep 17 00:00:00 2001 +From: David Bremner <da...@tethera.net> +Date: Sun, 19 Mar 2017 09:48:03 -0300 +Subject: [PATCH] debcherry fixup patch + +aa0bccba lib/message.cc: fix Coverity finding (use after free) + - extra changes or conflicts +--- + lib/message.cc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/message.cc b/lib/message.cc +index 9d3e8071..a91e69e0 100644 +--- a/lib/message.cc ++++ b/lib/message.cc +@@ -849,9 +849,9 @@ _notmuch_message_ensure_filename_list (notmuch_message_t *message) + * + * It would be nice to do the upgrade of the document directly + * here, but the database is likely open in read-only mode. */ +- const char *data; + +- data = message->doc.get_data ().c_str (); ++ std::string datastr = message->doc.get_data (); ++ const char *data = datastr.c_str (); + + if (data == NULL) + INTERNAL_ERROR ("message with no filename"); diff -Nru notmuch-0.23.7/debian/patches/series notmuch-0.23.7/debian/patches/series - --- notmuch-0.23.7/debian/patches/series 1969-12-31 20:00:00.000000000 -0400 +++ notmuch-0.23.7/debian/patches/series 2017-03-19 09:38:17.000000000 -0300 
@@ -0,0 +1,2 @@ +# exported from git by git-debcherry +0001-debcherry-fixup-patch.patch

unblock notmuch/0.23.7-2

-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
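Review bot: In the lib/message.cc hunk, the `if (data == NULL)` check that follows the new `const char *data = datastr.c_str ();` line can never fire, because `c_str ()` always returns a valid pointer, even for an empty string. If the intent is to catch a document with no stored data, test `datastr.empty ()` before the INTERNAL_ERROR instead. Holding the result of `get_data ()` in the named local `datastr` does keep the buffer alive, but `data` is only valid while `datastr` is in scope and unmodified, so confirm that nothing later in this function retains the pointer past that scope. The patch description ("extra changes or conflicts") would also benefit from one sentence saying that the old code took `c_str ()` of the temporary returned by `get_data ()`.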
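Review bot: The debian/changelog entry cites commit 06adc276, while the description inside 0001-debcherry-fixup-patch.patch names aa0bccba ("lib/message.cc: fix Coverity finding (use after free)") and the patch itself carries the id 0fa0d9586e63d44e53aa7cf6cde5d1bd88bdbf35. State in the changelog entry or the patch header how these ids relate, so the upstream fix can be traced from the upload.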