Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please unblock package notmuch
We've recently fixed a use-after-free bug upstream. As this error is
in the library, it does at least potentially impact a large number of
users. We've not seen any problems in the wild because of it (or
detected a bad memory access with valgrind). On the other hand I think
the fix is low risk, it mimics things we've done before.
diff -Nru notmuch-0.23.7/debian/changelog notmuch-0.23.7/debian/changelog
- --- notmuch-0.23.7/debian/changelog 2017-02-28 20:39:30.000000000 -0400
+++ notmuch-0.23.7/debian/changelog 2017-03-19 09:38:17.000000000 -0300
@@ -1,3 +1,9 @@
+notmuch (0.23.7-2) unstable; urgency=medium
+
+ * Cherry pick 06adc276, fix use after free in libnotmuch4
+
+ -- David Bremner <brem...@debian.org> Sun, 19 Mar 2017 09:38:17 -0300
+
notmuch (0.23.7-1) unstable; urgency=medium
* Move test suite $GNUPGHOME to /tmp to avoid problems with long build paths.
diff -Nru notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch
notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch
- --- notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch
1969-12-31 20:00:00.000000000 -0400
+++ notmuch-0.23.7/debian/patches/0001-debcherry-fixup-patch.patch
2017-03-19 09:38:17.000000000 -0300
@@ -0,0 +1,27 @@
+From 0fa0d9586e63d44e53aa7cf6cde5d1bd88bdbf35 Mon Sep 17 00:00:00 2001
+From: David Bremner <da...@tethera.net>
+Date: Sun, 19 Mar 2017 09:48:03 -0300
+Subject: [PATCH] debcherry fixup patch
+
+aa0bccba lib/message.cc: fix Coverity finding (use after free)
+ - extra changes or conflicts
+---
+ lib/message.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/message.cc b/lib/message.cc
+index 9d3e8071..a91e69e0 100644
+--- a/lib/message.cc
++++ b/lib/message.cc
+@@ -849,9 +849,9 @@ _notmuch_message_ensure_filename_list (notmuch_message_t
*message)
+ *
+ * It would be nice to do the upgrade of the document directly
+ * here, but the database is likely open in read-only mode. */
+- const char *data;
+
+- data = message->doc.get_data ().c_str ();
++ std::string datastr = message->doc.get_data ();
++ const char *data = datastr.c_str ();
+
+ if (data == NULL)
+ INTERNAL_ERROR ("message with no filename");
diff -Nru notmuch-0.23.7/debian/patches/series
notmuch-0.23.7/debian/patches/series
- --- notmuch-0.23.7/debian/patches/series 1969-12-31 20:00:00.000000000
-0400
+++ notmuch-0.23.7/debian/patches/series 2017-03-19 09:38:17.000000000
-0300
@@ -0,0 +1,2 @@
+# exported from git by git-debcherry
+0001-debcherry-fixup-patch.patch
unblock notmuch/0.23.7-2
- -- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCAAdFiEE3VS2dnyDRXKVCQCp8gKXHaSnniwFAljOnAsACgkQ8gKXHaSn
niwVVQv9FPjOrf9lA+2gfftBiPBjNRBX6akl01H+WysWsSeMg8rcb3lMPEI4JjIl
QtemhZgRdVbe7wvyE1sBVhJY6Byj4P+0JQsGu+ldWZMGqqIp9/Dc9uLn/B8qpqXE
WLce8TJwV2Kf20bxPGt2S3Var967ZoAR4fccaOpVSs+rPs1njdHMOcvO5zSZJeaR
5ri/33fAunkvrElnS6eO3SzHkdg5onfi8IUGUA7JIWgPD7+RQATGn4pab+mBl4lv
AUlB54sNI/opn6P9JLV1dso2wGIiJEbRuLSx2GIbWH4vhIw9z3PnzMRoQ2iMkNPL
yJETZjfLNj7qFZWPjKIIMRZSu4cDRuZa3E2r9oJEC5eaXYAAnGcgV9nLDKMxALO/
bVcCnx5fKjUoum73Vm+C0tTUeoS+h6xdjlQV24ilQwU3Lc5aC5MoRkC6f4MBAzKX
JU87YRzpPBC7IexPrl/jymN8eUq+9xYT4GE517/QHJaxLSqgmTn0BkE3+JQ7sAIY
YteBO+Ev
=LEXU
-----END PGP SIGNATURE-----
