Your message dated Fri, 12 May 2017 09:18:33 +0000 with message-id <e1d96ix-0008qw...@fasolo.debian.org> and subject line Bug#858389: fixed in docbook-to-man 1:2.0.0-36 has caused the Debian Bug report #858389, regarding Memcpy parameter overlap in docbook-to-man to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 858389: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858389 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: docbook-to-man Version: 1:2.0.0-34 Hi, ReadESIS function in Instant/main.c triggers undefined behavior via memcpy's source and destination buffers overlap: memcpy(&buf[1], &buf[2], strlen(buf)-1); As far as I can see, the issue is still present in 1:2.0.0-35. The simplest fix is probly to replace with memmove. The issue was found by Valgrind when testing flac package in debian_pkg_test framework (https://github.com/yugr/debian_pkg_test). Valgrind report: ==7111== Memcheck, a memory error detector ==7111== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==7111== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==7111== Command: /usr/bin/instant -croff.cmap -sroff.sdata -tdocbook-to-man.ts -d ==7111== Parent PID: 7109 ==7111== ==7111== Source and destination overlap in memcpy_chk(0x586f051, 0x586f052, 5) ==7111== at 0x4C353D7: __memcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==7111== by 0x10B2EF: ??? (in /usr/bin/instant) ==7111== by 0x10B157: ??? (in /usr/bin/instant) ==7111== by 0x10B157: ??? (in /usr/bin/instant) ==7111== by 0x10A796: ??? (in /usr/bin/instant) ==7111== by 0x526C82F: (below main) (/build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291) -Yuri
--- End Message ---
--- Begin Message ---Source: docbook-to-man Source-Version: 1:2.0.0-36 We believe that the bug you reported is fixed in the latest version of docbook-to-man, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 858...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Chris Lamb <la...@debian.org> (supplier of updated docbook-to-man package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 12 May 2017 11:02:11 +0200 Source: docbook-to-man Binary: docbook-to-man Architecture: source Version: 1:2.0.0-36 Distribution: unstable Urgency: medium Maintainer: Chris Lamb <la...@debian.org> Changed-By: Chris Lamb <la...@debian.org> Description: docbook-to-man - converter from DocBook SGML into roff man macros Closes: 842635 858389 Changes: docbook-to-man (1:2.0.0-36) unstable; urgency=medium . * Adopt package. * Prevent undefined behaviour in memcpy parameter overlap; docbook-to-man can insert random characters into the output. e.g. it will sometimes generate an "I" instead of a literal tab. Thanks to Chris West <solo-debianb...@goeswhere.com> and Yuri Gribov <tetra2...@gmail.com> (Closes: #842635, #858389) * Update Vcs-{Git,Browser}. * Tidy debian/rules. * Bump Standards-Version to 3.9.8> * Bump Debhelper compatibility level to 10. * Refresh all patches with `pq import` -> `pq export`. * Add myself to debian/copyright. . Debian-Bugs: #842635 #858389 Checksums-Sha1: 253c76894c124ffb1fb585a09356b76633c52ca6 1890 docbook-to-man_2.0.0-36.dsc 46e477ec1dad712153728e594807ff32ffcd025b 21828 docbook-to-man_2.0.0-36.debian.tar.xz f9aecde2b4d5cda86de357beba6259b5bab3938b 5644 docbook-to-man_2.0.0-36_amd64.buildinfo Checksums-Sha256: 1ff6e5c22512e75bb9d51b527bab5df23d955491d23cc221ff22d3bbed315041 1890 docbook-to-man_2.0.0-36.dsc 6ea7a4ce491c6629090c2e3d6f19cfd88d66ea63c74601e754b21cb45596a5b5 21828 docbook-to-man_2.0.0-36.debian.tar.xz f6017c6b1f37ee73854cc19ab8fd07593b617cbb64d496d547e485ecd38a44d0 5644 docbook-to-man_2.0.0-36_amd64.buildinfo Files: 12bfa07458262fe9c22a655e93c44ac5 1890 text optional docbook-to-man_2.0.0-36.dsc 83d41cf01ad8a79baff03963396a0490 21828 text optional docbook-to-man_2.0.0-36.debian.tar.xz f559c7f664fc2bb86fdfc876400d66aa 5644 text optional docbook-to-man_2.0.0-36_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAlkVejEACgkQHpU+J9Qx HliLxg//an01IIb7RW+gbGwlN+USf/S3+TsCziFB1B9B/YzqiBo28LLiOTssmYnA LPnapkJMtBoGFQYhc82Jvh4Xi63IW3AQQDSa03fdzdpBqLgFK1ymUC5X5Io4GJ/d ucHNRjAjxMnzf609TVfdIgkgWME+S9uwGCUxFzkhbuyx/RMIRGoQHyDhLNXw+ZM5 v0yX7AFRYFEV32+loiRQnYetKjJdeT0LvwXjMjUv8C/TOBTWsbiHrxVmmleYlqAl OzCLYivOTilK06wfqR+I2XcuQFbrPNGJ/GVSq1SYPcXqlXjwReRGo0ELrqaDiWu9 V5EMsq8MpqnexoLSWBUkqxV1LJi7s9C2MruSLSJ+UAep21RVIMlub0FEoLfgEhOI 5RM6qj7cQol4cUG4KpzSrSzoI5WRRld48JHaFEYZeHI+4D+FoykBmraQl1SmR4JJ 6ppl9aryLtLeNIMk4LmX3+ZvPzJQ+94OxIoeID1iiKIAfQoM7u0wH5cxnmM2ERiD cdDBIlCL63XeZ6QWF1wbZPJk1wJtG61cuyPOq7cC0ack6KWR4pohw5uZH3YfzodG OUEH4MsyhqvAG9x+jQ+OJgDfEZ7BVgLOh4EMUzUDkeiDCXbQTXwHdfZI+UvxdN+9 QqUK91ZmLQgpKY2HWggbatclE5rIeonYj0hdKbzRUWVORUFhd50= =ctA6 -----END PGP SIGNATURE-----
--- End Message ---
