Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package alttab to fix a buffer overflow RC bug. It is marked for autoremoval on June 29, so I realize that it might be a bit too late, but I still thought I'd try. [ Reason ] Upstream version 1.5.0 contains some strncpy() calls to incorrectly sized arrays; see #964357 for more information. [ Impact ] In many cases, the alttab program crashes on startup, making it practically unusable for some users. [ Tests ] The alttab package has an upstream test suite that is not yet run in the Debian package; I adopted it recently and I will try to introduce that in a future upload. [ Risks ] Leaf package, not widely used; pretty straightforward fix for a classic C programming security problem, so hopefully low risk. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock alttab/1.5.0-2
diff -Nru alttab-1.5.0/debian/changelog alttab-1.5.0/debian/changelog
--- alttab-1.5.0/debian/changelog 2020-07-23 12:19:05.000000000 +0300
+++ alttab-1.5.0/debian/changelog 2021-06-27 16:57:21.000000000 +0300
@@ -1,3 +1,11 @@
+alttab (1.5.0-2) unstable; urgency=medium
+
+ * New maintainer. Closes: #989842
+ * Point Vcs-Git and Vcs-Browser to the new salsa/debian repository.
+ * Add the strncpy patch to fix some buffer overflows. Closes: #964357
+
+ -- Peter Pentchev <r...@debian.org> Sun, 27 Jun 2021 16:57:21 +0300
+
 alttab (1.5.0-1) unstable; urgency=medium
 * New upstream release
diff -Nru alttab-1.5.0/debian/control alttab-1.5.0/debian/control
--- alttab-1.5.0/debian/control 2020-07-23 12:19:05.000000000 +0300
+++ alttab-1.5.0/debian/control 2021-06-27 16:56:42.000000000 +0300
@@ -1,7 +1,7 @@
 Source: alttab
 Section: x11
 Priority: optional
-Maintainer: Alexander Kulak <sa-dev@odd.systems>
+Maintainer: Peter Pentchev <r...@debian.org>
 Build-Depends: debhelper-compat (= 13),
 libx11-dev,
 libxmu-dev,
@@ -14,8 +14,8 @@
 autoconf,
 automake
 Standards-Version: 4.5.0
-Vcs-Git: https://github.com/sagb/alttab.git -b debian/unstable
-Vcs-Browser: https://github.com/sagb/alttab/tree/debian/unstable
+Vcs-Git: https://salsa.debian.org/debian/alttab.git
+Vcs-Browser: https://salsa.debian.org/debian/alttab
 Homepage: https://sagb.github.io/alttab
 Rules-Requires-Root: no
diff -Nru alttab-1.5.0/debian/patches/series alttab-1.5.0/debian/patches/series
--- alttab-1.5.0/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ alttab-1.5.0/debian/patches/series 2021-06-27 16:56:42.000000000 +0300
@@ -0,0 +1 @@
+strncpy.patch
diff -Nru alttab-1.5.0/debian/patches/strncpy.patch alttab-1.5.0/debian/patches/strncpy.patch
--- alttab-1.5.0/debian/patches/strncpy.patch 1970-01-01 02:00:00.000000000 +0200
+++ alttab-1.5.0/debian/patches/strncpy.patch 2021-06-27 16:56:42.000000000 +0300
@@ -0,0 +1,85 @@
+Description: fix possible strncpy overflows
+Origin: upstream; https://github.com/sagb/alttab/commit/5cb60252e58646a6dd45d55e9373d27fe9f520a1
+Author: Alexander Kulak <sa-dev@odd.systems>
+Bug-Debian: https://bugs.debian.org/964357
+Last-Update: 2021-06-27
+
+--- a/src/icon.c
++++ b/src/icon.c
+@@ -260,8 +260,9 @@
+ char *endptr;
+ char *dim;
+ int dimlen;
+- char sx[5];
+- char sy[5];
++ char sx[MAXICONDIMLEN];
++ char sy[MAXICONDIMLEN];
++ int sx_size, sy_size;
+ int ix, iy;
+ icon_t *ic;
+ char *suff;
+@@ -309,11 +310,17 @@
+ xchar = strchr(dim, 'x');
+ if (xchar == NULL)
+ return 0; // unknown dimensions
+- strncpy(sx, dim, (xchar - dim));
+- sx[xchar - dim] = '\0';
++ sx_size = xchar - dim;
++ if (sx_size > MAXICONDIMLEN - 1)
++ return 0;
++ strncpy(sx, dim, sx_size);
++ sx[sx_size] = '\0';
+ ix = atoi(sx);
+- strncpy(sy, xchar + 1, dim + dimlen - xchar);
+- sy[dim + dimlen - xchar - 1] = '\0';
++ sy_size = dim + dimlen - xchar;
++ if (sy_size > MAXICONDIMLEN - 1)
++ return 0;
++ strncpy(sy, xchar + 1, sy_size);
++ sy[sy_size] = '\0';
+ iy = atoi(sy);
+ } else {
+ // icon other than a priory known dimensions has lowest priority
+@@ -335,16 +342,28 @@
+ uchar = strrchr(app, '_');
+ xchar = strrchr(app, 'x');
+ if (xchar != NULL && uchar != NULL && xchar > uchar) {
+- strncpy(sx, uchar+1, (xchar - uchar - 1));
+- sx[xchar - uchar - 1] = '\0';
++ sx_size = xchar - uchar - 1;
++ if (sx_size > MAXICONDIMLEN - 1) {
++ msg (0, special_fail_1, app, "WW");
++ ix = 0;
++ goto end_special_1;
++ }
++ strncpy(sx, uchar+1, sx_size);
++ sx[sx_size] = '\0';
+ ix = strtol(sx, &endptr, 10);
+ if (!(*sx != '\0' && *endptr == '\0')) {
+ msg (0, special_fail_1, app, "WW");
+ ix = 0;
+ goto end_special_1;
+ }
+- strncpy(sy, xchar + 1, app + strlen(app) - xchar);
+- sy[app + strlen(app) - xchar] = '\0';
++ sy_size = app + strlen(app) - xchar;
++ if (sy_size > MAXICONDIMLEN - 1) {
++ msg (0, special_fail_1, app, "HH");
++ iy = 0;
++ goto end_special_1;
++ }
++ strncpy(sy, xchar + 1, sy_size);
++ sy[sy_size] = '\0';
+ iy = strtol(sy, &endptr, 10);
+ if (!(*sy != '\0' && *endptr == '\0')) {
+ msg (0, special_fail_1, app, "HH");
+--- a/src/icon.h
++++ b/src/icon.h
+@@ -38,6 +38,7 @@
+ #define MAXICONDIRS 64
+ #define MAXAPPLEN 64
+ #define MAXICONPATHLEN 1024
++#define MAXICONDIMLEN 5
+ 
+ typedef struct {
+ char app[MAXAPPLEN]; // application name; uthash key
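Review bot: The two new height-length computations, `sy_size = dim + dimlen - xchar;` in the second icon.c hunk and `sy_size = app + strlen(app) - xchar;` in the third, count the 'x' separator as part of the height, so a four-digit height (e.g. a `1024x1024` name) gives sy_size 5 and is rejected by the new `> MAXICONDIMLEN - 1` bound while the same four-digit width passes the sx check; the overflow fix itself still holds either way, since the bound keeps `sy[sy_size] = '\0'` at sy[4] or below inside the five-byte array. Dropping the separator with `sy_size = dim + dimlen - xchar - 1;` and `sy_size = app + strlen(app) - xchar - 1;` gives both dimensions the same limit and matches the terminator index `sy[dim + dimlen - xchar - 1]` that the hunk removes, with strncpy then copying exactly the digits and the explicit store supplying the NUL. The enclosing function starts and ends outside these hunks, and dimlen is set outside them too (presumably the length of dim), so confirm that before changing the bound. Declaring `sx_size`/`sy_size` as `ptrdiff_t` instead of `int` would also match the pointer-difference arithmetic that produces them.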