Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:remind User: [email protected] Usertags: pu
[ Reason ] Potential buffer overflow leading to a segfault. [ Impact ] remind crashes in some configuration. [ Tests ] remind has an extensive test suite which by chance found the bug and passes now. I also ran some manual tests on my data. [ Risks ] low. remind is not widely used and this is rather a corner case, also the patch is rather simple. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] The variable is truncated to the buffer length before printing.
diff --git a/debian/changelog b/debian/changelog index cc75c03..aef3024 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +remind (05.03.07-1+deb13u1) trixie; urgency=medium + + * fixes buffer overflow in DUMPVARS (Closes: #1111581) + + -- Jochen Sprickerhof <[email protected]> Wed, 20 Aug 2025 09:58:01 +0200 + remind (05.03.07-1) unstable; urgency=medium * New upstream version 05.03.07 diff --git a/debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch b/debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch new file mode 100644 index 0000000..1bdf9e2 --- /dev/null +++ b/debian/patches/0002-Fix-buffer-overflow-in-DUMPVARS.patch @@ -0,0 +1,29 @@ +From: Jochen Sprickerhof <[email protected]> +Date: Wed, 20 Aug 2025 09:56:39 +0200 +Subject: Fix buffer overflow in DUMPVARS + +--- + src/var.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/var.c b/src/var.c +index 7989cd5..c81d8f3 100644 +--- a/src/var.c ++++ b/src/var.c +@@ -711,9 +711,14 @@ int DoDump(ParsePtr p) + DumpSysVarByName(DBufValue(&buf)+1); + } else { + v = FindVar(DBufValue(&buf), 0); +- DBufValue(&buf)[VAR_NAME_LEN] = 0; +- if (!v) fprintf(ErrFp, "%s %s\n", ++ if (!v) { ++ if (DBufLen(&buf) > VAR_NAME_LEN) { ++ /* Truncate over-long variable name */ ++ DBufValue(&buf)[VAR_NAME_LEN] = 0; ++ } ++ fprintf(ErrFp, "%s %s\n", + DBufValue(&buf), UNDEF); ++ } + else { + fprintf(ErrFp, "%s ", v->name); + PrintValue(&(v->v), ErrFp); diff --git a/debian/patches/series b/debian/patches/series index 73c5c9f..19d789e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ use-system-libjsonparser.diff +0002-Fix-buffer-overflow-in-DUMPVARS.patch
