Bug#1131134: marked as done (units segfault on arm64)

Wed, 18 Mar 2026 04:53:44 -0700 

Your message dated Wed, 18 Mar 2026 11:48:32 +0000
with message-id <[email protected]>
and subject line Bug#1131134: fixed in units 2.26-2
has caused the Debian Bug report #1131134,
regarding units segfault on arm64
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131134: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131134
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: units
Version: 2.25-2
Severity: serious
Tags: patch
User: [email protected]
Usertags: origin-ubuntu resolute ubuntu-patch

Dear Maintainer,

units fail due to accessing memory out of array bounds:

$ units
Currency exchange rates from exchangerate-api.com (USD base) on 2026-01-17
Consumer price index data from US BLS, 2026-01-13
Segmentation fault units

The root cause units.c:1489 - outer loop variable i is reused when parsing
domain segments units.c:1529, units.c:1539 causing the memory access beyond
keyword array.

In Ubuntu, the attached patch was applied to achieve the following:

Use different variable to parse intervals to resolve the segmentation fault.

  * d/p/do-not-use-loop-variable: resolve segmentation fault (LP:
    #2144689).


Thanks for considering the patch.


-- System Information:
Debian Release: forky/sid
  APT prefers questing-updates
  APT policy: (500, 'questing-updates'), (500, 'questing-security'), (500, 
'questing'), (100, 'questing-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.17.0-19-generic (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru units-2.25/debian/patches/do-not-use-loop-variable.patch 
units-2.25/debian/patches/do-not-use-loop-variable.patch
--- units-2.25/debian/patches/do-not-use-loop-variable.patch    1970-01-01 
12:00:00.000000000 +1200
+++ units-2.25/debian/patches/do-not-use-loop-variable.patch    2026-03-18 
10:06:19.000000000 +1300
@@ -0,0 +1,44 @@
+Description: Do not increment the loop variable
+ When parsing FN_DOMAIN intervals, newfunction reuses 
+ the loop variable i, causing the segmentation fault
+ due to arrays out of bounds access.
+ This patch introduces a separate variable for the
+ interval parsing.
+Author: Vladimir Petko <[email protected]>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/2144689
+Forwarded: no
+Last-Update: 2026-03-18
+
+--- a/units.c
++++ b/units.c
+@@ -1377,7 +1377,7 @@
+   char *params[MAX_FUNC_PARAMS];
+   char *forward_dim[MAX_FUNC_PARAMS];
+   int param_count, extrachars;
+-  int looking_for_keywords,i;
++  int looking_for_keywords,i,param_index;
+   struct interval domain[MAX_FUNC_PARAMS];
+   struct interval range; 
+   int noerror = 0;
+@@ -1526,17 +1526,17 @@
+         if (i==FN_DOMAIN){
+           char *x=unitdef;
+           unitdef = parseinterval(unitdef, domain, unitname, linenum, file, 
errfile, &errors, "domain=");
+-          i=1;
++          param_index=1;
+           while(*unitdef && strchr(",[(",*unitdef)){
+           if (*unitdef==',') unitdef++;
+-            if (i>=param_count){
++            if (param_index>=param_count){
+               if (errfile) fprintf(errfile,
+                      "%s: definition of function '%s' has too many intervals 
in domain in '%s' line %d\n",
+                      progname,unitname,file,linenum);
+               BADFILE;
+             }
+-            unitdef = parseinterval(unitdef, domain+i, unitname, linenum, 
file, errfile, &errors, "domain=");
+-            i++;
++            unitdef = parseinterval(unitdef, domain+param_index, unitname, 
linenum, file, errfile, &errors, "domain=");
++            param_index++;
+           }
+         }
+         if (*unitdef!=' '){
diff -Nru units-2.25/debian/patches/series units-2.25/debian/patches/series
--- units-2.25/debian/patches/series    2026-02-20 06:30:49.000000000 +1300
+++ units-2.25/debian/patches/series    2026-03-18 10:06:19.000000000 +1300
@@ -1,2 +1,3 @@
 no-currency-update-during-build.patch
 packetizer.patch
+do-not-use-loop-variable.patch

--- End Message ---
--- Begin Message --- 
Source: units
Source-Version: 2.26-2
Done: Stephen Kitt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
units, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Kitt <[email protected]> (supplier of updated units package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Mar 2026 12:30:30 +0100
Source: units
Architecture: source
Version: 2.26-2
Distribution: unstable
Urgency: medium
Maintainer: Stephen Kitt <[email protected]>
Changed-By: Stephen Kitt <[email protected]>
Closes: 1131134
Changes:
 units (2.26-2) unstable; urgency=medium
 .
   * Apply the Ubuntu patch to fix a segfault on arm64. Thanks Vladimir
     Petko! Closes: #1131134.
Checksums-Sha1:
 7f03bb048f9d1e439969d3ac3e69099de21b1899 2064 units_2.26-2.dsc
 ce74e3d5ffcdc720d365bcb5c2c162eaaec78369 10288 units_2.26-2.debian.tar.xz
 d5464012463dabe44d3c5ae816b14642dadc601d 7426 units_2.26-2_source.buildinfo
Checksums-Sha256:
 ecc07edf0a94966f8e784695985ca52226ccaa1c085c01ccbcac8b669089bb88 2064 
units_2.26-2.dsc
 498ea2a53b27f78d9adf2b04d2f2aa43bed876eb6d4cd05e45852b785adcad29 10288 
units_2.26-2.debian.tar.xz
 fa0572ac6083e09b597c865db1e0894810f7418c7c5d190135b41b06557e204c 7426 
units_2.26-2_source.buildinfo
Files:
 1ec0aa076314636be2d313231f1a21a8 2064 utils optional units_2.26-2.dsc
 e957107bc17d1e4e55bd9b560e3cf3cc 10288 utils optional 
units_2.26-2.debian.tar.xz
 2d5c5a6b2dde081dbab74ec3e0623721 7426 utils optional 
units_2.26-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEnPVX/hPLkMoq7x0ggNMC9Yhtg5wFAmm6jSEACgkQgNMC9Yht
g5w1hA//T90Aq3o6SfVCOTfrisukemSg+ew8jHY4+eWC8QyyWPWSeGloCvamoaIo
8nnkLVr+rOpkyF7nO7GZhboYvyu0dxI2JFXubf3Ewt2o+r1Zxc4IVaROqzdS2S5U
0/OxTqhN2K5iMDmLcYxKtlG+P7NzsA6ETrbpUiawUwLGyCub2pZbnm5cK774Y67p
6AXe1U+v5xbGLGKbHduPEBDgTHuNRnYpNZST69QIVbAMjQXdHLOzog1XTdJ9fGfB
XapuICwNfqkrWvRBs1iO4bHXdtg2oj45N1EGwzQQlHm8XbvhJDg663vWUO8dVOwE
cc8ocauKJZCyxqElN3O9y6NZeF7FyUUIYpavFM8sdt+Apmj69DrqzOtOjZ4FJvPE
zUM/+MIDGfJJ+0TZ2rsaFzyrTXmwQrQH4piou8AQjd2uNMjbIzU7LOuvqhbADNBZ
etEGuaXnMDi9iJjk5Psx/yc+//1vsysH8NvNtpSK+Jc6maf+ydLRQkFRi3Elz3M8
jLx2NGOHgTWVIcg0Y2CTHPowty88XWXLiQ2wVKUjYNtR56bHCm81wLiIksqoSvDS
PxnLdywkY7l9IEsBEp6QCy0YPZvRzE5SkUmazL6PZnY4L3cddQH7sYdeTF5D9cM5
vSuIHV6ZtcCp3KHBOlaZ0uuxUr6yO/YXo5t/ow1CfDAbGndeTk8=
=O6zX
-----END PGP SIGNATURE-----

Attachment: pgprNbfWHoAgc.pgp
Description: PGP signature


--- End Message ---

Reply via email to