Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libpan...@packages.debian.org
Hello,

I would like to fix 985249 for buster. It is a straightforward format string issue, as documented in the respective report. The issue is fixed in unstable (2.9.20~rc3+dfsg-1) but not yet in testing.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru libpano13-2.9.19+dfsg/debian/changelog libpano13-2.9.19+dfsg/debian/changelog --- libpano13-2.9.19+dfsg/debian/changelog 2017-09-10 14:39:18.000000000 +0200 +++ libpano13-2.9.19+dfsg/debian/changelog 2021-03-18 14:12:08.000000000 +0100 @@ -1,3 +1,12 @@ +libpano13 (2.9.19+dfsg-3+deb10u1) buster; urgency=medium + + * 850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff + cherry-picked from 2.9.20 rc3: Fixes format string bug, pasing along + format strings in user specified output filename to printf. + Closes: #985249 + + -- Andreas Metzler <ametz...@debian.org> Thu, 18 Mar 2021 14:12:08 +0100 + libpano13 (2.9.19+dfsg-3) unstable; urgency=medium * Move Vcs-* from git/http to https. diff -Nru libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff --- libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff 1970-01-01 01:00:00.000000000 +0100 +++ libpano13-2.9.19+dfsg/debian/patches/850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff 2021-03-18 14:12:08.000000000 +0100 
@@ -0,0 +1,40 @@ +# HG changeset patch +# User tmodes +# Date 1615911819 -3600 +# Tue Mar 16 17:23:39 2021 +0100 +# Node ID f02459498cb44c0087900616a7e61563d614c05f +# Parent 2e9ee0a5e32f2ca6e1a5b3f9c2d5c393a41903c3 +Prevent string vulnerability by refusing prefix strings with percentage sign + +diff -r 2e9ee0a5e32f -r f02459498cb4 file.c +--- a/file.c Sun Dec 13 15:37:56 2020 +0100 ++++ b/file.c Tue Mar 16 17:23:39 2021 +0100 +@@ -2910,6 +2910,16 @@ + } + strcat(outputPrefix, DEFAULT_PREFIX_NUMBER_FORMAT); + } ++ else { ++ // TODO: sanitize outputPrefix, only a single format specifier %??d or %??i ++ // is allowed, all other should be escaped ++ // until this is implemented refuse to process further if prefix string ++ // contains a percentage sign to prevent string vulnerability in ++ // sprintf(outputFilename, outputPrefix ...) below ++ PrintError("Output prefix must not contain a percentage sign"); ++ return 0; ++ } ++ + + for (i =0; i< filesCount ; i++) { + sprintf( outputFilename, outputPrefix, i ); +diff -r 2e9ee0a5e32f -r f02459498cb4 tools/PTcrop.c +--- a/tools/PTcrop.c Sun Dec 13 15:37:56 2020 +0100 ++++ b/tools/PTcrop.c Tue Mar 16 17:23:39 2021 +0100 +@@ -36,7 +36,7 @@ + + #define PT_CROP_USAGE "PTuncrop [options] <inputFiles+>\n\n" \ + "Options:\n" \ +- "\t-p <prefix>\tPrefix for output files (defaults to " DEFAULT_PREFIX "%%4d)\n" \ ++ "\t-p <prefix>\tPrefix for output files (defaults to " DEFAULT_PREFIX ")\n" \ + "\t-f\t\tForce processing: Overwrite output files if they exists (use with care)\n" \ + "\t-x\t\tDelete source files (use with care)\n"\ + "\t-q\t\tQuiet run\n"\ diff -Nru libpano13-2.9.19+dfsg/debian/patches/series libpano13-2.9.19+dfsg/debian/patches/series --- libpano13-2.9.19+dfsg/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libpano13-2.9.19+dfsg/debian/patches/series 2021-03-18 14:12:08.000000000 +0100 @@ -0,0 +1 @@ +850_f02459498cb4_Prevent_string_vulnerability_by_refusing.diff
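Review bot: typo in the changelog hunk, `pasing` should be `passing` in the line `cherry-picked from 2.9.20 rc3: Fixes format string bug, pasing along`; this text ships in the package changelog, so it is worth correcting before upload.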
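Review bot: the new `else` branch in the file.c hunk refuses every prefix containing `%`, which, as its own TODO says, also rejects the one legitimate form (a single `%??d` or `%??i` specifier) that the later `sprintf( outputFilename, outputPrefix, i );` consumes `i` with; the condition that chooses between the `strcat(outputPrefix, DEFAULT_PREFIX_NUMBER_FORMAT);` branch and the new refusal lies outside the three lines of context, so the hunk alone does not show that a user-supplied numbering format is still accepted rather than refused, and the behaviour change (user may no longer pass their own `%4d`-style prefix) deserves a sentence in the changelog. Two smaller points: the `sprintf( outputFilename, outputPrefix, i );` call still writes without a length bound, so an over-long prefix remains a separate overflow concern that `snprintf` with the destination's size would close; and the extra blank `+` line after the closing brace leaves two empty lines where there was one.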
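Review bot: the tools/PTcrop.c usage hunk drops `%%4d` from the documented default for `-p` but does not tell users that a prefix containing a percentage sign is now refused by file.c, so anyone following older documentation that showed `%4d` only learns this from the runtime error; suggest extending the help line, e.g. `"\t-p <prefix>\tPrefix for output files, must not contain a percentage sign (defaults to " DEFAULT_PREFIX ")\n" \`.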