Control: tags -1 moreinfo confirmed

On 2021-05-13 08:52:30 +0300, Andrius Merkys wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Dear release-team,
>
> I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.
ACK, please remove the moreinfo tag once the new version is available in
unstable.

Cheers

>
> [ Reason ]
> cod-tools/3.1.0+dfsg-2 is susceptible to buffer overrun due to a single
> occurrence of unchecked C buffer boundary (an upstream bug, forwarded).
> cod-tools/3.1.0+dfsg-3 fixes this bug via patch by using C function
> which writes no more bytes than the length of the current buffer.
>
> [ Impact ]
> Without the fix, buffer overrun may occur in specific circumstances.
>
> [ Tests ]
> * Built on clean sid chroot;
> * Upstream test suite and autopkgtest pass.
>
> [ Risks ]
> Most likely none. All binary packages built from source:cod-tools are
> leaf packages.
>
> [ Checklist ]
> [*] all changes are documented in the d/changelog
> [*] I reviewed all changes and I approve them
> [*] attach debdiff against the package in testing
>
> unblock cod-tools/3.1.0+dfsg-3
>
> Best,
> Andrius
> diff -Nru cod-tools-3.1.0+dfsg/debian/changelog
> cod-tools-3.1.0+dfsg/debian/changelog
> --- cod-tools-3.1.0+dfsg/debian/changelog 2021-03-05 11:44:59.000000000
> -0500
> +++ cod-tools-3.1.0+dfsg/debian/changelog 2021-05-12 06:21:45.000000000
> -0400
> @@ -1,3 +1,9 @@
> +cod-tools (3.1.0+dfsg-3) unstable; urgency=medium
> +
> + * Patching buffer overflow in code responsible for composing error
> messages.
> +
> + -- Andrius Merkys <mer...@debian.org> Wed, 12 May 2021 06:21:45 -0400
> +
> cod-tools (3.1.0+dfsg-2) unstable; urgency=medium
>
> * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl
> diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
> cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
> --- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
> 1969-12-31 19:00:00.000000000 -0500
> +++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff
> 2021-05-12 06:18:47.000000000 -0400
> @@ -0,0 +1,21 @@
> +Description: Fixes buffer overflow.
> +Author: Andrius Merkys <mer...@debian.org>
> +Forwarded: mailto:cod-b...@ibt.lt
> +--- a/src/externals/cexceptions/cxprintf.c
> ++++ b/src/externals/cexceptions/cxprintf.c
> +@@ -27,11 +27,11 @@
> +
> + const char* vcxprintf( const char * format, va_list args )
> + {
> +- static char error_message[200] = "";
> ++ static char error_message[1024] = "";
> ++
> +
> +- /*
> + vsnprintf( error_message, sizeof(error_message), format, args );
> +- */
> +- vsprintf( error_message, format, args );
> ++
> ++ // vsprintf( error_message, format, args );
> + return error_message;
> + }
> diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series
> cod-tools-3.1.0+dfsg/debian/patches/series
> --- cod-tools-3.1.0+dfsg/debian/patches/series 2021-03-05
> 11:44:59.000000000 -0500
> +++ cod-tools-3.1.0+dfsg/debian/patches/series 2021-05-12
> 03:46:26.000000000 -0400
> @@ -2,3 +2,4 @@
> hardening.diff
> disable-test-network-access.diff
> spglib.diff
> +fix-buffer-overflow.diff

-- 
Sebastian Ramacher
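Review bot: The changelog entry in the `@@ -1,3 +1,9 @@` hunk of debian/changelog is too vague for a security-motivated upload: `* Patching buffer overflow in code responsible for composing error messages.` should name the affected function and file (`vcxprintf()` in `src/externals/cexceptions/cxprintf.c`), say that `vsprintf()` was replaced by `vsnprintf()` bounded to `sizeof(error_message)`, and reference the upstream bug report that the [ Reason ] section says was forwarded, so the change is traceable from the changelog alone.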
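Review bot: In the cxprintf.c hunk of fix-buffer-overflow.diff (`+@@ -27,11 +27,11 @@`), `vsnprintf( error_message, sizeof(error_message), format, args );` bounds the write, but its return value is never examined, so a message longer than 1023 bytes is now silently cut at the buffer end instead of overflowing; consider checking whether the result is `>= sizeof(error_message)` and marking the truncation (appending "..." before the terminator, for instance) so callers and log readers can tell. The hunk also leaves dead code behind: `++ // vsprintf( error_message, format, args );` and the two added empty lines should be removed rather than commented out, since a quilt patch is meant to carry the minimal change, and `Description: Fixes buffer overflow.` in the DEP-3 header should say where (the `vcxprintf()` error buffer). Separately, `error_message` stays a single `static` buffer, so the returned pointer is overwritten by the next call and the function is not reentrant; that is pre-existing and out of scope for an unblock, but worth raising with upstream together with the forwarded fix.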
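The bounded-write pattern described in the request's [ Reason ] section, written out as an added C example. This is not cod-tools code and not the patch above: `struct errmsg_result`, `verrmsg_format()`, `errmsg_format()`, the two `demo_*` helpers and `ERRMSG_CAP` are this example's own names, the sample messages are constructed, and the 64-byte capacity is chosen so the truncation path is easy to trigger (the patch uses a 1024-byte static buffer).

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the message buffer. Hypothetical, small on purpose so the
 * truncation case below is reachable with a short input. */
#define ERRMSG_CAP 64

/* Result handed back to the caller: `text` is always NUL-terminated and
 * never longer than ERRMSG_CAP - 1 bytes, `needed` is the length the full
 * message would have had, `truncated` says whether it was cut. */
struct errmsg_result {
    char   text[ERRMSG_CAP];
    size_t needed;
    int    truncated;
};

/* Bounded replacement for the vsprintf() pattern. vsnprintf() writes at
 * most `sizeof out->text` bytes including the terminator, whatever the
 * format and arguments expand to, and returns the length the complete
 * output would have had; comparing that with the capacity is what turns
 * a silent overflow into a truncation the caller can see. */
static int verrmsg_format(struct errmsg_result *out, const char *format,
                          va_list args)
{
    int n;

    memset(out, 0, sizeof *out);
    n = vsnprintf(out->text, sizeof out->text, format, args);
    if (n < 0) {
        /* Encoding error: hand back an empty, terminated message. */
        out->text[0] = '\0';
        return -1;
    }
    out->needed = (size_t)n;
    out->truncated = (size_t)n >= sizeof out->text;
    if (out->truncated) {
        /* Make the cut visible instead of pretending the message is whole;
         * ERRMSG_CAP is well above 4, so this stays inside the buffer. */
        memcpy(out->text + sizeof out->text - 4, "...", 4);
    }
    return n;
}

/* printf-style front end, the way a cxprintf()-like wrapper would call
 * the va_list version. */
static int errmsg_format(struct errmsg_result *out, const char *format, ...)
{
    va_list args;
    int n;

    va_start(args, format);
    n = verrmsg_format(out, format, args);
    va_end(args);
    return n;
}

/* Constructed input that fits the buffer. */
static int demo_short_message(struct errmsg_result *out)
{
    return errmsg_format(out, "%s: line %d: unexpected token '%s'",
                         "data.cif", 42, "loop_");
}

/* Constructed input that would have run past a fixed buffer when
 * formatted with vsprintf(): 100 'A' bytes standing in for a token
 * taken verbatim from an untrusted input file. */
static int demo_long_message(struct errmsg_result *out)
{
    char token[101];

    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';
    return errmsg_format(out, "%s: parse error in '%s'", "input.cif", token);
}

int main(void)
{
    struct errmsg_result r;

    demo_short_message(&r);
    printf("%s (needed %zu, truncated %d)\n", r.text, r.needed, r.truncated);
    demo_long_message(&r);
    printf("%s (needed %zu, truncated %d)\n", r.text, r.needed, r.truncated);
    return 0;
}
```

Switching to `vsnprintf()` is what closes the overflow; the return-value comparison is the extra step that tells a caller the message it received is not the whole message, which matters when the text is later parsed, logged or shown to a user.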