Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.ca...@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #817992,
regarding jessie-pu: package apt/1.0.9.8.3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
817992: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817992
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
I'd like to update APT in jessie from 1.0.9.8.2 to 1.0.9.8.3 to
fix a stack buffer overflow the the dependency resolver, backported
from apt 1.2.6.
A compressed complete diff is attached. The relevant part is reproduced
below, it consists of the commits:
[1]
https://anonscm.debian.org/cgit/apt/apt.git/commit/?h=debian/jessie&id=2f34b45174906024fa87ee0d51d2e13d4770f465
[2]
https://anonscm.debian.org/cgit/apt/apt.git/commit/?h=debian/jessie&id=950f68a3459f47aa7215ce2bd493ca9354194300
[1] being the original commit cherry-picked, [2] being the changes needed to
make
that run in jessie with a pre-C++11 APT.
diff -Nru apt-1.0.9.8.2/apt-pkg/algorithms.cc
apt-1.0.9.8.3/apt-pkg/algorithms.cc
--- apt-1.0.9.8.2/apt-pkg/algorithms.cc 2015-09-15 17:08:27.000000000 +0200
+++ apt-1.0.9.8.3/apt-pkg/algorithms.cc 2016-03-12 14:14:29.000000000 +0100
@@ -735,6 +735,7 @@
changing a breaks c) */
bool Change = true;
bool const TryFixByInstall =
_config->FindB("pkgProblemResolver::FixByInstall", true);
+ std::vector<PackageKill> KillList;
for (int Counter = 0; Counter != 10 && Change == true; Counter++)
{
Change = false;
@@ -777,12 +778,12 @@
clog << "Investigating (" << Counter << ") " << I << endl;
// Isolate the problem dependency
- PackageKill KillList[100];
- PackageKill *LEnd = KillList;
bool InOr = false;
pkgCache::DepIterator Start;
pkgCache::DepIterator End;
- PackageKill *OldEnd = LEnd;
+ size_t OldSize = 0;
+
+ KillList.resize(0);
enum {OrRemove,OrKeep} OrOp = OrRemove;
for (pkgCache::DepIterator D =
Cache[I].InstVerIter(Cache).DependsList();
@@ -792,7 +793,7 @@
if (Start == End)
{
// Decide what to do
- if (InOr == true && OldEnd == LEnd)
+ if (InOr == true && OldSize == KillList.size())
{
if (OrOp == OrRemove)
{
@@ -826,7 +827,7 @@
continue;
InOr = Start != End;
- OldEnd = LEnd;
+ OldSize = KillList.size();
}
else
{
@@ -989,10 +990,8 @@
if (Debug == true)
clog << " Added " << Pkg.FullName(false) << " to the
remove list" << endl;
-
- LEnd->Pkg = Pkg;
- LEnd->Dep = End;
- LEnd++;
+
+ KillList.push_back((PackageKill) {Pkg, End});
if (Start.IsNegative() == false)
break;
@@ -1042,7 +1041,7 @@
// Apply the kill list now
if (Cache[I].InstallVer != 0)
{
- for (PackageKill *J = KillList; J != LEnd; J++)
+ for (std::vector<PackageKill>::const_iterator J = KillList.begin();
J != KillList.end(); J++)
{
Change = true;
if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0)
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (900, 'unstable'), (500, 'unstable-debug'), (500, 'testing'),
(100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
apt_1.0.9.8.2_1.0.9.8.3.diff.gz
Description: application/gzip
--- End Message ---
--- Begin Message ---
Version: 8.4
Hi,
The packages referenced by these bugs were included in today's stable
point release.
Regards,
Adam
--- End Message ---
