Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package indent for openSUSE:Factory checked in at 2024-02-20 21:13:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/indent (Old)
 and      /work/SRC/openSUSE:Factory/.indent.new.1706 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "indent" Tue Feb 20 21:13:14 2024 rev:25 rq:1147530 version:2.2.13 Changes: -------- --- /work/SRC/openSUSE:Factory/indent/indent.changes 2023-08-23 14:59:05.990149501 +0200 +++ /work/SRC/openSUSE:Factory/.indent.new.1706/indent.changes 2024-02-20 21:13:15.599467100 +0100 @@ -1,0 +2,8 @@ +Fri Feb 16 09:57:02 UTC 2024 - pgaj...@suse.com + +- security update +- added patches + fix CVE-2024-0911 [bsc#1219210], heap-based buffer overflow in set_buf_break() + + indent-CVE-2024-0911.patch + +------------------------------------------------------------------- New: ---- indent-CVE-2024-0911.patch BETA DEBUG BEGIN: New: fix CVE-2024-0911 [bsc#1219210], heap-based buffer overflow in set_buf_break() + indent-CVE-2024-0911.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ indent.spec ++++++ --- /var/tmp/diff_new_pack.9uL2vZ/_old 2024-02-20 21:13:16.187488438 +0100 +++ /var/tmp/diff_new_pack.9uL2vZ/_new 2024-02-20 21:13:16.187488438 +0100 @@ -1,7 +1,7 @@ # # spec file for package indent # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,8 @@ # PATCH-FIX-SECURITY fix-out-of-buffer-read-CVE-2023-40305.patch fix-heap-buffer-overwrite-search_brace-CVE-2023-40305 bsc#1214243 CVE-2023-40305 antonio.teixe...@suse.com -- indent: heap-based buffer overflow in search_brace() in indent.c via a crafted file Patch0: fix-out-of-buffer-read-CVE-2023-40305.patch Patch1: fix-heap-buffer-overwrite-search_brace-CVE-2023-40305.patch +# CVE-2024-0911 [bsc#1219210], heap-based buffer overflow in set_buf_break() +Patch2: indent-CVE-2024-0911.patch BuildRequires: makeinfo BuildRequires: texi2html ++++++ indent-CVE-2024-0911.patch ++++++ diff --git a/src/output.c b/src/output.c index ee01bcc..17eee6e 100644 --- a/src/output.c 
+++ b/src/output.c @@ -290,7 +290,7 @@ void set_buf_break ( /* Did we just parse a bracket that will be put on the next line * by this line break? */ - if ((*token == '(') || (*token == '[')) + if (level > 0 && ((*token == '(') || (*token == '['))) { --level; /* then don't take it into account */ } -- 2.43.0
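Review bot: in the indent.spec hunk, only the `Patch2: indent-CVE-2024-0911.patch` declaration is added; the `%prep` section is not part of the diff, so confirm that the patch is actually applied there (a matching `%patch2 -p1`, or `%autopatch`/`%autosetup` already in use), otherwise the build will package the fix without compiling it in.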
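Review bot: in the src/output.c hunk, the new `level > 0 &&` guard keeps `--level` from taking `level` below zero when an opening `(` or `[` token is seen at level 0, which is the minimal fix, but the surviving comment `/* then don't take it into account */` should also state why level 0 is excluded (presumably a negative `level` is what led to the heap-based buffer overflow in set_buf_break() named in the changelog), so a later cleanup does not drop the guard as redundant; a regression input from bsc#1219210 added to the test suite would pin the behaviour down.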