Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Dear release-team,

I am seeking pre-approval to upload cod-tools/3.1.0+dfsg-3.

[ Reason ]
cod-tools/3.1.0+dfsg-2 is susceptible to a buffer overrun due to a single occurrence of an unchecked C buffer boundary (an upstream bug, forwarded). cod-tools/3.1.0+dfsg-3 fixes this bug via a patch by using a C function which writes no more bytes than the length of the current buffer.

[ Impact ]
Without the fix, a buffer overrun may occur in specific circumstances.

[ Tests ]
 * Built in a clean sid chroot;
 * Upstream test suite and autopkgtest pass.

[ Risks ]
Most likely none. All binary packages built from source:cod-tools are leaf packages.

[ Checklist ]
 [*] all changes are documented in the d/changelog
 [*] I reviewed all changes and I approve them
 [*] attach debdiff against the package in testing

unblock cod-tools/3.1.0+dfsg-3

Best,
Andrius
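As an added illustration of the bounded formatting the patch switches to (example code written for this note, not cod-tools' own cxprintf.c; the function and variable names are hypothetical), a vsnprintf-based message formatter can also report to the caller when the message had to be truncated, something a plain vsnprintf call does not surface on its own:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded variant of a vcxprintf()-style helper (not cod-tools'
 * code). It formats into a fixed static buffer with vsnprintf, so at most
 * sizeof(error_message) bytes are ever written and the result is always
 * NUL-terminated, and it remembers whether the message was cut short. */
#define ERROR_MESSAGE_SIZE 1024

static char error_message[ERROR_MESSAGE_SIZE] = "";
static int last_message_truncated = 0;

const char *vcxprintf_bounded(const char *format, va_list args)
{
    int needed = vsnprintf(error_message, sizeof(error_message), format, args);
    /* vsnprintf returns the length the complete message would have had; a
     * value >= the buffer size means the output was truncated (safely). */
    last_message_truncated =
        (needed < 0 || (size_t)needed >= sizeof(error_message));
    return error_message;
}

const char *cxprintf_bounded(const char *format, ...)
{
    va_list args;
    va_start(args, format);
    const char *msg = vcxprintf_bounded(format, args);
    va_end(args);
    return msg;
}

int cxprintf_was_truncated(void)
{
    return last_message_truncated;
}

/* Constructed input: a 1499-byte field name, longer than both the old 200-byte
 * buffer and the new 1024-byte one. Returns the stored message length, which
 * stays capped at ERROR_MESSAGE_SIZE - 1 instead of overrunning the buffer. */
size_t demo_long_field(void)
{
    char field[1500];
    memset(field, 'A', sizeof(field) - 1);
    field[sizeof(field) - 1] = '\0';
    cxprintf_bounded("unknown tag '%s' at line %d", field, 42);
    return strlen(error_message);
}
```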
diff -Nru cod-tools-3.1.0+dfsg/debian/changelog cod-tools-3.1.0+dfsg/debian/changelog --- cod-tools-3.1.0+dfsg/debian/changelog 2021-03-05 11:44:59.000000000 -0500 +++ cod-tools-3.1.0+dfsg/debian/changelog 2021-05-12 06:21:45.000000000 -0400 @@ -1,3 +1,9 @@ +cod-tools (3.1.0+dfsg-3) unstable; urgency=medium + + * Patching buffer overflow in code responsible for composing error messages. + + -- Andrius Merkys <mer...@debian.org> Wed, 12 May 2021 06:21:45 -0400 + cod-tools (3.1.0+dfsg-2) unstable; urgency=medium * Adding missing Breaks+Replaces: cod-tools (<< 3) for libcod-tools-perl diff -Nru cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff --- cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 1969-12-31 19:00:00.000000000 -0500 +++ cod-tools-3.1.0+dfsg/debian/patches/fix-buffer-overflow.diff 2021-05-12 06:18:47.000000000 -0400 @@ -0,0 +1,21 @@ +Description: Fixes buffer overflow. +Author: Andrius Merkys <mer...@debian.org> +Forwarded: mailto:cod-b...@ibt.lt +--- a/src/externals/cexceptions/cxprintf.c ++++ b/src/externals/cexceptions/cxprintf.c +@@ -27,11 +27,11 @@ + + const char* vcxprintf( const char * format, va_list args ) + { +- static char error_message[200] = ""; ++ static char error_message[1024] = ""; ++ + +- /* + vsnprintf( error_message, sizeof(error_message), format, args ); +- */ +- vsprintf( error_message, format, args ); ++ ++ // vsprintf( error_message, format, args ); + return error_message; + } diff -Nru cod-tools-3.1.0+dfsg/debian/patches/series cod-tools-3.1.0+dfsg/debian/patches/series --- cod-tools-3.1.0+dfsg/debian/patches/series 2021-03-05 11:44:59.000000000 -0500 +++ cod-tools-3.1.0+dfsg/debian/patches/series 2021-05-12 03:46:26.000000000 -0400 @@ -2,3 +2,4 @@ hardening.diff disable-test-network-access.diff spglib.diff +fix-buffer-overflow.diff
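Review bot: the changelog entry "Patching buffer overflow in code responsible for composing error messages." does not say where the fix lands or that it was forwarded upstream; naming src/externals/cexceptions/cxprintf.c and the switch from vsprintf to vsnprintf, and mentioning the forwarding, would make the change traceable from the changelog alone.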
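Review bot: the inner patch to cxprintf.c leaves dead lines in the upstream source: the commented-out `// vsprintf( error_message, format, args );` and two added blank lines (the `+` directly after the `static char error_message[1024] = "";` line and the bare `+` before the comment). Since the `vsnprintf( error_message, sizeof(error_message), format, args );` call is now live and correctly bounds writes to the buffer, delete the vsprintf line outright instead of commenting it out and drop the blank lines, so the forwarded patch stays minimal. Two caveats worth a sentence in the patch description: vsnprintf truncates silently, so a message longer than 1023 bytes is cut with no indication to the caller, and error_message remains a single static buffer shared by every caller, which this patch does not change.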