Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ind...@packages.debian.org, sanv...@debian.org
Control: affects -1 + src:indent
[ Reason ]
These are two related memory-handling bugs, one of them having a CVE number.
According to Salvatore, from the security team, there will be no DSA for this,
so we have to update the package using proposed-updates.
[ Impact ]
Without this update the package in stable would remain vulnerable.
[ Tests ]
I've checked that valgrind no longer complains on the test cases provided
by the patch author.
[ Risks ]
Very low chance of breaking anything, as the patches are very simple.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Explained in the changelog.
[ Other info ]
I've already made the upload.
diff -Nru indent-2.2.12/debian/changelog indent-2.2.12/debian/changelog
--- indent-2.2.12/debian/changelog 2023-07-14 13:40:00.000000000 +0200
+++ indent-2.2.12/debian/changelog 2023-08-28 12:55:00.000000000 +0200
@@ -1,3 +1,13 @@
+indent (2.2.12-4+deb12u2) bookworm; urgency=medium
+
+ * Apply two patches by Petr Písař <ppi...@redhat.com>.
+ - Fix an out-of-buffer read in search_brace()/lexi() on an condition
+ without parentheses followed with an overlong comment.
+ - Fix a heap buffer overwrite in search_brace(). Closes: #1049366.
+ This one is CVE-2023-40305.
+
+ -- Santiago Vila <sanv...@debian.org> Mon, 28 Aug 2023 12:55:00 +0200
+
indent (2.2.12-4+deb12u1) bookworm; urgency=medium
* Restore the ROUND_UP macro and adjust the initial buffer size.
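Review bot: In the new changelog entry, "Closes: #1049366" is attached only to the heap buffer overwrite item, yet both added patches carry Bug-Debian: https://bugs.debian.org/1049366 in their headers. If the bug covers both issues, put the Closes on a line that applies to both items so the association is unambiguous. The first item also has a typo: "on an condition" should read "on a condition".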
diff -Nru indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch
indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch
--- indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch
1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/03-fix-an-out-of-buffer-read.patch
2023-08-28 11:03:00.000000000 +0200
@@ -0,0 +1,17 @@
+From: Petr Písař <ppi...@redhat.com>
+Subject: Fix an out-of-buffer read in search_brace()/lexi()
+Bug-Debian: https://bugs.debian.org/1049366
+Forwarded: https://savannah.gnu.org/bugs/index.php?64503
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -145,8 +145,8 @@
+ parser_state_tos->search_brace = false;
+ bp_save = buf_ptr;
+ be_save = buf_end;
+- buf_ptr = save_com.ptr;
+ need_chars (&save_com, 1);
++ buf_ptr = save_com.ptr;
+ buf_end = save_com.end;
+ save_com.end = save_com.ptr; /* make save_com empty */
+ }
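Review bot: The patch header does not say why moving "buf_ptr = save_com.ptr;" below "need_chars (&save_com, 1);" fixes the read, so the ordering dependency is left implicit. The reorder suggests that need_chars() can change save_com.ptr (buf_end is already taken from save_com.end after the call). A one-line description in the header, or a comment above the call in src/indent.c stating that the save_com pointers must be read only after need_chars(), would keep a later cleanup from restoring the old order.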
diff -Nru indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch
indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch
--- indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch
1970-01-01 01:00:00.000000000 +0100
+++ indent-2.2.12/debian/patches/04-fix-a-heap-buffer-overwrite.patch
2023-08-28 11:04:00.000000000 +0200
@@ -0,0 +1,15 @@
+From: Petr Písař <ppi...@redhat.com>
+Subject: Fix a heap buffer overwrite in search_brace() (CVE-2023-40305)
+Bug-Debian: https://bugs.debian.org/1049366
+Forwarded: https://savannah.gnu.org/bugs/index.php?64503
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -228,6 +228,7 @@
+ * a `dump_line' call, thus ensuring that the brace
+ * will go into the right column. */
+
++ need_chars (&save_com, 2);
+ *save_com.end++ = EOL;
+ *save_com.end++ = '{';
+ save_com.len += 2;
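Review bot: The count in the added "need_chars (&save_com, 2);" has to stay in step with the two stores through save_com.end and the "save_com.len += 2;" that follow it, and nothing in the hunk ties the three together. A short comment on the added line (room for EOL and '{') would make that explicit for anyone who later adds a third character here. The header would also benefit from one sentence describing the failing input, since the only reproducer mentioned is the patch author's test cases, which are not part of this debdiff.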
diff -Nru indent-2.2.12/debian/patches/series
indent-2.2.12/debian/patches/series
--- indent-2.2.12/debian/patches/series 2023-07-14 12:00:00.000000000 +0200
+++ indent-2.2.12/debian/patches/series 2023-08-28 11:00:00.000000000 +0200
@@ -1,2 +1,4 @@
01-add-missing-shebang.patch
02-restore-round-up-macro-and-adjust-initial-buffer-size.patch
+03-fix-an-out-of-buffer-read.patch
+04-fix-a-heap-buffer-overwrite.patch