Bug#906042: stretch-pu: package libxcursor/1:1.1.14-1+deb9u2

2018-08-19 Thread Cyril Brulebois
Control: tag -1 - moreinfo

Hi Adam,

Adam D. Barratt  (2018-08-17):
> I managed to miss that the package produces a udeb, so this needs a
> KiBi-ack before acceptance; tagging and CCing accordingly.

No objections here, thanks for checking.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant




Bug#906042: stretch-pu: package libxcursor/1:1.1.14-1+deb9u2

2018-08-17 Thread Adam D. Barratt
Control: tags -1 + moreinfo d-i

Hi,

On Thu, 2018-08-16 at 20:06 +0100, Chris Lamb wrote:
> Dear Adam,
> 
> > > >  libxcursor (1:1.1.14-1+deb9u2) stretch; urgency=high
> > > >  
> > > >    * Fix a denial of service or potentially code execution via
> > > >  a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
> > > 
> > > Would it be possible to get a "yay/nay" on this s-p-u request?
> > 
> > Please go ahead.
> 
> Thanks; uploaded.

I managed to miss that the package produces a udeb, so this needs a
KiBi-ack before acceptance; tagging and CCing accordingly.

> > > I wouldn't normally press for a response but this is somewhat
> > > affecting what my next moves are for oldstable and oldoldstable. 
> > 
> > Isn't oldoldstable an ex-release now?
> 
> Not in ELTS:
> 
>   https://wiki.debian.org/LTS/Extended

Ah, I see.

> > FWIW, CCing both a p-u bug and debian-release is a little
> > redundant.
> 
> Mea culpa…  I wasn't sure and my apologies for any duplicates or
> implications that involved.

It looks like only the copy to the list showed up, so no real harm
done. It was a little confusing though. :-)

Regards,

Adam



Bug#906042: stretch-pu: package libxcursor/1:1.1.14-1+deb9u2

2018-08-16 Thread Chris Lamb
Dear Adam,

> > >  libxcursor (1:1.1.14-1+deb9u2) stretch; urgency=high
> > >  
> > >    * Fix a denial of service or potentially code execution via
> > >  a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
> > 
> > Would it be possible to get a "yay/nay" on this s-p-u request?
> 
> Please go ahead.

Thanks; uploaded.

> > I wouldn't normally press for a response but this is somewhat
> > affecting what my next moves are for oldstable and oldoldstable. 
> 
> Isn't oldoldstable an ex-release now?

Not in ELTS:

  https://wiki.debian.org/LTS/Extended

> FWIW, CCing both a p-u bug and debian-release is a little redundant.

Mea culpa…  I wasn't sure and my apologies for any duplicates or
implications that involved.

Thank you for your work on stable.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#906042: stretch-pu: package libxcursor/1:1.1.14-1+deb9u2

2018-08-16 Thread Adam D. Barratt
Control: tags -1 + confirmed

FWIW, CCing both a p-u bug and debian-release is a little redundant.

On Thu, 2018-08-16 at 09:44 +0100, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> >  libxcursor (1:1.1.14-1+deb9u2) stretch; urgency=high
> >  
> >    * Fix a denial of service or potentially code execution via
> >  a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
> 
> Would it be possible to get a "yay/nay" on this s-p-u request?

Please go ahead.

> I wouldn't normally press for a response but this is somewhat
> affecting what my next moves are for oldstable and oldoldstable. 

Isn't oldoldstable an ex-release now?

Regards,

Adam



Bug#906042: stretch-pu: package libxcursor/1:1.1.14-1+deb9u2

2018-08-16 Thread Chris Lamb
Chris Lamb wrote:

>   libxcursor (1:1.1.14-1+deb9u2) stretch; urgency=high
>   
>     * Fix a denial of service or potentially code execution via
>       a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)

Would it be possible to get a "yay/nay" on this s-p-u request?

I wouldn't normally press for a response but this is somewhat affecting
what my next moves are for oldstable and oldoldstable. 


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#906042: stretch-pu: package libxcursor/1:1.1.14-1+deb9u2

2018-08-13 Thread Chris Lamb
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

Please consider libxcursor (1:1.1.14-1+deb9u2) for stretch:
  
  libxcursor (1:1.1.14-1+deb9u2) stretch; urgency=high
  
* Fix a denial of service or potentially code execution via
  a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)


The full diff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/changelog b/debian/changelog
index a0673f8..ac26e16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libxcursor (1:1.1.14-1+deb9u2) stretch; urgency=high
+
+  * Fix a denial of service or potentially code execution via
+a one-byte heap overflow. (CVE-2015-9262) Closes: #906012)
+
+ -- Chris Lamb   Mon, 13 Aug 2018 09:09:13 +0200
+
 libxcursor (1:1.1.14-1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
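Review bot: the new changelog entry has an unbalanced parenthesis in "(CVE-2015-9262) Closes: #906012)"; the usual form is "(CVE-2015-9262) (Closes: #906012)" or "(CVE-2015-9262, Closes: #906012)", which also lets the BTS closer parse cleanly. While touching the entry, naming the affected function makes the record more useful to anyone auditing the stable branch later, e.g. "Fix a one-byte heap overflow in _XcursorThemeInherits (denial of service or potentially code execution)".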
diff --git a/debian/patches/CVE-2015-9262.patch 
b/debian/patches/CVE-2015-9262.patch
new file mode 100644
index 000..1191b93
--- /dev/null
+++ b/debian/patches/CVE-2015-9262.patch
@@ -0,0 +1,23 @@
+commit 897213f36baf6926daf6d192c709cf627aa5fd05
+Author: shubham shrivastav 
+Date:   Fri Jun 5 13:36:22 2015 -0700
+
+Insufficient memory for terminating null of string in _XcursorThemeInherits
+
+Fix does one byte of memory allocation for null termination of string.
+https://bugs.freedesktop.org/show_bug.cgi?id=90857
+
+Reviewed-by: Keith Packard 
+Signed-off-by: Alan Coopersmith 
+
+--- libxcursor-1.1.14.orig/src/library.c
 libxcursor-1.1.14/src/library.c
+@@ -180,7 +180,7 @@ _XcursorThemeInherits (const char *full)
+   if (*l != '=') continue;
+   l++;
+   while (*l == ' ') l++;
+-  result = malloc (strlen (l));
++  result = malloc (strlen (l) + 1);
+   if (result)
+   {
+   r = result;
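Review bot: the embedded patch's file header is malformed as shown: the line after "+--- libxcursor-1.1.14.orig/src/library.c" reads " libxcursor-1.1.14/src/library.c" without the "+++ " marker (and without the leading "+" that every other line of this new file carries), so a unified-diff parser would not pair the two headers. Confirm the committed debian/patches/CVE-2015-9262.patch actually contains "+++ libxcursor-1.1.14/src/library.c" and that "quilt push -a" applies it before upload. The change itself is right: the old "malloc (strlen (l))" leaves no room for the terminating NUL that the following copy loop writes, which is exactly the one-byte heap overflow; "strlen (l) + 1" sizes the buffer correctly. For DEP-3 completeness, consider adding "Origin: upstream, https://cgit.freedesktop.org/..." and "Bug-Debian: https://bugs.debian.org/906012" headers alongside the upstream commit id and freedesktop bug URL already present.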
diff --git a/debian/patches/series b/debian/patches/series
index b5ab2b3..6570382 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+CVE-2015-9262.patch
 Fix-heap-overflows-when-parsing-malicious-files.-CVE.patch
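Review bot: CVE-2015-9262.patch is inserted ahead of the existing Fix-heap-overflows-when-parsing-malicious-files.-CVE.patch, so quilt will now apply it first; appending a later fix at the end of series is the more common convention and avoids changing the context the existing patch was generated against. If the existing patch also modifies src/library.c, verify that both still apply without fuzz in this order (or move the new entry to the end).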