diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2018-09-10 08:55:40 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2018-09-10 09:06:04 +0000 |
| commit | 26869b6df1d9b3492a19b4c5879c6e154633680b (patch) | |
| tree | ebe1d81d8af2c192cbf66c274324f83803f9fe6f | |
| parent | Releasing debian version 1.5-5. (diff) | |
| download | zutils-26869b6df1d9b3492a19b4c5879c6e154633680b.tar.xz zutils-26869b6df1d9b3492a19b4c5879c6e154633680b.zip | |
Adding patch from upstream to fix a buffer overrun in zcat [CVE-2018-1000637] (Closes: #902936).
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rw-r--r-- | debian/patches/upstream/0001-zcat-buffer-overrun.patch | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/debian/patches/series b/debian/patches/series index a353e88..fdb9b2d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ debian/0001-build.patch debian/0002-zupdate.patch +upstream/0001-zcat-buffer-overrun.patch diff --git a/debian/patches/upstream/0001-zcat-buffer-overrun.patch b/debian/patches/upstream/0001-zcat-buffer-overrun.patch new file mode 100644 index 0000000..230987f --- /dev/null +++ b/debian/patches/upstream/0001-zcat-buffer-overrun.patch @@ -0,0 +1,18 @@ +Author: Antonio Diaz-Diaz <antonio@gnu.org> +Description: zcat.cc: Fixed a buffer overrun on outbuf when '-v' is used [CVE-2018-1000637] (Closes: #902936). + +diff -Naurp zutils.orig/zcat.cc zutils/zcat.cc +--- zutils.orig/zcat.cc ++++ zutils/zcat.cc +@@ -229,8 +229,9 @@ int cat( int infd, const int format_inde + enum { buffer_size = 4096 }; + // buffer with space for sentinel newline at the end + uint8_t * const inbuf = new uint8_t[buffer_size+1]; +- // buffer with space for character quoting and 255-digit line number +- uint8_t * const outbuf = new uint8_t[(4*buffer_size)+256]; ++ // buffer with space for character quoting, 255-digit line number and ++ // worst case flushing respect to inbuf. ++ uint8_t * const outbuf = new uint8_t[(5*buffer_size)+256]; + int retval = 0; + Children children; + if( !set_data_feeder( &infd, children, format_index ) ) retval = 1; |