Package: libeantic0
Version: 0.1.3+ds-3
Severity: normal
Tags: patch

The attached patch fixes a crash caused by a buffer overflow: a sprintf call in the code uses a fixed-size buffer without checking if the string will actually fit inside it.

I discovered it because an application I am writing crashed over it. The attached patch should fix the problem. I can NMU if you're ok with it.

Thanks, Giovanni.

--- System information. ---
Architecture:
Kernel: Linux 5.2.0-3-amd64

Debian Release: bullseye/sid
500 xenial updates.signal.org
500 unstable-debug debug.mirrors.debian.org
500 unstable deb.debian.org
500 testing deb.debian.org
500 stable repo.skype.com
500 stable dl.google.com
1 experimental deb.debian.org

--- Package information. ---
Depends                 (Version) | Installed
================================-+-==============
libc6                   (>= 2.4) |
libflint-2.5.2                   |
libflint-arb2      (>= 1:2.17.0) |
libgcc1               (>= 1:3.0) |
libgmp10                         |
libgomp1              (>= 4.2.1) |
libstdc++6            (>= 4.1.1) |

Package's Recommends field is empty.
Package's Suggests field is empty.

-- 
Giovanni Mascellani <g.mascell...@gmail.com>
Postdoc researcher - Université Libre de Bruxelles
diff -Nru e-antic-0.1.3+ds/debian/changelog e-antic-0.1.3+ds/debian/changelog --- e-antic-0.1.3+ds/debian/changelog 2019-09-27 18:18:49.000000000 +0200 +++ e-antic-0.1.3+ds/debian/changelog 2019-10-30 12:37:40.000000000 +0100 @@ -1,3 +1,10 @@ +e-antic (0.1.3+ds-3.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Add patch to fix buffer overflow on sprintf call. + + -- Giovanni Mascellani <g...@debian.org> Wed, 30 Oct 2019 12:37:40 +0100 + e-antic (0.1.3+ds-3) unstable; urgency=medium * FTBFS fix release (Closes: #941259), see below. diff -Nru e-antic-0.1.3+ds/debian/patches/fix_sprintf_buffer_overflow.patch e-antic-0.1.3+ds/debian/patches/fix_sprintf_buffer_overflow.patch --- e-antic-0.1.3+ds/debian/patches/fix_sprintf_buffer_overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ e-antic-0.1.3+ds/debian/patches/fix_sprintf_buffer_overflow.patch 2019-10-30 12:37:35.000000000 +0100 
@@ -0,0 +1,24 @@ +From: Giovanni Mascellani <g...@debian.org> +Subject: Fix buffer overflow caused by sprintf + +sprintf() is called on a fixed-size buffer, overflowing it +on some inputs and triggering undefined behaviour. This patch +ensure that the buffer is sufficiently large. + +Index: e-antic-0.1.3+ds/renf_elem/get_str_pretty.c +=================================================================== +--- e-antic-0.1.3+ds.orig/renf_elem/get_str_pretty.c ++++ e-antic-0.1.3+ds/renf_elem/get_str_pretty.c +@@ -42,8 +42,10 @@ char * renf_elem_get_str_pretty(renf_ele + if (flag & EANTIC_STR_D) + { + // output of get_d +- s = flint_malloc(20 * sizeof(char)); +- sprintf(s, "%lf", renf_elem_get_d(a, nf, ARF_RND_NEAR)); ++ double d = renf_elem_get_d(a, nf, ARF_RND_NEAR); ++ int len = snprintf(NULL, 0, "%lf", d); ++ s = flint_malloc((len+1) * sizeof(char)); ++ snprintf(s, len+1, "%lf", d); + t = flint_realloc(t, strlen(t) + strlen(s) + 1); + strcat(t, s); + flint_free(s); diff -Nru e-antic-0.1.3+ds/debian/patches/series e-antic-0.1.3+ds/debian/patches/series --- e-antic-0.1.3+ds/debian/patches/series 2019-06-20 19:24:48.000000000 +0200 +++ e-antic-0.1.3+ds/debian/patches/series 2019-10-30 12:33:26.000000000 +0100 @@ -1,3 +1,4 @@ upstream-libtool-versioning.patch upstream-libtool-version_script.patch debianization.patch +fix_sprintf_buffer_overflow.patch
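Review bot: the debian/changelog entry "Add patch to fix buffer overflow on sprintf call." does not close the bug report it accompanies; an NMU changelog entry should carry a `(Closes: #<this report's bug number>)` reference so the BTS is updated automatically when the upload is accepted, and the 0.1.3+ds-3.1 version should move from UNRELEASED to unstable at upload time.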
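Review bot: in the get_str_pretty.c hunk the result of the length probe `int len = snprintf(NULL, 0, "%lf", d);` is used unchecked; snprintf returns a negative value on an encoding error, which would turn `s = flint_malloc((len+1) * sizeof(char));` into a zero-byte allocation followed by a second snprintf with size 0. That cannot realistically happen for "%lf" on a double, but a `if (len < 0)` guard routed through flint's error path would make the fix self-contained. The probe itself is the right approach: "%lf" prints every integer digit, so a value such as 1e300 needs more than 300 bytes, which the old 20-byte buffer could never hold regardless of the input. Two smaller points: the patch description reads "This patch ensure that the buffer is sufficiently large" (should be "ensures"), and the DEP-3 header has no `Forwarded:` or `Bug-Debian:` field; since the overflow is in upstream code, recording whether the fix was sent upstream would help the next uploader.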
signature.asc
Description: OpenPGP digital signature
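The pattern the report describes, shown as an added example that is not the reporter's or e-antic's own code: a length check that would have revealed the overflow before any write, beside the two-pass snprintf idiom the fix uses. The names formatted_len, fits_old_buffer, format_double_alloc and formats_as are mine, and plain malloc stands in for flint_malloc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define OLD_BUF_SIZE 20  /* fixed buffer size in the original get_str_pretty.c */

/* Bytes "%lf" needs for d (excluding the NUL), or -1 on encoding error. */
int formatted_len(double d)
{
    int len = snprintf(NULL, 0, "%lf", d);
    return len < 0 ? -1 : len;
}

/* The check the original skipped: would "%lf" of d plus its NUL fit in the
 * old 20-byte buffer?  Nothing is written, so it is safe on any input. */
int fits_old_buffer(double d)
{
    int len = formatted_len(d);
    return len >= 0 && len + 1 <= OLD_BUF_SIZE;
}

/* Hardened form: the fix's two-pass idiom (probe, allocate len+1, format),
 * using plain malloc instead of flint_malloc.  Caller frees; NULL on failure. */
char *format_double_alloc(double d)
{
    int len = formatted_len(d);
    if (len < 0)
        return NULL;
    size_t size = (size_t)len + 1;
    char *s = malloc(size);
    if (s == NULL)
        return NULL;
    snprintf(s, size, "%lf", d);  /* cannot truncate: size came from the probe */
    return s;
}

/* Does d format exactly to expected?  (Frees the temporary string.) */
int formats_as(double d, const char *expected)
{
    char *s = format_double_alloc(d);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    double d = 1e300;  /* constructed sample: "%lf" expands past 300 digits */
    printf("needs %d bytes, fits old buffer: %d\n", formatted_len(d) + 1, fits_old_buffer(d));
}
```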