Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.) [ Reason ] There is bug in processing unicode process names in iotop-c 1.17 that leads to out of bounds access and crash. Because the access is of a static array with negative index, it is highly unlikely that to cause a security problem, it only affects user experience. Architectures where char is unsigned are not affected. The test case to reproduce is the same as in https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523 [ Impact ] The program will crash when there are processes with name that contain bytes between 128 and 255. [ Tests ] Manual tests confirm the bug and also confirm that the proposed fix is a proper one. [ Risks ] The proposed fixes are trivial and risk level should be low. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] This update includes backported fixed from version 1.18 (already in unstable). There are 4 patches, two of which are related, and the other two are independent.
diff -Nru iotop-c-1.17/debian/changelog iotop-c-1.17/debian/changelog --- iotop-c-1.17/debian/changelog 2021-02-06 03:02:03.000000000 +0200 +++ iotop-c-1.17/debian/changelog 2021-09-06 04:54:40.000000000 +0300 @@ -1,3 +1,12 @@ +iotop-c (1.17-1+deb11u1) bullseye; urgency=medium + + * Backport bugfixes from 1.18 + - fix OOB access caused by UTF8 process names + - fix screen flicker during refresh with visible help + - allow ESC to close the help window + + -- Boian Bonev <bbo...@ipacct.com> Mon, 06 Sep 2021 01:54:40 +0000 + iotop-c (1.17-1) unstable; urgency=medium * Update to new upstream release of 1.17 diff -Nru iotop-c-1.17/debian/patches/document-esc-key.patch iotop-c-1.17/debian/patches/document-esc-key.patch --- iotop-c-1.17/debian/patches/document-esc-key.patch 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/document-esc-key.patch 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1,20 @@ +Description: Document that ESC key closing the help window + Users were expecting that pressing ESC should close the help window + +--- +Origin: upstream, https://github.com/Tomas-M/iotop/commit/383443d650bb29bfb7187cae98e21faa40cbf977 +Forwarded: not-needed +Last-Update: 2021-09-06 + +--- iotop-c-1.17.orig/iotop.8 ++++ iotop-c-1.17/iotop.8 +@@ -196,6 +196,9 @@ Sort by next column + \fB<left>\fR + Sort by previous column + .TP ++\fB<esc>\fR ++Cancel ionice or filter selection. In case only the help window is open then close it ++.TP + \fBo\fR, \fBO\fR + Toggle showing only processes with IO activity + .TP diff -Nru iotop-c-1.17/debian/patches/esc-closes-help.patch iotop-c-1.17/debian/patches/esc-closes-help.patch --- iotop-c-1.17/debian/patches/esc-closes-help.patch 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/esc-closes-help.patch 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1,20 @@ +Description: Let ESC close the help + It was suggested by users that it is desired for ESC to close the help + window. +--- +Origin: upstream, https://github.com/Tomas-M/iotop/commit/8ea414c53ca3b5986191d06a8f99f96282975e02 https://github.com/Tomas-M/iotop/commit/0d48498cc593d3b72d56fb5a5519b2b8612fbc31 +Forwarded: not-needed +Last-Update: 2021-09-06 + +--- iotop-c-1.17.orig/src/view_curses.c ++++ iotop-c-1.17/src/view_curses.c +@@ -1092,6 +1092,9 @@ static inline int curses_key(int ch) { + config.f.deadx=!config.f.deadx; + break; + case 27: // ESC ++ if (showhelp&&!in_ionice&&!in_filter) ++ showhelp=0; ++ // unlike help window these cannot happen at the same time + if (in_ionice) + in_ionice=0; + if (in_filter) diff -Nru iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch --- iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1,21 @@ +Description: Fix OOB access on some UTF input + On architectures with signed char type and input that is >=128 there is + an out-of-bounds access causing SIGSEGV. It is most probably not exploitable + but degrades user experience. +--- +Origin: upstream, https://github.com/Tomas-M/iotop/commit/8aaa4fce743cf14a5a727c6cb24c63450d317a28 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523 +Forwarded: not-needed +Last-Update: 2021-09-06 + +--- iotop-c-1.17.orig/src/utils.c ++++ iotop-c-1.17/src/utils.c +@@ -171,7 +171,7 @@ inline const char *esc_low_ascii1(char c + static char ehex[0x20][6]; + static int initialized=0; + +- if (c>=0x20) // no escaping needed ++ if (c<0||c>=0x20) // no escaping needed + return NULL; + if (!initialized) { + int i; diff -Nru iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch --- iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/fix-flicker-with-help-shown.patch 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1,29 @@ +Description: Fix flicker with help shown + Change the refresh sequence to avoid flicker +--- +Origin: upstream, https://github.com/Tomas-M/iotop/commit/1b36b51c72088f9e346dc5dc473653487d97cfed +Forwarded: not-needed +Last-Update: 2021-09-06 + +--- iotop-c-1.17.orig/src/view_curses.c ++++ iotop-c-1.17/src/view_curses.c +@@ -841,7 +841,7 @@ donedraw: + move(promptx,prompty); + curs_set(show); + draw_vscroll(maxx-1,head1row?2:3,maxy-1,dispcount,saveskip); +- refresh(); ++ wnoutrefresh(stdscr); + if (showhelp) { + int rhh,rhw; + +@@ -874,8 +874,9 @@ donedraw: + wresize(whelp,rhh,rhw); + mvwin(whelp,hy,hx); + view_help(); +- wrefresh(whelp); ++ wnoutrefresh(whelp); + } ++ doupdate(); + } + + static inline int curses_key(int ch) { diff -Nru iotop-c-1.17/debian/patches/series iotop-c-1.17/debian/patches/series --- iotop-c-1.17/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/series 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1,4 @@ +document-esc-key.patch +fix-OOB-on-utf.patch +fix-flicker-with-help-shown.patch +esc-closes-help.patch
