On Tue, 2021-09-07 at 20:14 +0100, Jonathan Wiltshire wrote:
> On Tue, Sep 07, 2021 at 08:38:58PM +0300, Boian Bonev wrote:
>
> This is a behaviour change or enhancement, it is generally not OK in a
> stable update unless you can convince us it has a really good case e.g. the
> only way to fix a security issue.

I see no point in doing that - those two fixes were improving user experience, i.e. enhancements. Thanks for your advice.

> While you are doing that please also ensure the changelog refers to
> appropriate bugs in the BTS so that the changes are easily traced
> back.

Cannot do that - there was no bug filed for the problem initially; I have discovered it by browsing test cases that cause problems for a similar package and using them as test cases for this one. Somehow I do not see a point in filing a bug myself, assigning it to myself and closing it immediately afterwards. If required, I will do so.

PFA the updated debdiff.

Thanks,
diff -Nru iotop-c-1.17/debian/changelog iotop-c-1.17/debian/changelog --- iotop-c-1.17/debian/changelog 2021-02-06 03:02:03.000000000 +0200 +++ iotop-c-1.17/debian/changelog 2021-09-06 04:54:40.000000000 +0300 @@ -1,3 +1,10 @@ +iotop-c (1.17-1+deb11u1) bullseye; urgency=medium + + * Backport bugfix from 1.18 + - fix OOB access caused by UTF8 process names + + -- Boian Bonev <bbo...@ipacct.com> Mon, 06 Sep 2021 01:54:40 +0000 + iotop-c (1.17-1) unstable; urgency=medium * Update to new upstream release of 1.17 diff -Nru iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch --- iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/fix-OOB-on-utf.patch 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1,20 @@ +Description: Fix OOB access on some UTF input + On architectures with signed char type and input that is >=128 there is + an out-of-bounds access causing SIGSEGV. It is most probably not exploitable + but degrades user experience. +--- +Origin: upstream, https://github.com/Tomas-M/iotop/commit/8aaa4fce743cf14a5a727c6cb24c63450d317a28 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/iotop/+bug/1932523 +Last-Update: 2021-09-06 + +--- iotop-c-1.17.orig/src/utils.c ++++ iotop-c-1.17/src/utils.c +@@ -171,7 +171,7 @@ inline const char *esc_low_ascii1(char c + static char ehex[0x20][6]; + static int initialized=0; + +- if (c>=0x20) // no escaping needed ++ if (c<0||c>=0x20) // no escaping needed + return NULL; + if (!initialized) { + int i; diff -Nru iotop-c-1.17/debian/patches/series iotop-c-1.17/debian/patches/series --- iotop-c-1.17/debian/patches/series 1970-01-01 02:00:00.000000000 +0200 +++ iotop-c-1.17/debian/patches/series 2021-09-06 04:54:40.000000000 +0300 @@ -0,0 +1 @@ +fix-OOB-on-utf.patch
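Review bot: the debian/changelog hunk does not reference any bug in the Debian BTS, which is exactly what the request quoted above asks for; once a bug is filed, append `(Closes: #NNNNNN)` (placeholder, no Debian bug number appears in this mail) to the `- fix OOB access caused by UTF8 process names` line. It would also help traceability to name the upstream commit `8aaa4fce743cf14a5a727c6cb24c63450d317a28` in the entry, since at the moment that origin is only visible inside the patch header.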
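Review bot: in the fix-OOB-on-utf.patch hunk, the new condition `if (c<0||c>=0x20)` closes the out-of-bounds read for targets where `char` is signed (a byte >= 0x80 becomes a negative index into the 0x20-entry `ehex` table), but on targets where `char` is unsigned the `c<0` test is dead code and compilers will flag it as always false (`-Wtype-limits`); a target-independent form is `if ((unsigned char)c>=0x20)`, which expresses the intended range check directly. On the DEP-3 header: there is no `Bug-Debian:` field (same point as the changelog), and the `Bug-Ubuntu:` URL refers to the `iotop` source package rather than `iotop-c`, so it is worth confirming that report is the intended one before it lands in stable.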