Control: tags -1 confirmed On 2025-05-19 17:13:16 +0800, Yangfl wrote: > Package: release.debian.org > Severity: normal > X-Debbugs-Cc: fi...@packages.debian.org > Control: affects -1 + src:finit > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package finit > > This fixes CVE-2025-32022 (#1104932).
Please go ahead Cheers > > I also took the opportunity to catch up with the latest upstream version. > > The diff is fairly small, so I can manually verify that hopefully no > breakage will be introduced. > > unblock finit/4.12-1 > diff --git a/ChangeLog.md b/ChangeLog.md > index 031c3359..9b014b99 100644 > --- a/ChangeLog.md > +++ b/ChangeLog.md > @@ -3,6 +3,19 @@ Change Log > > All relevant changes are documented in this file. > > + > +[4.12][] - 2025-04-28 > +--------------------- > + > +### Changes > + - Improve notify:s6 readiness compatibility, by Aaron Andersen > + - Update `runparts` usage text > + > +### Fixes > + - Fix variable overloading in urandom plugin > + - Fix buffer overwrite in urandom plugin, reported by Aaron Andersen > + > + > [4.11][] - 2025-03-27 > --------------------- > > @@ -1785,6 +1798,7 @@ Major bug fix release. > * Initial release > > [UNRELEASED]: https://github.com/troglobit/finit/compare/4.11...HEAD > +[4.12]: https://github.com/troglobit/finit/compare/4.11...4.12 > [4.11]: https://github.com/troglobit/finit/compare/4.10...4.11 > [4.10]: https://github.com/troglobit/finit/compare/4.9...4.10 > [4.9]: https://github.com/troglobit/finit/compare/4.8...4.9 > diff --git a/README.md b/README.md > index 9767e5f8..9b91207d 100644 > --- a/README.md > +++ b/README.md > @@ -251,7 +251,7 @@ All services in runlevel S) are started first, followed > by the desired > run-time runlevel. Run tasks in runlevel S can be started in sequence > by using `run [S] cmd`. Changing runlevels at runtime is done like any > other init, e.g. <kbd>init 4</kbd>, but also using the more advanced > -`intictl` tool. > +[`initctl`](#commands--status) tool. > > > **Conditions** > diff --git a/configure b/configure > index e2791a20..36467f2f 100755 > --- a/configure > +++ b/configure 
> @@ -1,6 +1,6 @@
> #! /bin/sh
> # Guess values for system-dependent variables and create Makefiles.
> -# Generated by GNU Autoconf 2.71 for Finit 4.11.
> +# Generated by GNU Autoconf 2.71 for Finit 4.12.
> #
> # Report bugs to <https://github.com/troglobit/finit/issues>.
> #
> @@ -621,8 +621,8 @@ MAKEFLAGS=
> # Identity of this package.
> PACKAGE_NAME='Finit'
> PACKAGE_TARNAME='finit'
> -PACKAGE_VERSION='4.11'
> -PACKAGE_STRING='Finit 4.11'
> +PACKAGE_VERSION='4.12'
> +PACKAGE_STRING='Finit 4.12'
> PACKAGE_BUGREPORT='https://github.com/troglobit/finit/issues'
> PACKAGE_URL='https://troglobit.com/projects/finit/'
>
> @@ -1464,7 +1464,7 @@ if test "$ac_init_help" = "long"; then
> # Omit some internal or obsolete options to make the list less imposing.
> # This message is too long to be a string in the A/UX 3.1 sh.
> cat <<_ACEOF
> -\`configure' configures Finit 4.11 to adapt to many kinds of systems.
> +\`configure' configures Finit 4.12 to adapt to many kinds of systems.
>
> Usage: $0 [OPTION]... [VAR=VALUE]...
>
> @@ -1535,7 +1535,7 @@ fi
>
> if test -n "$ac_init_help"; then
> case $ac_init_help in
> - short | recursive ) echo "Configuration of Finit 4.11:";;
> + short | recursive ) echo "Configuration of Finit 4.12:";;
> esac
> cat <<\_ACEOF
>
> @@ -1731,7 +1731,7 @@ fi
> test -n "$ac_init_help" && exit $ac_status
> if $ac_init_version; then
> cat <<\_ACEOF
> -Finit configure 4.11
> +Finit configure 4.12
> generated by GNU Autoconf 2.71
>
> Copyright (C) 2021 Free Software Foundation, Inc.
> @@ -2006,7 +2006,7 @@ cat >config.log <<_ACEOF
> This file contains any messages produced by compilers while
> running configure, to aid debugging if configure makes a mistake.
>
> -It was created by Finit $as_me 4.11, which was
> +It was created by Finit $as_me 4.12, which was
> generated by GNU Autoconf 2.71. Invocation command line was
>
> $ $0$ac_configure_args_raw
> @@ -3276,7 +3276,7 @@ fi > > # Define the identity of the package. > PACKAGE='finit' > - VERSION='4.11' > + VERSION='4.12' > > > printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h > @@ -16299,7 +16299,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 > # report actual input values of CONFIG_FILES etc. instead of their > # values after options handling. > ac_log=" > -This file was extended by Finit $as_me 4.11, which was > +This file was extended by Finit $as_me 4.12, which was > generated by GNU Autoconf 2.71. Invocation command line was > > CONFIG_FILES = $CONFIG_FILES > @@ -16368,7 +16368,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | > sed "s/^ //; s/'/'\\\\\\\\ > cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 > ac_cs_config='$ac_cs_config_escaped' > ac_cs_version="\\ > -Finit config.status 4.11 > +Finit config.status 4.12 > configured by $0, generated by GNU Autoconf 2.71, > with options \\"\$ac_cs_config\\" > > diff --git a/configure.ac b/configure.ac > index 5ffcce4a..b5e9bbe2 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -1,4 +1,4 @@ > -AC_INIT([Finit], [4.11], [https://github.com/troglobit/finit/issues], > +AC_INIT([Finit], [4.12], [https://github.com/troglobit/finit/issues], > [finit], [https://troglobit.com/projects/finit/]) > AC_CONFIG_AUX_DIR(aux) > AM_INIT_AUTOMAKE([1.11 foreign dist-xz subdir-objects]) > diff --git a/debian/changelog b/debian/changelog > index 15e257ea..bd4e2ddc 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +finit (4.12-1) unstable; urgency=medium > + > + * New upstream release > + * Fix CVE-2025-32022 (Closes: #1104932) > + > + -- Yangfl <mmyan...@gmail.com> Fri, 09 May 2025 23:26:56 +0800 > + > finit (4.11-1) unstable; urgency=medium > > * New upstream release > diff --git a/plugins/urandom.c b/plugins/urandom.c > index d2a54983..2de5f820 100644 > --- a/plugins/urandom.c > +++ b/plugins/urandom.c 
> @@ -78,6 +78,7 @@ static void setup(void *arg) > { > #ifdef RANDOMSEED > struct rand_pool_info *rpi; > + unsigned char *rpi_buf; > ssize_t len = 0; > struct stat st; > int rc = -1; > @@ -103,13 +104,14 @@ static void setup(void *arg) > hw = fopen(hwrng, "r"); > if (hw) { > char buf[512]; > - size_t len; > + size_t num; > > - len = fread(buf, sizeof(buf[0]), sizeof(buf), > hw); > - if (len == 0) > + num = fread(buf, sizeof(buf[0]), sizeof(buf), > hw); > + if (num == 0) > fallback(fp); > else > - len = fwrite(buf, sizeof(buf[0]), len, > fp); > + fwrite(buf, sizeof(buf[0]), num, fp); > + > fclose(hw); > } else { > fallback(fp); > @@ -137,10 +139,11 @@ static void setup(void *arg) > goto fallback; > } > > + rpi_buf = (unsigned char *)rpi->buf; > do { > ssize_t num; > > - num = read(fd, &rpi->buf[len], RANDOM_BYTES - len); > + num = read(fd, &rpi_buf[len], RANDOM_BYTES - len); > if (num <= 0) { > if (num == -1 && errno == EINTR) > continue; > diff --git a/src/cond.c b/src/cond.c > index 2b8badea..3d1b06c1 100644 > --- a/src/cond.c > +++ b/src/cond.c > @@ -96,16 +96,16 @@ enum cond_state cond_get(const char *name) > > enum cond_state cond_get_agg(const char *names) > { > - static char conds[MAX_COND_LEN]; > enum cond_state s = COND_ON; > - char *cond; > > - if (!names) > - return COND_ON; > + if (names) { > + char conds[strlen(names) + 1]; > + const char *cond; > > - strlcpy(conds, names, sizeof(conds)); > - for (cond = strtok(conds, ","); s && cond; cond = strtok(NULL, ",")) > - s = min(s, cond_get(cond)); > + strlcpy(conds, names, sizeof(conds)); > + for (cond = strtok(conds, ","); s && cond; cond = strtok(NULL, > ",")) > + s = min(s, cond_get(cond)); > + } > > return s; > } > diff --git a/src/runparts.c b/src/runparts.c > index c4225ceb..51984b94 100644 > --- a/src/runparts.c > +++ b/src/runparts.c 
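Review bot: The rewritten hwrng branch now drops the result of `fwrite(buf, sizeof(buf[0]), num, fp);` entirely, so a short write of the seed to `fp` goes unnoticed while the `fread` side does get checked. The old code was no better (it stored the count in a dead variable), but since this hunk is already touching the line, checking it is cheap: `if (fwrite(buf, sizeof(buf[0]), num, fp) != num) warn("Short write of hwrng seed");`. setup() starts and ends outside this hunk, so where `fp` is opened and closed is not visible here.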
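Review bot: The new `rpi_buf = (unsigned char *)rpi->buf;` line is the actual CVE-2025-32022 fix but carries no comment, and the ChangeLog entry only says "buffer overwrite", so the next reader will not see why the cast matters. `rpi->buf` in the kernel's `struct rand_pool_info` is a `__u32` array, so the old `&rpi->buf[len]` advanced four bytes for every byte counted in `len` and the read landed past the pool allocation; the byte pointer makes the index and `RANDOM_BYTES - len` agree. Suggest a comment on the new line: `/* rpi->buf is __u32[]; index by bytes, not words, or the read runs past the pool */`. The loop's exit condition and the bound on `len` are outside this hunk.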
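Review bot: `char conds[strlen(names) + 1];` replaces a buffer that was bounded at MAX_COND_LEN with a stack VLA whose size is whatever the caller passes, so a pathologically long condition list in a service stanza becomes a stack-exhaustion risk instead of a silent truncation (and VLAs are optional in C11). The per-call copy is a good change because it removes the shared static buffer, but it should keep a bound: `size_t n = strlen(names); char conds[(n < MAX_COND_LEN ? n : MAX_COND_LEN - 1) + 1];`, or use a heap copy freed after the loop. Note that strtok() keeps its own static state, so cond_get_agg() is reentrant only if cond_get() never tokenises — worth a one-line comment either way.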
> @@ -193,7 +193,7 @@ int run_parts(char *dir, char *cmd, const char *env[], > int progress, int sysv) > #ifndef __FINIT__ > static int usage(int rc) > { > - warnx("usage: runparts [-dhps?] DIRECTORY"); > + warnx("usage: runparts [-bdhps?] DIRECTORY"); > return rc; > } > > diff --git a/src/service.c b/src/service.c > index ae997e7b..023b9bc1 100644 > --- a/src/service.c > +++ b/src/service.c > @@ -2912,7 +2912,7 @@ void service_notify_cb(uev_t *w, void *arg, int events) > } > > len = read(w->fd, buf, sizeof(buf) - 1); > - if (len == -1) { > + if (len <= 0) { > warn("Failed reading notification from %s", svc_ident(svc, > NULL, 0)); > return; > } > @@ -2920,7 +2920,7 @@ void service_notify_cb(uev_t *w, void *arg, int events) > buf[len] = 0; > > /* systemd and s6, respectively. The latter then closes the socket */ > - if (!strcmp(buf, "READY=1\n") || !strcmp(buf, "\n")) { > + if (!strcmp(buf, "READY=1\n") || buf[len - 1] == '\n') { > /* > * native (pidfile) services are marked as started by > * the pidfile plugin. -- Sebastian Ramacher
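Review bot: Widening `len == -1` to `len <= 0` sends EOF (`len == 0`) through the "Failed reading notification" warning, yet the comment a few lines down says s6 closes the socket once it has signalled readiness, so the normal s6 close may now be logged as a read failure for every such service. Keep the warning for the error case only and return quietly on EOF: `if (len == 0) return;` before `if (len == -1) {`. Whether the watcher is stopped after the peer closes is decided outside this hunk, so treat this as something to confirm.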
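Review bot: `buf[len - 1] == '\n'` accepts any newline-terminated datagram as readiness, not just the bare s6 newline, so a systemd-style `STATUS=...\n` or `MAINPID=...\n` message on the same socket would also mark the service started, while the comment above still reads "systemd and s6, respectively". If the looser match is deliberate (s6 daemons that write a line rather than a lone newline), update the comment to say so; otherwise, and if `svc` records which notify protocol was configured, gate the newline test on the s6 case so systemd clients keep the exact `READY=1\n` match. `len - 1` itself is safe only because the earlier hunk in this file rejects `len <= 0`.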