Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: h...@packages.debian.org
Control: affects -1 + src:htop
Please unblock package htop
I have backported a fix for a segfault happening in parsing the
command line of processes from upstream commit
https://github.com/htop-dev/htop/commit/d2617e25081a1573081f165c9baae28f87970639
[ Reason ]
User triggerable segfault
[ Impact ]
htop can segfault when parameters of viewed process lines start with a blank
[ Tests ]
none
[ Risks ]
none, very small targeted fix
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock htop/3.4.1-5
# debdiff htop_3.4.1-4.dsc htop_3.4.1-5.dsc
diff -Nru htop-3.4.1/debian/changelog htop-3.4.1/debian/changelog
--- htop-3.4.1/debian/changelog 2025-04-25 22:56:00.000000000 +0200
+++ htop-3.4.1/debian/changelog 2025-07-11 10:48:00.000000000 +0200
@@ -1,3 +1,9 @@
+htop (3.4.1-5) unstable; urgency=medium
+
+ * Fix stack buffer overflow in CommandScreen
+
+ -- Daniel Lange <dla...@debian.org> Fri, 11 Jul 2025 10:48:00 +0200
+
htop (3.4.1-4) unstable; urgency=medium
* Fix temperature reading on older Intel CPUs
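Review bot: the new changelog entry at the top of this hunk reads only "Fix stack buffer overflow in CommandScreen" and names neither the patch file nor where the fix comes from. Since the checklist states that all changes are documented in d/changelog, consider naming debian/patches/003-fix-stack-buffer-overflow.patch and the upstream commit or issue (the patch header cites "Fixes: #1737"), so the entry can be traced without opening the debdiff.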
diff -Nru htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch
htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch
--- htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch
1970-01-01 01:00:00.000000000 +0100
+++ htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch
2025-07-11 10:46:04.000000000 +0200
@@ -0,0 +1,36 @@
+From d2617e25081a1573081f165c9baae28f87970639 Mon Sep 17 00:00:00 2001
+From: Benny Baumann <be...@geshi.org>
+Date: Fri, 11 Jul 2025 01:13:13 +0200
+Subject: [PATCH] Avoid stack buffer overflow in CommandScreen
+
+This can be triggered by leading whitespace in the arguments of a process.
+
+Fixes: #1737
+
+Co-authored-by: Enzo Saracen <enzosara...@gmail.com>
+---
+ CommandScreen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CommandScreen.c b/CommandScreen.c
+index 465e4c2f1..1a3bf80d3 100644
+--- a/CommandScreen.c
++++ b/CommandScreen.c
+@@ -26,7 +26,7 @@ static void CommandScreen_scan(InfoScreen* this) {
+
+ const char* p = Process_getCommand(this->process);
+ char line[COLS + 1];
+- int line_offset = 0, last_spc = -1, len;
++ int line_offset = 0, last_spc = -1;
+ for (; *p != '\0'; p++, line_offset++) {
+ assert(line_offset >= 0 && (size_t)line_offset < sizeof(line));
+ line[line_offset] = *p;
+@@ -35,7 +35,7 @@ static void CommandScreen_scan(InfoScreen* this) {
+ }
+
+ if (line_offset == COLS) {
+- len = (last_spc == -1) ? line_offset : last_spc;
++ int len = last_spc <= 0 ? line_offset : last_spc;
+ line[len] = '\0';
+ InfoScreen_addLine(this, line);
+
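Review bot: the changed ternary `int len = last_spc <= 0 ? line_offset : last_spc;` in the second CommandScreen.c hunk has no comment explaining why a space at offset 0 is now treated the same as "no space seen". With the old `last_spc == -1` test, a space in the first column gave len = 0, so `line[len] = '\0'` emitted an empty line. A one-line comment stating that index 0 is not a usable wrap point would keep a later cleanup from reverting the condition to the `-1` check. Separately, the only bounds check visible in the loop is the `assert(...)` on `line_offset`, which does nothing in builds that disable assertions, and the request lists no tests. A regression case with a command line whose arguments begin with whitespace and run past COLS would be worth adding upstream.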
diff -Nru htop-3.4.1/debian/patches/series htop-3.4.1/debian/patches/series
--- htop-3.4.1/debian/patches/series 2025-04-25 22:55:18.000000000 +0200
+++ htop-3.4.1/debian/patches/series 2025-07-11 10:47:16.000000000 +0200
@@ -1,2 +1,3 @@
001-fix-follow-scroll.patch
002-fix-temp-reading-on-older-Intel-CPUs.patch
+003-fix-stack-buffer-overflow.patch