Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: h...@packages.debian.org
Control: affects -1 + src:htop

Please unblock package htop

I have backported a fix for a segfault happening when parsing the command line of processes, from upstream commit https://github.com/htop-dev/htop/commit/d2617e25081a1573081f165c9baae28f87970639 .

[ Reason ]
User triggerable segfault

[ Impact ]
htop can segfault when parameters of viewed process lines start with a blank

[ Tests ]
none

[ Risks ]
none, very small targeted fix

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock htop/3.4.1-5

# debdiff htop_3.4.1-4.dsc htop_3.4.1-5.dsc
diff -Nru htop-3.4.1/debian/changelog htop-3.4.1/debian/changelog
--- htop-3.4.1/debian/changelog 2025-04-25 22:56:00.000000000 +0200
+++ htop-3.4.1/debian/changelog 2025-07-11 10:48:00.000000000 +0200
@@ -1,3 +1,9 @@
+htop (3.4.1-5) unstable; urgency=medium
+
+  * Fix stack buffer overflow in CommandScreen
+
+ -- Daniel Lange <dla...@debian.org>  Fri, 11 Jul 2025 10:48:00 +0200
+
 htop (3.4.1-4) unstable; urgency=medium

   * Fix temperature reading on older Intel CPUs
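
Review bot: The new changelog entry at the top of this hunk names the fix but not where it comes from. Consider naming the patch file and its origin in the entry, for example "Fix stack buffer overflow in CommandScreen (003-fix-stack-buffer-overflow.patch, upstream commit d2617e25081a1573081f165c9baae28f87970639, upstream issue #1737)", so the upload can be traced to the upstream fix without opening debian/patches.
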
diff -Nru htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch --- htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ htop-3.4.1/debian/patches/003-fix-stack-buffer-overflow.patch 2025-07-11 10:46:04.000000000 +0200
@@ -0,0 +1,36 @@
+From d2617e25081a1573081f165c9baae28f87970639 Mon Sep 17 00:00:00 2001
+From: Benny Baumann <be...@geshi.org>
+Date: Fri, 11 Jul 2025 01:13:13 +0200
+Subject: [PATCH] Avoid stack buffer overflow in CommandScreen
+
+This can be triggered by leading whitespace in the arguments of a process.
+
+Fixes: #1737
+
+Co-authored-by: Enzo Saracen <enzosara...@gmail.com>
+---
+ CommandScreen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CommandScreen.c b/CommandScreen.c
+index 465e4c2f1..1a3bf80d3 100644
+--- a/CommandScreen.c
++++ b/CommandScreen.c
+@@ -26,7 +26,7 @@ static void CommandScreen_scan(InfoScreen* this) {
+
+    const char* p = Process_getCommand(this->process);
+    char line[COLS + 1];
+-   int line_offset = 0, last_spc = -1, len;
++   int line_offset = 0, last_spc = -1;
+    for (; *p != '\0'; p++, line_offset++) {
+       assert(line_offset >= 0 && (size_t)line_offset < sizeof(line));
+       line[line_offset] = *p;
+@@ -35,7 +35,7 @@ static void CommandScreen_scan(InfoScreen* this) {
+       }
+
+       if (line_offset == COLS) {
+-         len = (last_spc == -1) ? line_offset : last_spc;
++         int len = last_spc <= 0 ? line_offset : last_spc;
+          line[len] = '\0';
+          InfoScreen_addLine(this, line);
+
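
Review bot: In the second CommandScreen.c hunk, the switch from (last_spc == -1) to last_spc <= 0 makes len equal to line_offset when the only space seen sits at offset 0, but the code after InfoScreen_addLine(this, line); lies outside the context shown, so the diff alone does not show how len and last_spc are used when the rest of the line is carried over. Please confirm against the full function that a space at offset 0 can no longer leave line_offset at COLS going into the next iteration. Separately, the only bounds check visible before the write line[line_offset] = *p; is the assert in the first hunk, which is compiled out when NDEBUG is defined; a runtime bound on line_offset there would be worth proposing upstream. Since the request lists no tests, a manual check with a process whose arguments begin with a space would at least confirm the fixed path.
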
diff -Nru htop-3.4.1/debian/patches/series htop-3.4.1/debian/patches/series
--- htop-3.4.1/debian/patches/series    2025-04-25 22:55:18.000000000 +0200
+++ htop-3.4.1/debian/patches/series    2025-07-11 10:47:16.000000000 +0200
@@ -1,2 +1,3 @@
 001-fix-follow-scroll.patch
 002-fix-temp-reading-on-older-Intel-CPUs.patch
+003-fix-stack-buffer-overflow.patch
