Control: tags 1026106 + patch
Control: tags 1026106 + pending

Dear maintainer,

I've prepared an NMU for pacparser (versioned as 1.3.6-1.4) and uploaded 
it to DELAYED/5. Please feel free to tell me if I should cancel it.

cu
Adrian
diff -Nru pacparser-1.3.6/debian/changelog pacparser-1.3.6/debian/changelog
--- pacparser-1.3.6/debian/changelog	2022-07-25 00:20:17.000000000 +0300
+++ pacparser-1.3.6/debian/changelog	2023-02-25 16:48:20.000000000 +0200
@@ -1,3 +1,11 @@
+pacparser (1.3.6-1.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-25078: Possible memory overwrite in pacparser_find_proxy()
+    (Closes: #1026106)
+
+ -- Adrian Bunk <b...@debian.org>  Sat, 25 Feb 2023 16:48:20 +0200
+
 pacparser (1.3.6-1.3) unstable; urgency=low
 
   * Non-maintainer upload.
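Review bot: The new 1.3.6-1.4 entry cites the CVE and the bug number but does not name the file added under debian/patches or note that it is a backport of an upstream commit. Adding the patch file name to the CVE-2019-25078 bullet would let a reader map the changelog line to the actual change without opening the debdiff.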
diff -Nru pacparser-1.3.6/debian/patches/0001-Fix-possible-memory-overwrite-vulnerability.-134.patch pacparser-1.3.6/debian/patches/0001-Fix-possible-memory-overwrite-vulnerability.-134.patch
--- pacparser-1.3.6/debian/patches/0001-Fix-possible-memory-overwrite-vulnerability.-134.patch	1970-01-01 02:00:00.000000000 +0200
+++ pacparser-1.3.6/debian/patches/0001-Fix-possible-memory-overwrite-vulnerability.-134.patch	2023-02-25 16:48:20.000000000 +0200
@@ -0,0 +1,30 @@
+From 91a93b40f6b4e0a1a9ac497edfbc2a4b18196483 Mon Sep 17 00:00:00 2001
+From: Manu Garg <manug...@gmail.com>
+Date: Wed, 13 Apr 2022 14:30:07 -0700
+Subject: Fix possible memory overwrite vulnerability. (#134)
+
+---
+ src/pacparser.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pacparser.c b/src/pacparser.c
+index cc70a64..5a37d09 100644
+--- a/src/pacparser.c
++++ b/src/pacparser.c
+@@ -440,11 +440,11 @@ pacparser_find_proxy(const char *url, const char *host)
+   // Hostname shouldn't have single quotes in them
+   if (strchr(host, '\'')) {
+     print_error("%s %s\n", error_prefix,
+-		"Invalid hostname: hostname can't have single quotes.");
++      "Invalid hostname: hostname can't have single quotes.");
+     return NULL;
+   }
+ 
+-  script = (char*) malloc(32 + strlen(url) + strlen(host));
++  script = (char*) malloc(32 + strlen(sanitized_url) + strlen(host));
+   script[0] = '\0';
+   strcat(script, "FindProxyForURL('");
+   strcat(script, sanitized_url);
+-- 
+2.30.2
+
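Review bot: In the pacparser_find_proxy() hunk the return value of malloc() is still written to immediately by "script[0] = '\0';" with no NULL check, so an allocation failure turns into a NULL pointer write. The function already returns NULL on the invalid-hostname path, so a check along the lines of "if (script == NULL) return NULL;" with a print_error() call before the first write would fit the existing style. Sizing the buffer from sanitized_url matches the string that strcat() actually copies, but the fixed 32 bytes reserved for the surrounding literal text is unexplained and deserves a comment saying what it has to cover. The embedded patch header also carries no Origin or Bug-Debian field, which would help whoever next refreshes debian/patches.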
diff -Nru pacparser-1.3.6/debian/patches/series pacparser-1.3.6/debian/patches/series
--- pacparser-1.3.6/debian/patches/series	2020-03-02 07:22:40.000000000 +0200
+++ pacparser-1.3.6/debian/patches/series	2023-02-25 16:48:18.000000000 +0200
@@ -1 +1,2 @@
 py3only.patch
+0001-Fix-possible-memory-overwrite-vulnerability.-134.patch
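Review bot: The series entry keeps the raw git format-patch file name, including the ".-134" left over from the "(#134)" in the subject line. A name that states the purpose, such as one built from the CVE id, would be easier to recognise in debian/patches/series next to py3only.patch.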
