aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Lange <DLange@git.local>2021-02-02 06:45:23 +0100
committerDaniel Lange <DLange@git.local>2021-02-02 06:45:23 +0100
commitc41f79d4da85e7156d0fb1e6fc979ffc038328f3 (patch)
tree3976b5c032b57b7ecf2fe7f3e336cf05153fe9c5
parent3dd4a25d33277d99595b8f5ce51c025bf5106f28 (diff)
downloaddebian_htop-c41f79d4da85e7156d0fb1e6fc979ffc038328f3.tar.gz
debian_htop-c41f79d4da85e7156d0fb1e6fc979ffc038328f3.tar.bz2
debian_htop-c41f79d4da85e7156d0fb1e6fc979ffc038328f3.zip
Add (first) hardening patch for makeCommandStr string handling
Upstream refactors the functions around string handling significantly. This is a significant effort and not will likely introduce new issues at first. Thus trying to apply just some hardening patches from that effort to htop in preparation of the Bullseye release.
-rw-r--r--debian/changelog3
-rw-r--r--debian/patches/0009-hardening.patch18
-rw-r--r--debian/patches/series1
3 files changed, 21 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 1a5e14a..503f04c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,9 @@ htop (3.0.5-4) UNRELEASED; urgency=medium
* Fix mouse use / scrolling in Infoscreens
* Fix Shift-F3 (prev hit in search mode) for QT based terminals
+ * Harden string handling routine
- -- Daniel Lange <DLange@debian.org> Mon, 01 Feb 2021 12:32:00 +0100
+ -- Daniel Lange <DLange@debian.org> Tue, 02 Feb 2021 06:45:00 +0100
htop (3.0.5-3) unstable; urgency=medium
diff --git a/debian/patches/0009-hardening.patch b/debian/patches/0009-hardening.patch
new file mode 100644
index 0000000..e2b4638
--- /dev/null
+++ b/debian/patches/0009-hardening.patch
@@ -0,0 +1,18 @@
+Backport of commit 12208af7773775bf637ee2f8a07fdd6300238fc1
+Author: Benny Baumann <BenBE@geshi.org>
+Date: Mon Feb 1 22:09:39 2021 +0100
+
+ DiD: Avoid negative cmdlineBasenameOffset
+
+--- a/linux/LinuxProcess.c
++++ b/linux/LinuxProcess.c
+@@ -202,6 +202,9 @@
+ size_t tokenLen;
+ const size_t commLen = strlen(comm);
+
++ if (cmdlineBasenameOffset < 0)
++ return false;
++
+ for (const char *token = cmdline + cmdlineBasenameOffset; *token; ) {
+ for (tokenBase = token; *token && *token != '\n'; ++token) {
+ if (*token == '/') {
diff --git a/debian/patches/series b/debian/patches/series
index fbb892e..f8c651e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@
0006-fix-infoscreen-mouse.patch
0007-fix-exit-in-signal-handler.patch
0008-add-qterm-keyboard-code.patch
+0009-hardening.patch

© 2014-2024 Faster IT GmbH | imprint | privacy policy