diff options
author | Daniel Lange <DLange@git.local> | 2021-02-02 06:45:23 +0100 |
---|---|---|
committer | Daniel Lange <DLange@git.local> | 2021-02-02 06:45:23 +0100 |
commit | c41f79d4da85e7156d0fb1e6fc979ffc038328f3 (patch) | |
tree | 3976b5c032b57b7ecf2fe7f3e336cf05153fe9c5 | |
parent | 3dd4a25d33277d99595b8f5ce51c025bf5106f28 (diff) | |
download | debian_htop-c41f79d4da85e7156d0fb1e6fc979ffc038328f3.tar.gz debian_htop-c41f79d4da85e7156d0fb1e6fc979ffc038328f3.tar.bz2 debian_htop-c41f79d4da85e7156d0fb1e6fc979ffc038328f3.zip |
Add (first) hardening patch for makeCommandStr string handling
Upstream refactors the functions around string handling significantly.
This is a significant effort and not will likely introduce new issues at first.
Thus trying to apply just some hardening patches from that effort to htop in
preparation of the Bullseye release.
-rw-r--r-- | debian/changelog | 3 | ||||
-rw-r--r-- | debian/patches/0009-hardening.patch | 18 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 21 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 1a5e14a..503f04c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,9 @@ htop (3.0.5-4) UNRELEASED; urgency=medium * Fix mouse use / scrolling in Infoscreens * Fix Shift-F3 (prev hit in search mode) for QT based terminals + * Harden string handling routine - -- Daniel Lange <DLange@debian.org> Mon, 01 Feb 2021 12:32:00 +0100 + -- Daniel Lange <DLange@debian.org> Tue, 02 Feb 2021 06:45:00 +0100 htop (3.0.5-3) unstable; urgency=medium diff --git a/debian/patches/0009-hardening.patch b/debian/patches/0009-hardening.patch new file mode 100644 index 0000000..e2b4638 --- /dev/null +++ b/debian/patches/0009-hardening.patch @@ -0,0 +1,18 @@ +Backport of commit 12208af7773775bf637ee2f8a07fdd6300238fc1 +Author: Benny Baumann <BenBE@geshi.org> +Date: Mon Feb 1 22:09:39 2021 +0100 + + DiD: Avoid negative cmdlineBasenameOffset + +--- a/linux/LinuxProcess.c ++++ b/linux/LinuxProcess.c +@@ -202,6 +202,9 @@ + size_t tokenLen; + const size_t commLen = strlen(comm); + ++ if (cmdlineBasenameOffset < 0) ++ return false; ++ + for (const char *token = cmdline + cmdlineBasenameOffset; *token; ) { + for (tokenBase = token; *token && *token != '\n'; ++token) { + if (*token == '/') { diff --git a/debian/patches/series b/debian/patches/series index fbb892e..f8c651e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ 0006-fix-infoscreen-mouse.patch 0007-fix-exit-in-signal-handler.patch 0008-add-qterm-keyboard-code.patch +0009-hardening.patch |