[med-svn] [Git][med-team/bwa][master] Add patch from upstream to fix CVE-2019-10269. (Closes: #926014)

Dylan Aïssi gitlab at salsa.debian.org
Sat Mar 30 14:18:45 GMT 2019



Dylan Aïssi pushed to branch master at Debian Med / bwa


Commits:
2f03e0f1 by Dylan Aïssi at 2019-03-30T14:17:53Z
Add patch from upstream to fix CVE-2019-10269. (Closes: #926014)

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2019-10269.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,8 +1,15 @@
 bwa (0.7.17-3) UNRELEASED; urgency=medium
 
+  * Team upload.
+
+  [ Dylan Aïssi ]
+  * Add patch from upstream to fix CVE-2019-10269.
+      (Closes: #926014)
+
+  [ Jelmer Vernooij ]
   * Trim trailing whitespace.
 
- -- Jelmer Vernooij <jelmer at debian.org>  Sat, 20 Oct 2018 13:21:47 +0000
+ -- Dylan Aïssi <daissi at debian.org>  Sat, 30 Mar 2019 15:15:04 +0100
 
 bwa (0.7.17-2) unstable; urgency=medium
 
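Review bot: the entry header on the first line keeps urgency=medium even though this upload now carries a CVE fix that closes #926014; consider raising the urgency when the entry is finalised so the fix migrates promptly. The distribution is also still UNRELEASED, so the fix is not uploaded by this commit alone. Minor style point: the "(Closes: #926014)" continuation line is indented six spaces, deeper than the bullet text it continues.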


=====================================
debian/patches/CVE-2019-10269.patch
=====================================
@@ -0,0 +1,23 @@
+Author: Heng Li <lh3 at me.com>
+Description: Fix CVE-2019-10269.
+Origin: upstream, https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e
+Bug: https://github.com/lh3/bwa/pull/232
+Bug-Debian: https://bugs.debian.org/926014
+
+--- a/bntseq.c
++++ b/bntseq.c
+@@ -197,7 +197,13 @@
+ 				}
+ 				while (c != '\n' && c != EOF) c = fgetc(fp);
+ 				i = 0;
+-			} else str[i++] = c; // FIXME: potential segfault here
++			} else {
++				if (i >= 1022) {
++					fprintf(stderr, "[E::%s] sequence name longer than 1023 characters. Abort!\n", __func__);
++					exit(1);
++				}
++				str[i++] = c;
++			}
+ 		}
+ 		kh_destroy(str, h);
+ 		fclose(fp);
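Review bot: the bound in `if (i >= 1022)` and the error text disagree. The guard fires once 1022 characters are stored, so a 1023-character name is rejected, while the message says "longer than 1023 characters". The declaration of str is outside this hunk, so the literal 1022 cannot be checked against the buffer size from here; if str is a fixed array in this function, deriving the limit from sizeof(str) and leaving room for the terminator would keep the check correct if the buffer is ever resized, and the message could print the same derived value. Calling exit(1) at this point also skips the kh_destroy(str, h) and fclose(fp) that follow the loop, which is harmless for the command-line tool but leaves callers that embed this code no way to handle a malformed file. On the DEP-3 header, an Applied-Upstream or Last-Update field would help whoever later rebases the package on a new upstream release decide when to drop the patch.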


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 fix_heap_block_overrun			# See https://github.com/lh3/bwa/issues/146
 fix_build_on_freebsd.patch
+CVE-2019-10269.patch



View it on GitLab: https://salsa.debian.org/med-team/bwa/commit/2f03e0f1fa6b0ca04f6d5ec9f95a488f14508914
