[Git][debian-gis-team/liblas][master] Add upstream patch to fix CVE-2018-20540.
Bas Couwenberg
gitlab at salsa.debian.org
Sun Jan 20 08:07:50 GMT 2019
Bas Couwenberg pushed to branch master at Debian GIS Project / liblas
Commits:
caa196e9 by Bas Couwenberg at 2019-01-20T08:07:41Z
Add upstream patch to fix CVE-2018-20540.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0001-Ensure-stream-is-deallocated-in-case-of-exception-16.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+liblas (1.8.1-10) UNRELEASED; urgency=medium
+
+ * Add upstream patch to fix CVE-2018-20540.
+
+ -- Bas Couwenberg <sebastic at debian.org> Sun, 20 Jan 2019 09:06:54 +0100
+
liblas (1.8.1-9) unstable; urgency=medium
* Bump Standards-Version to 4.3.0, no changes.
=====================================
debian/patches/0001-Ensure-stream-is-deallocated-in-case-of-exception-16.patch
=====================================
@@ -0,0 +1,49 @@
+Description: Ensure stream is deallocated in case of exception
+ Fixes CVE-2018-20540: memory leak at liblas::Open(liblas/liblas.hpp:127)
+Author: Mateusz Loskot <mateusz at loskot.net>
+Origin: https://github.com/libLAS/libLAS/commit/09d45518776489508f34098f1c159f58b856f459
+Bug: https://github.com/libLAS/libLAS/issues/158
+
+--- a/include/liblas/liblas.hpp
++++ b/include/liblas/liblas.hpp
+@@ -119,16 +119,32 @@ inline std::istream* Open(std::string co
+ {
+ #ifdef USE_BOOST_IO
+ namespace io = boost::iostreams;
+- io::stream<io::file_source>* ifs = new io::stream<io::file_source>();
+- ifs->open(filename.c_str(), mode);
+- if (ifs->is_open() == false) return NULL;
+- return ifs;
++ io::stream<io::file_source>* ifs = NULL;
++ try
++ {
++ ifs = new io::stream<io::file_source>();
++ ifs->open(filename.c_str(), mode);
++ if (ifs->is_open() == false) return NULL;
++ return ifs;
++ }
++ catch (...)
++ {
++ delete ifs;
++ }
+ #else
+- std::ifstream* ifs = new std::ifstream();
+- ifs->open(filename.c_str(), mode);
+- if (ifs->is_open() == false) return NULL;
+- return ifs;
++ std::ifstream* ifs = NULL;
++ try
++ {
++ ifs = new std::ifstream();
++ ifs->open(filename.c_str(), mode);
++ if (ifs->is_open() == false) return NULL;
++ }
++ catch (...)
++ {
++ delete ifs;
++ }
+ #endif
++ return NULL;
+ }
+
+ /// Create file and open to write in binary mode.
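Review bot: In the `#else` (non-Boost) branch the new try block has no `return ifs;`, although the removed code had one and the `USE_BOOST_IO` branch keeps it. After a successful `ifs->open(filename.c_str(), mode)` control leaves the try block and reaches the new trailing `return NULL;`, so in that build Open() returns NULL for a file that opened correctly and the allocated `std::ifstream` is never freed. Add `return ifs;` as the last statement of the `#else` try block. Separately, in both branches `if (ifs->is_open() == false) return NULL;` still returns without `delete ifs;`, so an open that fails without throwing still leaks the stream; only the throwing path is cleaned up by `catch (...)`. Delete the stream before that early return, or let the check fall through to a shared cleanup ahead of the final `return NULL;`.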
=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@ gdal-c++11.patch
0001-GDAL-interface-no-longer-use-deprecated-API-of-GDAL-.patch
0001-WITH_GDAL-fix-build-with-DDEBUG.patch
0001-Fix-compilation-with-DDEBUG-and-GDAL-2.patch
+0001-Ensure-stream-is-deallocated-in-case-of-exception-16.patch
View it on GitLab: https://salsa.debian.org/debian-gis-team/liblas/commit/caa196e994988d75ac3f1c4c8698649e3ca62fa9