Bug#1029976: bullseye-pu: libzen/0.4.38-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bulleye
User: release.debian.org@packages.debian.org
Usertags: pu


The attached debdiff for libzen fixes CVE-2020-36646 in Bullseye.
It has already been uploaded to all releases from Jessie to Buster.

This CVE has been marked as no-dsa by the security team.

  Thorsten
diff -Nru libzen-0.4.38/debian/changelog libzen-0.4.38/debian/changelog
--- libzen-0.4.38/debian/changelog	2020-04-10 17:32:09.000000000 +0200
+++ libzen-0.4.38/debian/changelog	2023-01-28 13:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+libzen (0.4.38-1+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-36646
+    fix for possible null pointer dereference
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sat, 28 Jan 2023 13:03:02 +0100
+
 libzen (0.4.38-1) unstable; urgency=medium
 
   * [7cc8350] New upstream version 0.4.38
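Review bot: urgency=high in the new changelog stanza sits oddly with the request itself, which is filed at Severity: normal and says the CVE was marked no-dsa; consider urgency=medium unless there is a reason for high. The entry would also be easier to audit if it named the added file, debian/patches/CVE-2020-36646.patch, and the function it touches, Ztring::Date_From_Seconds_1970_Local.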
diff -Nru libzen-0.4.38/debian/patches/CVE-2020-36646.patch libzen-0.4.38/debian/patches/CVE-2020-36646.patch
--- libzen-0.4.38/debian/patches/CVE-2020-36646.patch	1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/CVE-2020-36646.patch	2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1,27 @@
+commit 6475fcccd37c9cf17e0cfe263b5fe0e2e47a8408
+Author: Pave Pimenov <pavel.pimenov@gmail.com>
+Date:   Sat Sep 12 07:46:47 2020 +0300
+
+    fix V522 [CWE-690] There might be dereferencing of a potential null pointer 'Gmt'.
+
+diff --git a/Source/ZenLib/Ztring.cpp b/Source/ZenLib/Ztring.cpp
+index bc38fe4..21bbc58 100644
+--- a/Source/ZenLib/Ztring.cpp
++++ b/Source/ZenLib/Ztring.cpp
+@@ -1364,6 +1364,8 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const int32u Value)
+     #endif
+     Ztring DateT;
+     Ztring Date;
++    if (Gmt)
++    {
+     Date+=Ztring::ToZtring((Gmt->tm_year+1900));
+     Date+=__T("-");
+     DateT.From_Number(Gmt->tm_mon+1); if (DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_mon+1);}
+@@ -1381,6 +1383,7 @@ Ztring& Ztring::Date_From_Seconds_1970_Local (const int32u Value)
+     DateT.From_Number(Gmt->tm_sec); if (DateT.size()<2){DateT=Ztring(__T("0"))+Ztring::ToZtring(Gmt->tm_sec);}
+     Date+=DateT;
+     assign (Date.c_str());
++    }
+     return *this;
+ }
+ 
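Review bot: in the Ztring.cpp change, when Gmt is null the function now falls straight through to `return *this;`, so as far as the visible lines show the Ztring keeps whatever it held before the call and the caller cannot tell that the conversion failed. Consider clearing the string on that path, or documenting that it is left unchanged. Separately, the Author line reads "Pave Pimenov" while the address is pavel.pimenov@gmail.com, so the name looks truncated and is worth checking against the upstream commit.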
diff -Nru libzen-0.4.38/debian/patches/series libzen-0.4.38/debian/patches/series
--- libzen-0.4.38/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libzen-0.4.38/debian/patches/series	2023-01-28 13:03:02.000000000 +0100
@@ -0,0 +1 @@
+CVE-2020-36646.patch