author | Axel Beckert <abe@deuxchevaux.org> | 2018-04-05 01:19:04 +0200 |
---|---|---|
committer | Axel Beckert <abe@deuxchevaux.org> | 2018-04-05 01:27:40 +0200 |
commit | d49689fe447363cdb431d50e18cd71f557afc4d6 (patch) | |
tree | f40e22df47b5bbb93c643d9c1ceab643e2d3aa8f /debian/patches/CVE-2018-1071.patch | |
parent | 7e1a0050e7991391408f27dc159e1f18f0856518 (diff) | |
download | zsh-d49689fe447363cdb431d50e18cd71f557afc4d6.tar.gz zsh-d49689fe447363cdb431d50e18cd71f557afc4d6.zip |
Cherry-pick upstream patches to fix CVE-2018-1071 + CVE-2018-1083
* CVE-2018-1071 (Check bounds when copying path in "hashcmd()".
Closes: #894044)
* CVE-2018-1083 (Check bounds on PATH_MAX-sized buffer used for file
completion candidates. Closes: #894043)
Gbp-Dch: Full
Diffstat (limited to 'debian/patches/CVE-2018-1071.patch')
-rw-r--r-- | debian/patches/CVE-2018-1071.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/debian/patches/CVE-2018-1071.patch b/debian/patches/CVE-2018-1071.patch new file mode 100644 index 000000000..89ca5853f --- /dev/null +++ b/debian/patches/CVE-2018-1071.patch @@ -0,0 +1,34 @@ +Description: CVE-2018-1071 + Check bounds when copying path in hashcmd(). +Origin: 679b71ec4d852037fe5f73d35bf557b0f406c8d4 +Author: Oliver Kiddle <okiddle@yahoo.co.uk> +Bug-Debian: https://bugs.debian.org/894043 +Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083 + +--- a/Src/exec.c ++++ b/Src/exec.c +@@ -920,7 +920,7 @@ + for (; *pp; pp++) + if (**pp == '/') { + s = buf; +- strucpy(&s, *pp); ++ struncpy(&s, *pp, PATH_MAX); + *s++ = '/'; + if ((s - buf) + strlen(arg0) >= PATH_MAX) + continue; +--- a/Src/utils.c ++++ b/Src/utils.c +@@ -2283,10 +2283,10 @@ + { + char *u = *s; + +- while (n--) +- *u++ = *t++; ++ while (n-- && (*u++ = *t++)); + *s = u; +- *u = '\0'; ++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ ++ *u = '\0'; + } + + /* Return the number of elements in an array of pointers. * |
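Review bot: The DEP-3 header of the new patch file mixes up the two CVEs. Description names CVE-2018-1071, but Bug-Debian points at https://bugs.debian.org/894043 and Bug-CVE at CVE-2018-1083, which the commit message assigns to the file completion buffer fix. Going by the commit message, the hashcmd() fix closes #894044, so these two fields should reference bug 894044 and name=CVE-2018-1071 to keep the tracker links accurate.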
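Review bot: In the Src/exec.c hunk, `*s++ = '/'` still runs before the `(s - buf) + strlen(arg0) >= PATH_MAX` check. With the limit passed as PATH_MAX, struncpy() can leave s at buf + PATH_MAX, so the slash is stored at buf[PATH_MAX]. That is in bounds only if buf holds at least PATH_MAX + 1 bytes, and the declaration is not visible in the hunk. Worth confirming the buffer size, or moving the length check ahead of the store so the bound does not depend on it.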
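Review bot: In the Src/utils.c hunk, `while (n-- && (*u++ = *t++));` advances u even when the byte just copied is the terminating NUL, so `*s = u` hands the caller a pointer one past the terminator instead of on it, unlike the old loop. The hashcmd() caller in this same patch then does `*s++ = '/'`, which would land after the NUL and leave the string ending at the directory name whenever the source is shorter than n. Suggest incrementing only after a non-NUL byte, for example `while (n-- && (*u = *t++)) u++;`. The `if (n > 0)` comment should also say that when n bytes are copied without reaching a NUL the result is left unterminated, since callers have to account for that.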