Version in base suite: 2.0.5-1
Base version: libidn2_2.0.5-1
Target version: libidn2_2.0.5-1+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libi/libidn2/libidn2_2.0.5-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libi/libidn2/libidn2_2.0.5-1+deb10u1.dsc
changelog | 12 +++
control | 4 -
patches/Fail-make-if-ronn-doesn-t-existi-when-building-docs.patch | 20 +++++
patches/Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch | 28 +++++++
patches/Fix-generation-of-idn2.1-man-page-file.patch | 20 +++++
patches/idn2_to_ascii_4i-Restrict-output-length-to-63.patch | 40 ++++++++++
patches/series | 4 +
7 files changed, 126 insertions(+), 2 deletions(-)
diff -Nru libidn2-2.0.5/debian/changelog libidn2-2.0.5/debian/changelog
--- libidn2-2.0.5/debian/changelog 2018-08-31 13:05:31.000000000 +0000
+++ libidn2-2.0.5/debian/changelog 2020-01-30 22:15:38.000000000 +0000
@@ -1,3 +1,15 @@
+libidn2 (2.0.5-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix free of random (stack) value in idn2_to_ascii_4i()
+ * idn2_to_ascii_4i(): Restrict output length to 63 (CVE-2019-18224)
+ (Closes: #942895)
+ * Fail make if 'ronn' doesn't exist when building docs
+ * Fix generation of idn2.1 man page file
+ * Move texinfo from Build-Depends-Indep to Build-Depends (Closes: #949705)
+
+ -- Salvatore Bonaccorso Thu, 30 Jan 2020 23:15:38 +0100
+
 libidn2 (2.0.5-1) unstable; urgency=medium
 * New upstream version 2.0.5
diff -Nru libidn2-2.0.5/debian/control libidn2-2.0.5/debian/control
--- libidn2-2.0.5/debian/control 2018-08-31 13:05:31.000000000 +0000
+++ libidn2-2.0.5/debian/control 2020-01-30 22:15:38.000000000 +0000
@@ -9,11 +9,11 @@
 help2man,
 libunistring-dev,
 ronn | ruby-ronn (<< 0.7.3-5.1~),
- pkg-config
+ pkg-config,
+ texinfo
 Build-Depends-Indep: dblatex,
 gtk-doc-tools,
 libglib2.0-dev,
- texinfo,
 texlive
 Standards-Version: 4.1.0
 Priority: optional
diff -Nru libidn2-2.0.5/debian/patches/Fail-make-if-ronn-doesn-t-existi-when-building-docs.patch libidn2-2.0.5/debian/patches/Fail-make-if-ronn-doesn-t-existi-when-building-docs.patch
--- libidn2-2.0.5/debian/patches/Fail-make-if-ronn-doesn-t-existi-when-building-docs.patch 1970-01-01 00:00:00.000000000 +0000
+++ libidn2-2.0.5/debian/patches/Fail-make-if-ronn-doesn-t-existi-when-building-docs.patch 2020-01-30 22:15:38.000000000 +0000
@@ -0,0 +1,20 @@
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sat, 9 Feb 2019 19:01:03 +0100
+Subject: Fail make if 'ronn' doesn't existi when building docs
+Origin: https://github.com/libidn/libidn2/commit/19fc21a5dd9bf23b8c0c0220a96da726ddafed41
+
+---
+ doc/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -45,7 +45,7 @@ dist_man_MANS = $(gdoc_MANS)
+ dist_man_MANS += idn2.1
+
+ idn2.1: idn2.md
+- ronn -r $^ >$@
++ ronn -r $^ >$@ || false
+
+ CLEANFILES = $(dist_man_MANS) decode.c example-tounicode.c example-toascii.c lookup.c \
+ register.c stamp-vti version.texi
diff -Nru libidn2-2.0.5/debian/patches/Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch libidn2-2.0.5/debian/patches/Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch
--- libidn2-2.0.5/debian/patches/Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch 1970-01-01 00:00:00.000000000 +0000
+++ libidn2-2.0.5/debian/patches/Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch 2020-01-30 22:15:38.000000000 +0000
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Sat, 5 Jan 2019 22:49:13 +0100
+Subject: Fix free of random (stack) value in idn2_to_ascii_4i()
+Origin: https://github.com/libidn/libidn2/commit/dfedd4024b01bf08d5b55ed8fb29c009b887f083
+
+---
+ lib/lookup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/lookup.c b/lib/lookup.c
+index 14e87daf9cf1..7c5b52bb7bc8 100644
+--- a/lib/lookup.c
++++ b/lib/lookup.c
+@@ -619,9 +619,10 @@ idn2_to_ascii_4i (const uint32_t * input, size_t inlen, char * output, int flags
+ */
+ if (output)
+ strcpy (output, (const char *) output_u8);
++
++ free(output_u8);
+ }
+
+- free(output_u8);
+ return rc;
+ }
+
+--
+2.25.0
+
diff -Nru libidn2-2.0.5/debian/patches/Fix-generation-of-idn2.1-man-page-file.patch libidn2-2.0.5/debian/patches/Fix-generation-of-idn2.1-man-page-file.patch
--- libidn2-2.0.5/debian/patches/Fix-generation-of-idn2.1-man-page-file.patch 1970-01-01 00:00:00.000000000 +0000
+++ libidn2-2.0.5/debian/patches/Fix-generation-of-idn2.1-man-page-file.patch 2020-01-30 22:15:38.000000000 +0000
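Review bot: Moving `free(output_u8)` inside the closing block only frees on the path where the buffer was allocated, but as far as this hunk shows the pointer itself is still left uninitialized on the failure path, so the same class of bug returns the moment someone adds another cleanup or early return. Initializing it at its declaration, `output_u8 = NULL;`, makes any stray `free()` a no-op and is the usual belt-and-braces for this pattern; the declaration and the start of idn2_to_ascii_4i lie outside the hunk, so this is inferred from the commit subject rather than seen. The `strcpy` into the caller's `output` on the line above is still unbounded in this patch; that is addressed by the separate length-restriction patch in the same upload, so it does not need a second fix here.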
@@ -0,0 +1,20 @@
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Thu, 23 May 2019 14:51:59 +0200
+Subject: Fix generation of idn2.1 man page file
+Origin: https://github.com/libidn/libidn2/commit/f14320fffe193a975e692a8db28069ddc3bfe046
+
+---
+ doc/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -45,7 +45,7 @@ dist_man_MANS = $(gdoc_MANS)
+ dist_man_MANS += idn2.1
+
+ idn2.1: idn2.md
+- ronn -r $^ >$@ || false
++ ronn <$^ >$@ || false
+
+ CLEANFILES = $(dist_man_MANS) decode.c example-tounicode.c example-toascii.c lookup.c \
+ register.c stamp-vti version.texi
diff -Nru libidn2-2.0.5/debian/patches/idn2_to_ascii_4i-Restrict-output-length-to-63.patch libidn2-2.0.5/debian/patches/idn2_to_ascii_4i-Restrict-output-length-to-63.patch
--- libidn2-2.0.5/debian/patches/idn2_to_ascii_4i-Restrict-output-length-to-63.patch 1970-01-01 00:00:00.000000000 +0000
+++ libidn2-2.0.5/debian/patches/idn2_to_ascii_4i-Restrict-output-length-to-63.patch 2020-01-30 22:15:38.000000000 +0000
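Review bot: `ronn <$^ >$@ || false` does fail the build when ronn is missing or exits non-zero, but the shell redirection has already created or truncated `idn2.1` before ronn runs, so a rerun of `make` finds an up-to-date, empty man page and ships it silently. Writing to a temporary and renaming only on success avoids that: `ronn <$^ >$@.tmp && mv $@.tmp $@`, with `$@.tmp` added to CLEANFILES; the shorter alternative is to delete the target on failure, `ronn <$^ >$@ || { rm -f $@; false; }`. Whether this automake setup declares `.DELETE_ON_ERROR` is not visible here; if it does, the concern is moot.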
@@ -0,0 +1,40 @@
+From: =?UTF-8?q?Tim=20R=C3=BChsen?=
+Date: Wed, 9 Jan 2019 14:36:16 +0100
+Subject: idn2_to_ascii_4i(): Restrict output length to 63
+Origin: https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-18224
+Bug-Debian: https://bugs.debian.org/942895
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420
+
+---
+ lib/lookup.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/lookup.c b/lib/lookup.c
+index 7c5b52bb7bc8..cc918d951ea7 100644
+--- a/lib/lookup.c
++++ b/lib/lookup.c
+@@ -617,10 +617,18 @@ idn2_to_ascii_4i (const uint32_t * input, size_t inlen, char * output, int flags
+ * char * out output zero terminated string that must have room for at
+ * least 63 characters plus the terminating zero.
+ */
++ size_t len = strlen ((char *) output_u8);
++
++ if (len > 63)
++ {
++ free (output_u8);
++ return IDN2_TOO_BIG_DOMAIN;
++ }
++
+ if (output)
+- strcpy (output, (const char *) output_u8);
++ strcpy (output, (char *) output_u8);
+
+- free(output_u8);
++ free (output_u8);
+ }
+
+ return rc;
+--
+2.25.0
+
diff -Nru libidn2-2.0.5/debian/patches/series libidn2-2.0.5/debian/patches/series
--- libidn2-2.0.5/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libidn2-2.0.5/debian/patches/series 2020-01-30 22:15:38.000000000 +0000
@@ -0,0 +1,4 @@
+Fix-free-of-random-stack-value-in-idn2_to_ascii_4i.patch
+idn2_to_ascii_4i-Restrict-output-length-to-63.patch
+Fail-make-if-ronn-doesn-t-existi-when-building-docs.patch
+Fix-generation-of-idn2.1-man-page-file.patch
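Review bot: The bare `63` in `if (len > 63)` is the whole CVE-2019-18224 fix and nothing in the code ties it to the contract stated in the comment directly above, so a comment such as `/* caller's buffer is documented as 63 chars + NUL (DNS label limit); never copy more */` would stop a later reader from loosening it. Since `len` is already in hand, the copy can make the bound explicit and avoid a second scan: `memcpy (output, output_u8, len + 1);`. Two smaller points: the length check now runs before `if (output)`, so a caller passing NULL also gets `IDN2_TOO_BIG_DOMAIN` for an over-long result, which is presumably intended but deserves a word in the comment; and the `(const char *)` to `(char *)` change on the strcpy line drops a `const` for no visible reason and could simply be reverted. The enclosing block and the start of idn2_to_ascii_4i are outside the hunk.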