diff -Nru epiphany-browser-42.1/debian/changelog epiphany-browser-42.1/debian/changelog
--- epiphany-browser-42.1/debian/changelog 2022-04-12 19:07:56.000000000 +0000
+++ epiphany-browser-42.1/debian/changelog 2022-07-31 19:53:30.000000000 +0000
@@ -1,3 +1,10 @@
+epiphany-browser (42.1-1ubuntu1) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: Fix memory corruption in ephy_string_shorten()
+ - CVE-2022-29536 (LP: #1969851)
+
+ -- Jeremy Bicha Sun, 31 Jul 2022 15:53:30 -0400
+
 epiphany-browser (42.1-1) unstable; urgency=medium
 
 * New upstream release (LP: #1968747)
diff -Nru epiphany-browser-42.1/debian/control epiphany-browser-42.1/debian/control
--- epiphany-browser-42.1/debian/control 2022-04-12 19:07:56.000000000 +0000
+++ epiphany-browser-42.1/debian/control 2022-07-31 19:53:30.000000000 +0000
@@ -5,7 +5,8 @@
 Source: epiphany-browser
 Section: gnome
 Priority: optional
-Maintainer: Debian GNOME Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian GNOME Maintainers
 Uploaders: Jeremy Bicha , Laurent Bigonville , Michael Biebl , Sebastien Bacher
 Build-Depends: appstream-util,
 at-spi2-core ,
@@ -40,8 +41,10 @@
 Rules-Requires-Root: no
 Build-Depends-Indep: libglib2.0-doc, libgtk-3-doc
 Standards-Version: 4.5.1
-Vcs-Browser: https://salsa.debian.org/gnome-team/epiphany-browser
-Vcs-Git: https://salsa.debian.org/gnome-team/epiphany-browser.git
+XS-Debian-Vcs-Browser: https://salsa.debian.org/gnome-team/epiphany-browser
+XS-Debian-Vcs-Git: https://salsa.debian.org/gnome-team/epiphany-browser.git
+Vcs-Browser: https://salsa.debian.org/gnome-team/epiphany-browser/tree/ubuntu/jammy
+Vcs-Git: https://salsa.debian.org/gnome-team/epiphany-browser.git -b ubuntu/jammy
 Homepage: https://wiki.gnome.org/Apps/Web
 
 Package: epiphany-browser
diff -Nru epiphany-browser-42.1/debian/control.in epiphany-browser-42.1/debian/control.in
--- epiphany-browser-42.1/debian/control.in 2022-04-12 19:07:56.000000000 +0000
+++ epiphany-browser-42.1/debian/control.in 2022-07-31 19:53:30.000000000 +0000
@@ -1,7 +1,8 @@
 Source: epiphany-browser
 Section: gnome
 Priority: optional
-Maintainer: Debian GNOME Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian GNOME Maintainers
 Uploaders: @GNOME_TEAM@
 Build-Depends: appstream-util,
 at-spi2-core ,
@@ -36,8 +37,10 @@
 Rules-Requires-Root: no
 Build-Depends-Indep: libglib2.0-doc, libgtk-3-doc
 Standards-Version: 4.5.1
-Vcs-Browser: https://salsa.debian.org/gnome-team/epiphany-browser
-Vcs-Git: https://salsa.debian.org/gnome-team/epiphany-browser.git
+XS-Debian-Vcs-Browser: https://salsa.debian.org/gnome-team/epiphany-browser
+XS-Debian-Vcs-Git: https://salsa.debian.org/gnome-team/epiphany-browser.git
+Vcs-Browser: https://salsa.debian.org/gnome-team/epiphany-browser/tree/ubuntu/jammy
+Vcs-Git: https://salsa.debian.org/gnome-team/epiphany-browser.git -b ubuntu/jammy
 Homepage: https://wiki.gnome.org/Apps/Web
 
 Package: epiphany-browser
diff -Nru epiphany-browser-42.1/debian/gbp.conf epiphany-browser-42.1/debian/gbp.conf
--- epiphany-browser-42.1/debian/gbp.conf 2022-04-12 19:07:56.000000000 +0000
+++ epiphany-browser-42.1/debian/gbp.conf 2022-07-31 19:53:30.000000000 +0000
@@ -1,6 +1,7 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = ubuntu/jammy
+debian-tag = ubuntu/%(version)s
 upstream-branch = upstream/latest
 
 [buildpackage]
diff -Nru epiphany-browser-42.1/debian/patches/Fix-memory-corruption-in-ephy_string_shorten.patch epiphany-browser-42.1/debian/patches/Fix-memory-corruption-in-ephy_string_shorten.patch
--- epiphany-browser-42.1/debian/patches/Fix-memory-corruption-in-ephy_string_shorten.patch 1970-01-01 00:00:00.000000000 +0000
+++ epiphany-browser-42.1/debian/patches/Fix-memory-corruption-in-ephy_string_shorten.patch 2022-07-31 19:53:30.000000000 +0000
@@ -0,0 +1,41 @@
+From: Michael Catanzaro
+Date: Fri, 15 Apr 2022 18:09:46 -0500
+Subject: Fix memory corruption in ephy_string_shorten()
+
+This fixes a regression that I introduced in 232c613472b38ff0d0d97338f366024ddb9cd228.
+
+I got my browser stuck in a crash loop today while visiting a website
+with a page title greater than ephy-embed.c's MAX_TITLE_LENGTH, the only
+condition in which ephy_string_shorten() is ever used. Turns out this
+commit is wrong: an ellipses is a multibyte character (three bytes in
+UTF-8) and so we're writing past the end of the buffer when calling
+strcat() here. Ooops.
+
+Shame it took nearly four years to notice and correct this.
+
+Part-of:
+(cherry picked from commit 486da133569ebfc436c959a7419565ab102e8525)
+
+LP: #1969851
+---
+ lib/ephy-string.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ephy-string.c b/lib/ephy-string.c
+index dd434e1..1987aae 100644
+--- a/lib/ephy-string.c
++++ b/lib/ephy-string.c
+@@ -114,11 +114,10 @@ ephy_string_shorten (char *str,
+ /* create string */
+ bytes = GPOINTER_TO_UINT (g_utf8_offset_to_pointer (str, target_length - 1) - str);
+
+- /* +1 for ellipsis, +1 for trailing NUL */
+- new_str = g_new (gchar, bytes + 1 + 1);
++ new_str = g_new (gchar, bytes + strlen ("…") + 1);
+
+ strncpy (new_str, str, bytes);
+- strcat (new_str, "…");
++ strncpy (new_str + bytes, "…", strlen ("…") + 1);
+
+ g_free (str);
+
diff -Nru epiphany-browser-42.1/debian/patches/series epiphany-browser-42.1/debian/patches/series
--- epiphany-browser-42.1/debian/patches/series 2022-04-12 19:07:56.000000000 +0000
+++ epiphany-browser-42.1/debian/patches/series 2022-07-31 19:53:30.000000000 +0000
@@ -1,2 +1,3 @@
 00_epiphany-browser.patch
 07_bookmarks.patch
+Fix-memory-corruption-in-ephy_string_shorten.patch
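Review bot: In the `lib/ephy-string.c` hunk carried by the added patch file, the new string is NUL-terminated only because the second `strncpy` is given `strlen ("…") + 1`; the first call copies exactly `bytes` and writes no terminator, and the removed size comment has no replacement. A comment above the `g_new` line such as `/* room for the multibyte UTF-8 ellipsis plus the trailing NUL */` would keep a later edit from reintroducing the one-byte assumption. Since both lengths are already computed, `memcpy (new_str, str, bytes);` and `memcpy (new_str + bytes, "…", strlen ("…") + 1);` would say the same thing without relying on strncpy's termination rules. A unit test that shortens an over-long title, run under AddressSanitizer, would catch this class of overflow, which the commit message says went unnoticed for nearly four years. `ephy_string_shorten()` starts and ends outside the hunk, so any guard on `target_length` before `target_length - 1` is not visible here.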