Bug#404235: marked as done (trr19: segfault when no argument is given)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Sat, 03 Feb 2007 12:17:02 +0000
with message-id <E1HDJpG-0001La-Os@ries.debian.org>
and subject line Bug#404235: fixed in trr19 1.0beta5-19
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: trr19: segfault when no argument is given
• From: Arnaud Fontaine <arnaud@andesi.org>
• Date: Fri, 22 Dec 2006 18:53:15 +0100
• Message-id: <873b77bywk.fsf@scoobidee.mini-dweeb.org>

Package: trr19
Version: 1.0beta5-19
Severity: normal
Tags: patch

Hello,

When no argument is given  to trr_update or trr_format, it segfaults. In
addition the  program could give a  buffer overflow which may  be use to
gain the games group privileges. This bug should be grave because it can
allow someone to modify the nethack scores... ;)

Regards,
Arnaud Fontaine

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.19.1-maggie
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages trr19 depends on:
ii  emacs-snapshot-gtk [emacs-s 1:20061221-1 The GNU Emacs editor (with GTK+ 2.
ii  libc6                       2.3.6.ds1-9  GNU C Library: Shared libraries

trr19 recommends no packages.

-- no debconf information

diff -urN trr19-1.0beta5.orig/trr_format.c trr19-1.0beta5/trr_format.c
--- trr19-1.0beta5.orig/trr_format.c	2006-12-22 02:58:26.000000000 +0100
+++ trr19-1.0beta5/trr_format.c	2006-12-22 02:56:12.000000000 +0100
@@ -54,6 +54,11 @@
   signal(SIGTERM, SIG_IGN);
 
   strcpy(textfile, TEXT_DIR);
+  if (argc < 2 || (strlen (TEXT_DIR) + strlen (argv[1])) >= 256){
+    fprintf (stderr, "%s: %s\n", argv[0], strerror (EINVAL));
+    exit(1);
+  }
+
   strcat(textfile, argv[1]);
   strcpy(formattedfile, textfile);
   strcat(formattedfile, ".formed");
diff -urN trr19-1.0beta5.orig/trr_update.c trr19-1.0beta5/trr_update.c
--- trr19-1.0beta5.orig/trr_update.c	1996-07-03 06:52:08.000000000 +0200
+++ trr19-1.0beta5/trr_update.c	2006-12-22 18:12:52.000000000 +0100
@@ -74,6 +74,11 @@
   }
 
   /* upfate high score file */
+  if (argc != 7 || (strlen (argv[1]) + strlen (".lock")) >= 256){
+    fprintf (stderr, "%s: %s\n", argv[0], strerror (EINVAL));
+    exit(1);
+  }
+
   strcat(scorefile, argv[1]);
   strcpy(lockfile, scorefile);
   strcat(lockfile, ".lock");

--- End Message ---

--- Begin Message ---

• To: 404235-close@bugs.debian.org
• Subject: Bug#404235: fixed in trr19 1.0beta5-19
• From: Arnaud Fontaine <arnaud@andesi.org>
• Date: Sat, 03 Feb 2007 12:17:02 +0000
• Message-id: <E1HDJpG-0001La-Os@ries.debian.org>

Source: trr19
Source-Version: 1.0beta5-19

We believe that the bug you reported is fixed in the latest version of
trr19, which is due to be installed in the Debian FTP archive:

trr19_1.0beta5-19.diff.gz
  to pool/main/t/trr19/trr19_1.0beta5-19.diff.gz
trr19_1.0beta5-19.dsc
  to pool/main/t/trr19/trr19_1.0beta5-19.dsc
trr19_1.0beta5-19_i386.deb
  to pool/main/t/trr19/trr19_1.0beta5-19_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 404235@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arnaud Fontaine <arnaud@andesi.org> (supplier of updated trr19 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 22 Dec 2006 02:04:20 +0100
Source: trr19
Binary: trr19
Architecture: source i386
Version: 1.0beta5-19
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Arnaud Fontaine <arnaud@andesi.org>
Description: 
 trr19      - A type training software on GNU Emacs
Closes: 403159 404229 404235
Changes: 
 trr19 (1.0beta5-19) unstable; urgency=low
 .
   * QA upload.
   * Remove unecessary debian/conffiles.
   * New patch which fixes trr_update and trr_format segfaults.
     Closes: #404235.
   * debian/control:
     + Add emacs-snapshot to Depends. Closes: #403159.
     + Bump policy version to 3.7.2. No changes needed.
     + Add a versioned Build-Depends for debhelper.
   * debian/emacsen-install:
     + Don't byte-compiled for xemacs21-*. Closes: #404229.
Files: 
 8807efafe36cd99ed997bf06ec01ce1f 582 games optional trr19_1.0beta5-19.dsc
 44124739ce2a92bc2d52acac123f690d 9367 games optional trr19_1.0beta5-19.diff.gz
 dde905098bbd693078d531dd2db07b3f 76678 games optional trr19_1.0beta5-19_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFxHl/sczZcpAmcIYRAsrBAJ4/OcosogcavfTjR6t/1g58lCcJQACgpRea
W/6t3ckoBbQtRk4yaiqsu7A=
=yiqS
-----END PGP SIGNATURE-----

--- End Message ---