I've prepared a patch/NMU using the patch I uploaded to fix this in Ubuntu. -- William Grant
diff -u htdig-3.2.0b6/htsearch/Display.cc htdig-3.2.0b6/htsearch/Display.cc --- htdig-3.2.0b6/htsearch/Display.cc +++ htdig-3.2.0b6/htsearch/Display.cc @@ -138,7 +138,7 @@ // Must temporarily stash the message in a String, since // displaySyntaxError will overwrite the static temp used in form. - String s(form("No such sort method: `%s'", (const char*)config->Find("sort"))); + String s("Invalid sort method."); displaySyntaxError(s); return; diff -u htdig-3.2.0b6/debian/changelog htdig-3.2.0b6/debian/changelog --- htdig-3.2.0b6/debian/changelog +++ htdig-3.2.0b6/debian/changelog @@ -1,3 +1,11 @@ +htdig (1:3.2.0b6-3.2) unstable; urgency=high + + * Non-maintainer upload. + * htsearch/Display.cc, libhtdig/ResultFetch.cc: Don't display the sort type + if it is unrecognised (CVE-2007-6110). Patch from Ubuntu. (Closes: #453278) + + -- William Grant <william.grant@ubuntu.org.au> Sun, 02 Dec 2007 11:05:35 +1100 + htdig (1:3.2.0b6-3.1) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. only in patch2: unchanged: --- htdig-3.2.0b6.orig/libhtdig/ResultFetch.cc +++ htdig-3.2.0b6/libhtdig/ResultFetch.cc @@ -142,7 +142,7 @@ // Must temporarily stash the message in a String, since // displaySyntaxError will overwrite the static temp used in form. - String s(form("No such sort method: `%s'", (const char *) config->Find("sort"))); + String s("Invalid search method."); displaySyntaxError(s); //return;
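Review bot: in the htsearch/Display.cc hunk, the two comment lines kept above the changed line ("Must temporarily stash the message in a String, since displaySyntaxError will overwrite the static temp used in form.") no longer match the code, because the new `String s("Invalid sort method.");` does not call form() at all. Suggest removing or rewording that comment in the same change so a later reader is not led to reintroduce form() with the request's `sort` value. Replacing the echoed value with a constant string is otherwise the minimal fix for the unrecognised-sort message.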
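Review bot: in the libhtdig/ResultFetch.cc hunk, the replacement message says "Invalid search method." while the Display.cc hunk uses "Invalid sort method." for the same condition, and the removed line was "No such sort method". Suggest `String s("Invalid sort method.");` here as well so both code paths report the same error. The trailing context also shows `//return;` commented out after displaySyntaxError(s), whereas Display.cc returns at that point; it is worth confirming that continuing with an unrecognised sort value is intended in this file. The stale comment about form() applies here too.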