I've prepared a patch/NMU using the patch I uploaded to fix this in Ubuntu. -- William Grant
diff -u htdig-3.2.0b6/htsearch/Display.cc htdig-3.2.0b6/htsearch/Display.cc
--- htdig-3.2.0b6/htsearch/Display.cc
+++ htdig-3.2.0b6/htsearch/Display.cc
@@ -138,7 +138,7 @@
// Must temporarily stash the message in a String, since
// displaySyntaxError will overwrite the static temp used in form.
- String s(form("No such sort method: `%s'", (const char*)config->Find("sort")));
+ String s("Invalid sort method.");
displaySyntaxError(s);
return;
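Review bot: The two comment lines kept above the changed line in Display.cc are now stale. With the form() call removed there is no static temp for displaySyntaxError to overwrite, so the comment should be updated or dropped along with the reason for the temporary String. Removing the config->Find("sort") value from the message is the simplest safe fix. If users should still see which sort value was rejected, the alternative is to encode the value for the output context before it goes into the message.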
diff -u htdig-3.2.0b6/debian/changelog htdig-3.2.0b6/debian/changelog
--- htdig-3.2.0b6/debian/changelog
+++ htdig-3.2.0b6/debian/changelog
@@ -1,3 +1,11 @@
+htdig (1:3.2.0b6-3.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * htsearch/Display.cc, libhtdig/ResultFetch.cc: Don't display the sort type
+ if it is unrecognised (CVE-2007-6110). Patch from Ubuntu. (Closes: #453278)
+
+ -- William Grant <william.grant@ubuntu.org.au> Sun, 02 Dec 2007 11:05:35 +1100
+
htdig (1:3.2.0b6-3.1) unstable; urgency=low
* Non-maintainer upload to fix pending l10n issues.
only in patch2:
unchanged:
--- htdig-3.2.0b6.orig/libhtdig/ResultFetch.cc
+++ htdig-3.2.0b6/libhtdig/ResultFetch.cc
@@ -142,7 +142,7 @@
// Must temporarily stash the message in a String, since
// displaySyntaxError will overwrite the static temp used in form.
- String s(form("No such sort method: `%s'", (const char *) config->Find("sort")));
+ String s("Invalid search method.");
displaySyntaxError(s);
//return;
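Review bot: The replacement string in ResultFetch.cc reads "Invalid search method.", while the same fix in Display.cc uses "Invalid sort method." and the removed line here was also about the sort method. This looks like a typo and should be "Invalid sort method." so both code paths report the same error. As in Display.cc, the comment about form()'s static temp no longer applies once the form() call is gone.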