
Bug#482538: marked as done (ytalk: unsafe use of getenv)



Your message dated Sat, 2 May 2015 01:14:41 +0200
with message-id <20150501231441.GA26131@sym.noone.org>
and subject line Re: Bug#482538: ytalk: unsafe use of getenv
has caused the Debian Bug report #482538,
regarding ytalk: unsafe use of getenv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
482538: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482538
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ytalk
Version: 3.3.0-5
Severity: minor

Hello,

Some time ago, I filed a RFE which resulted in the inclusion of
user.dpatch and shell.dpatch. Since then, I learned that the way I used
getenv there is unsafe (there may be another call to getenv or putenv
before the value returned by getenv is used, which can invalidate the
result). Since I did not notice any error in practice, I am rating this
as minor, but I felt that I should warn you. In user.dpatch,
return c;
should probably be replaced by something like:
return strndup(c,12);
(I think 12 is the right number, but I don't know for sure, and the old
strdup may be safe enough to use on the output of getenv anyway)

and something similar should be done for the shell patch.

Sorry about the lousy patches... And please feel free to ignore this bug
if you believe it is not worth fixing.

-- System Information:
Debian Release: lenny/sid
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'testing'), (10, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages ytalk depends on:
ii  libc6                     2.7-10         GNU C Library: Shared libraries
ii  libncurses5               5.6+20080308-1 Shared libraries for terminal hand
ii  talkd                     0.17-13        Remote user communication server

ytalk recommends no packages.

-- debconf-show failed



--- End Message ---
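The hazard the report describes, shown as an added example that is not part of the bug report or of ytalk's user.dpatch/shell.dpatch: the pointer getenv() returns points into the process environment, so it must be copied before any further getenv()/putenv()/setenv() call can disturb it. The bounded copy below is the strndup() the report suggests, written out by hand so the length handling is visible; the variable names YTALK_EXAMPLE_* are constructed for the demonstration, and the 12-byte limit is taken from the report's guess, not from ytalk's sources.

```c
/* Added example: copy a getenv() result before anything else touches the
 * environment. Not code from ytalk or from the Debian patches. */
#define _POSIX_C_SOURCE 200809L   /* for setenv()/unsetenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The pattern the report calls unsafe: the returned pointer aliases the
 * process environment and may be invalidated by a later getenv()/putenv()/
 * setenv()/unsetenv() before the caller gets round to using it. */
const char *env_ref_unsafe(const char *name)
{
    return getenv(name);
}

/* Hardened form: take a private, NUL-terminated copy at once, bounded to
 * `maxlen` bytes (equivalent to strndup(c, maxlen)). Returns NULL when the
 * variable is unset or on allocation failure; the caller owns the result
 * and must free() it. */
char *env_copy(const char *name, size_t maxlen)
{
    const char *c = getenv(name);
    if (c == NULL)
        return NULL;
    size_t n = 0;
    while (n < maxlen && c[n] != '\0')   /* bounded length scan */
        n++;
    char *copy = malloc(n + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, c, n);
    copy[n] = '\0';
    return copy;
}

/* Scenario from the report: read a value, the environment changes before
 * the value is used, then use it. Returns 1 if the private copy survived
 * unchanged, 0 otherwise. The variable name is constructed, not ytalk's. */
int copy_survives_env_change(void)
{
    const char *var = "YTALK_EXAMPLE_USER";
    setenv(var, "alice", 1);
    char *copy = env_copy(var, 12);
    if (copy == NULL)
        return 0;
    /* Something else touches the environment before the value is used. */
    setenv(var, "a-much-longer-replacement-value", 1);
    unsetenv(var);
    int ok = (strcmp(copy, "alice") == 0);
    free(copy);
    return ok;
}

/* Truncation check: a value longer than maxlen is cut to maxlen bytes and
 * stays NUL-terminated. Returns the copied length, or -1 if unset. */
long copied_length(const char *value, size_t maxlen)
{
    const char *var = "YTALK_EXAMPLE_LEN";   /* constructed variable name */
    setenv(var, value, 1);
    char *copy = env_copy(var, maxlen);
    unsetenv(var);
    if (copy == NULL)
        return -1;
    long n = (long)strlen(copy);
    free(copy);
    return n;
}

int main(void)
{
    printf("copy survives environment change: %s\n",
           copy_survives_env_change() ? "yes" : "no");
    printf("30-byte value copied with maxlen 12 has length %ld\n",
           copied_length("abcdefghijklmnopqrstuvwxyz0123", 12));
    printf("unset variable yields %s\n",
           env_copy("YTALK_EXAMPLE_UNSET", 12) == NULL ? "NULL" : "a value");
    return 0;
}
```

Copying closes the window the report describes within a single thread; it does not make getenv() safe against a concurrent setenv() in another thread, which POSIX does not guarantee either way, so environment reads in threaded code still belong early in start-up, before any threads exist.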
--- Begin Message ---
Version: 3.3.0-7

Hi,

Matthew Johnson wrote:
> On Fri May 23 15:01, Marc Glisse wrote:
> > Some time ago, I filed a RFE which resulted in the inclusion of
> > user.dpatch and shell.dpatch. Since then, I learned that the way I used
> > getenv there is unsafe (there may be another call to getenv or putenv
> > before the value returned by getenv is used, which can invalidate the
> > result). Since I did not notice any error in practice, I am rating this
> > as minor, but I felt that I should warn you.
> 
> I have updated this in the repository and will make a normal upload to
> fix it at some point.

This never happened, and it has now been included in the 3.3.0-8
upload. See below for the full changelog since the previous upload to
Debian.

ytalk (3.3.0-8) unstable; urgency=medium

  * QA Upload

  [ Axel Beckert ]
  * Set Maintainer to Debian QA Group. (See #762556)
  * Merge in unreleased packaging by Matthew found in ytalk's collab-maint
    git repo and set the according changelog entries to UNRELEASED
  * Add Vcs-* headers
  * Update the package to point to the new upstream homepage at
    http://ytalk.ourproject.org/:
    + Add according Homepage header
    + Update watch file accordingly. (Closes: #550768)
    + Update URL in debian/copyright accordingly.
  * Take selected hunks from Jari's overzealous #669700 patch (see below).
    (Closes: #669700)
  * Apply wrap-and-sort.
  * Revamp debian/rules
    + Use dh_auto_{configure,build,install,clean}
    + Use dh_autotools-dev_{update,restore}config; + b-d on autotools-dev
    + Whitespace cleanup
    + Drop with compat level 9 unnecessary manual stamp file removal
    + Drop now unnecessary dh_install{dirs,changelogs} parameter
    + Finally switch to a minimal dh v7 style debian/rules file
  * Declare compliance with Debian Policy 3.9.6 (no other changes needed)
  * Add patch by Daniele Di Domizio to support long user names
    (Closes: #732630)
  * Add patch to fix spelling error found by lintian.
  * Add patch to fix man-page error found by lintian.

  [ Jari Aalto ]
  * Switch from dpatch to source format "3.0 (quilt)".
  * Add build-arch and build-indep targets. Fixes lintian warning
    debian-rules-missing-recommended-target.
  * Update debhelper compatibility to 9.
  * Add dependency on ${misc:Depends}. Fixes lintian warning
    debhelper-but-no-misc-depends.
  * Replace "dh_clean -k" by "dh_prep".

 -- Axel Beckert <abe@debian.org>  Fri, 01 May 2015 04:00:45 +0200

ytalk (3.3.0-7) UNRELEASED; urgency=low

  * Update user.dpatch and shell.dpatch to use getenv more safely.
    Suggested by Marc Glisse. (Closes: #482538)

 -- Matthew Johnson <mjj29@debian.org>  Fri, 30 May 2008 21:02:08 +0100

ytalk (3.3.0-6) UNRELEASED; urgency=low

  * Bump Standards-Version

 -- Matthew Johnson <mjj29@debian.org>  Tue, 05 Feb 2008 09:28:05 +0000

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

--- End Message ---