
Re: Bug#609096: Buffer overflow in xdigger with long argv[0]



On Sun, 2011-01-16 at 20:38 +0200, Peter Pentchev wrote:
> Here's the new debdiff; thanks for your time!

Thanks for that.

Two small things:

+-  strcat(strcpy(croom, " ROOM:  "), slevel_number);
[...]
++  snprintf(croom, sizeof(croom), " ROOM: %s", slevel_number);
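
Review bot: sizeof(croom) in the added snprintf call is the right bound only if croom is declared as an array in this scope. If it is a pointer or a function parameter, sizeof yields the pointer size and the string is silently cut to a few bytes. The declaration is outside the lines shown, so it is worth confirming before upload.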

The new version has one fewer space than the original; I guessed that
the double space might be so that the string aligns with " LIVES: ".

+-  strcpy(localhost, gethostbyname(localhost)->h_name);
+-  strcpy(xhost, gethostbyname(xhost)->h_name);
++  snprintf(localhost, sizeof(localhost), gethostbyname(localhost)->h_name);
++  snprintf(xhost, sizeof(xhost), gethostbyname(xhost)->h_name);
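
Review bot: both added snprintf calls pass gethostbyname(...)->h_name as the format argument, so a resolved name containing % conversion specifiers would be interpreted by snprintf rather than copied. Use a literal format, as in snprintf(localhost, sizeof(localhost), "%s", ...). Separately, gethostbyname() returns NULL on lookup failure and both the removed and the added lines dereference the result unchecked. Store the pointer, test it for NULL, and only then copy h_name. If strncpy is chosen instead, it needs an explicit terminating NUL at sizeof(buf) - 1, since strncpy does not add one on truncation.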

Those should probably be strncpys, or have an explicit "%s" format string.

+xdigger (1.0.10-13+lenny1) unstable; urgency=low

s/unstable/stable/

Okay, I lied; it was three things. :)

With the above changes, please feel free to upload (bearing in mind that
the deadline for inclusion in the next point release is tomorrow).

Regards,

Adam

