Package: apt
Version: 1.0.9.3
Severity: minor

In methods/ftp.cc on lines 264-271 (per current git repo):

> // Substitute the variables into the command
> char SitePort[20];
> if (ServerName.Port != 0)
>    sprintf(SitePort,"%u",ServerName.Port);
> else
>    strcpy(SitePort,"21");

gives way too much buffer to 'SitePort'. Since 65535 is the highest port number, that's only 5 characters long. Since %u is used, I'm assuming that the 20 is used because of the nature of the max unsigned int.

> $ printf '18446744073709551615' | wc -c
> 20

If anything, SitePort should probably be an int (if possible; I haven't looked at how it is handled by 'SubstVar'). Everywhere else in the methods of apt has been updated to strings and strprintf, so I think this one should too.

Oh, did I mention, it should be char SitePort[21];, since sprintf will add the trailing null-byte? lol

Thanks,

-- 
Joshua Rogers <https://internot.info/>
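The sizing argument in the report (20 characters for the largest 64-bit unsigned value, plus one for the terminating NUL, versus the 5 digits a real port needs) can be checked rather than guessed. The following is an added example written for this page, not code from apt; `format_port` and `max_decimal_digits` are names chosen here. It does the same job as the quoted `sprintf`/`strcpy` pair but with `snprintf`, a caller-supplied buffer size and an explicit truncation check, and it computes how many decimal digits an unsigned type of a given width can produce, so the buffer size is derived instead of hard-coded.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Number of decimal digits (not counting the NUL) needed to print the
 * largest value of an unsigned integer type that is `bytes` wide.
 * Returns 0 for widths wider than unsigned long long on this platform.
 * e.g. 2 -> 5 ("65535"), 4 -> 10, 8 -> 20 on a 64-bit unsigned long long. */
size_t max_decimal_digits(size_t bytes)
{
    size_t ull_bits = sizeof(unsigned long long) * CHAR_BIT;
    if (bytes == 0 || bytes * CHAR_BIT > ull_bits)
        return 0;
    /* All-ones value of the requested width. */
    unsigned long long v = ULLONG_MAX >> (ull_bits - bytes * CHAR_BIT);
    size_t digits = 0;
    do {
        digits++;
        v /= 10;
    } while (v != 0);
    return digits;
}

/* Format `port` into `buf` (default "21" when port is 0, mirroring the
 * quoted FTP code). Unlike sprintf, snprintf never writes past bufsize;
 * the return value tells the caller whether the whole string, including
 * the terminating NUL, actually fit, so a too-small buffer is detected
 * instead of silently producing a truncated port string. */
bool format_port(char *buf, size_t bufsize, unsigned port)
{
    if (buf == NULL || bufsize == 0)
        return false;
    /* A TCP port is a 16-bit value; reject anything larger up front. */
    if (port > 65535u)
        return false;
    int n;
    if (port != 0)
        n = snprintf(buf, bufsize, "%u", port);
    else
        n = snprintf(buf, bufsize, "%s", "21");
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    /* Five digits plus the NUL is all a valid port ever needs. */
    char site_port[6];
    if (format_port(site_port, sizeof site_port, 65535u))
        printf("port string: %s\n", site_port);
    printf("max digits for 2/4/8-byte unsigned: %zu/%zu/%zu\n",
           max_decimal_digits(2), max_decimal_digits(4), max_decimal_digits(8));
    return 0;
}
```

Running it shows why the report's arithmetic comes out the way it does: a 16-bit port needs a 6-byte buffer, a 32-bit `unsigned` needs 11, and only a 64-bit value needs the 21 bytes the reporter arrives at. Whichever width `ServerName.Port` really has, the `snprintf` form bounds the write and reports truncation, which is the property the original `sprintf` lacks.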