retitle 497835 gmanedit: CVE-2008-3971 buffer overflow when converting manpage to utf8 thanks
Hi, the utf8 conversion issue got CVE-2008-3971 as an identifier, the COMMANDS issue is treated as a security issue as there is no need to overflow a buffer since the COMMANDS configuration variable can contain malicious commands anyway. Attached is a debdiff to fix most of the minor (not security relevant) buffer overflows and the utf8 conversion thing. It will be also archived on: http://people.debian.org/~nion/nmu-diff/gmanedit-0.4.1-1_0.4.1-1.1.patch Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gmanedit-0.4.1/debian/changelog gmanedit-0.4.1/debian/changelog
--- gmanedit-0.4.1/debian/changelog
+++ gmanedit-0.4.1/debian/changelog
@@ -1,3 +1,13 @@
+gmanedit (0.4.1-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix heap-based buffer overflow on converting a manpage
+ from the currently used locale to utf8 and various other
+ not security relevant buffer overflows
+ (CVE-2008-3971; Closes: #497835).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Thu, 11 Sep 2008 13:05:52 +0200
+
gmanedit (0.4.1-1) unstable; urgency=low
[ Anibal Avelar ]
only in patch2:
unchanged:
--- gmanedit-0.4.1.orig/src/callbacks.c
+++ gmanedit-0.4.1/src/callbacks.c
@@ -646,14 +646,11 @@
if (datos==NULL)
{
- strcpy(command,"xterm -e man -l ");
- strcat(command,temp);
+ snprintf(command, sizeof command, "xterm -e man -l %s", temp);
}
else
{
- strcpy(command,datos);
- strcat(command," -l ");
- strcat(command,temp);
+ snprintf(command, sizeof command, "%s -l %s", datos, temp);
}
text=lookup_widget(wprincipal,"text");
@@ -707,7 +704,8 @@
aux=ReadConfFromFile("COMMAND");
if (aux != NULL)
{
- strcpy(datos,aux);
+ strncpy(datos,aux, sizeof datos - 1);
+ datos[sizeof(datos) - 1] = 0;
obj=lookup_widget(GTK_WIDGET(prefs),"entry_command");
gtk_entry_set_text(GTK_ENTRY(obj),datos);
}
@@ -715,7 +713,8 @@
aux=ReadConfFromFile("INTERNET_BROWSER");
if (aux != NULL)
{
- strcpy(datos,aux);
+ strncpy(datos,aux, sizeof(datos) - 1);
+ datos[sizeof(datos) - 1] = 0;
obj=lookup_widget(GTK_WIDGET(prefs),"combo2");
gtk_entry_set_text (GTK_ENTRY (GTK_BIN(obj)->child),datos);
}
@@ -825,20 +824,16 @@
/* I get home directory */
home=(gchar *)getenv("HOME");
- strcpy(cad2,home);
- strcat(cad2,"/.gmaneditrc");
+ if(!home) return;
+ snprintf(cad2, sizeof cad2, "%s/.gmaneditrc", home);
entry=lookup_widget(prefs,"entry_command");
entry_text=gtk_entry_get_text(GTK_ENTRY(entry));
- strcpy(cad,"# File created by gmanedit preferences option\n\nCOMMAND=");
- strcat(cad,entry_text);
- strcat(cad,"\n");
ch = lookup_widget(prefs, "combo2");
browser = gtk_editable_get_chars
(GTK_EDITABLE (GTK_BIN(ch)->child), 0, -1);
- strcat(cad,"INTERNET_BROWSER=");
- strcat(cad,browser);
+ snprintf(cad, "# File created by gmanedit preferences option\n\nCOMMAND=%s\nINTERNET_BROWSER=%s", entry_text, browser);
g_free(browser);
if ((p=fopen(cad2,"w"))!=NULL)
@@ -868,8 +863,8 @@
// Intento de abrir el fichero con la configuraciĆ³n personalizada
home = getenv("HOME");
- strcpy(readed,home);
- strcat(readed,"/.gmaneditrc");
+ if(!home) return NULL;
+ snprintf(readed, sizeof readed, "%s/.gmaneditrc", home);
f = fopen(readed,"r");
if (f == NULL)
@@ -1109,8 +1104,7 @@
browser=ReadConfFromFile("INTERNET_BROWSER");
if (browser==NULL)
browser="mozilla";
- strcpy(cad, browser);
- strcat(cad, " http://sourceforge.net/projects/gmanedit2";);
+ snprintf(cad, sizeof cad, "%s http://sourceforge.net/projects/gmanedit2";, browser);
g_spawn_command_line_sync(cad, NULL, NULL, &exitstatus, NULL);
}
@@ -1128,13 +1122,11 @@
if (datos==NULL)
{
- strcpy(command,"xterm -e man");
- strcat(command,temp);
+ snprintf(command, sizeof command, "xterm -e man %s", temp);
}
else
{
- strcpy(command,datos);
- strcat(command,temp);
+ snprintf(command, sizeof command, "%s%s", datos, temp);
}
g_spawn_command_line_sync(command, NULL, NULL, &exitstatus, NULL);
@@ -1188,8 +1180,10 @@
{
utf8 = g_locale_to_utf8(buffer, -1, NULL, NULL, NULL);
}
- if (utf8 != NULL)
- strncpy(buffer,utf8,strlen(utf8));
+ if (utf8 != NULL){
+ strncpy(buffer,utf8, BUFFER_SIZE - 1);
+ buffer[BUFFER_SIZE - 1] = 0;
+ }
gtk_text_buffer_insert_at_cursor(tb, buffer ,bytes_read);
}
}
pgpmkK3JvSoWw.pgp
Description: PGP signature
