Package: libnet-arp-perl
Version: 1.0.3-2
Severity: normal
Tags: patch

Hello,

libnet-arp-perl fails to build in Ubuntu karmic because of a buffer overflow in get_mac_linux():

t/get_mac........*** buffer overflow detected ***: /usr/bin/perl terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4b)[0x4014c97b]
/lib/libc.so.6[0x4014a9c0]
/lib/libc.so.6(__strcpy_chk+0x44)[0x40149cf4]
/build/buildd/libnet-arp-perl-1.0.3/blib/arch/auto/Net/ARP/ARP.so(get_mac_linux+0x7c)[0x401e2afc]
/build/buildd/libnet-arp-perl-1.0.3/blib/arch/auto/Net/ARP/ARP.so(XS_Net__ARP_get_mac+0x1d5)[0x401e1d15]
/usr/bin/perl(Perl_pp_entersub+0x552)[0x80b3c92]
/usr/bin/perl(Perl_runops_standard+0x19)[0x80b2069]
/usr/bin/perl(perl_run+0x2e0)[0x80b04d0]
/usr/bin/perl(main+0xed)[0x8063ebd]
/lib/libc.so.6(__libc_start_main+0xe5)[0x4007c775]
/usr/bin/perl[0x8063d31]

The upstream "Changes" file talks about a fix for a buffer overflow in get_mac_linux(), but when I compared versions 1.0.2 and 1.0.3 (or even 1.0.4) I couldn't find any changes for this.

Attached is a small patch which fixes this by ensuring that no more data is copied into the interface name buffer than fits.

Regards,
Michael

diff -u libnet-arp-perl-1.0.3/debian/patches/series libnet-arp-perl-1.0.3/debian/patches/series --- libnet-arp-perl-1.0.3/debian/patches/series +++ libnet-arp-perl-1.0.3/debian/patches/series @@ -6,0 +7 @@ +get_mac_linux_bufferoverflow.patch only in patch2: unchanged: --- libnet-arp-perl-1.0.3.orig/debian/patches/get_mac_linux_bufferoverflow.patch +++ libnet-arp-perl-1.0.3/debian/patches/get_mac_linux_bufferoverflow.patch @@ -0,0 +1,14 @@ +Index: libnet-arp-perl-1.0.3/get_mac_linux.c +=================================================================== +--- libnet-arp-perl-1.0.3.orig/get_mac_linux.c 2009-05-14 17:52:35.000000000 +0200 ++++ libnet-arp-perl-1.0.3/get_mac_linux.c 2009-05-14 17:55:59.000000000 +0200 +@@ -43,7 +43,8 @@ + if(strlen(dev) == 0) + return -1; + +- strcpy(iface.ifr_name,dev); ++ strncpy(iface.ifr_name, dev, IFNAMSIZ); ++ iface.ifr_name[IFNAMSIZ] = '\0'; + + // Open a socket + if((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
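
Review bot: in the get_mac_linux.c hunk the terminator is written one byte past the end of the buffer. ifr_name in struct ifreq is an array of IFNAMSIZ bytes, so its last valid index is IFNAMSIZ - 1, and `iface.ifr_name[IFNAMSIZ] = '\0';` stores into the first byte of the member that follows it. The strncpy bound should be IFNAMSIZ - 1 and the terminator should go at iface.ifr_name[IFNAMSIZ - 1]. A second point on the same lines: a dev string of IFNAMSIZ characters or more is silently truncated, so the later lookup can act on a different interface name than the caller passed. The function already returns -1 for an empty name just above, so rejecting strlen(dev) >= IFNAMSIZ with the same return value would be more predictable than truncating.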

