Package: xfstt
Version: 1.7-6
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch
xfstt.cc:ttySyncAll can cause buffer overruns due to misuse of struct TTFNHeader, i.e.

src/xfstt.cc:

    strncpy(info.magic, "TTFNINFO", 8);

but, src/xfstt.h:

    typedef struct {
        char magic[4];   // == TTFN
        char type[4];    // == INFO or NAME
        u16_t version;
        u16_t key;
        u32_t crc;
        //TTFNdata ttfn[];
    } TTFNheader;

so should, src/xfstt.cc:

    - strncpy(info.magic, "TTFNINFO", 8);
    + strncpy(info.magic, "TTFN", 4);
    + strncpy(info.type, "INFO", 4);

*** /tmp/tmpj1S3b4

In Ubuntu, we've applied the attached patch to achieve the following:

  * src/xfstt.cc:
    - don't copy TTFNINFO into TTFNHeader's magic variable, it should be
      broken into TTFN for magic and INFO for type. thanks to PCC (LP:#433146)

We thought you might be interested in doing the same.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid
  APT policy: (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-12-generic (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
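The fix in one self-contained piece, as an added example rather than xfstt's own code: the TTFNheader layout from src/xfstt.h, a writer that fills the two 4-byte tags separately (and zeroes the struct first), and a reader-side check that compares the unterminated tags with memcmp. The value of TTFN_VERSION is an assumption here; the real one lives in xfstt's headers.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint16_t u16_t;
typedef uint32_t u32_t;

/* Same layout as TTFNheader in src/xfstt.h: two 4-byte tags with no NUL. */
typedef struct {
    char magic[4];   /* == TTFN */
    char type[4];    /* == INFO or NAME */
    u16_t version;
    u16_t key;
    u32_t crc;
} TTFNheader;

#define TTFN_VERSION 1   /* assumed placeholder, not xfstt's real value */

/* The original strncpy(info.magic, "TTFNINFO", 8) wrote 8 bytes into the
 * 4-byte magic member: an out-of-bounds write on that member even though
 * the extra bytes happen to land in the adjacent type field.  Here each
 * tag goes into its own field, and the struct is zeroed first so key and
 * any padding never carry stack garbage into the file. */
void ttfn_fill_header(TTFNheader *h, const char type[4])
{
    memset(h, 0, sizeof *h);
    memcpy(h->magic, "TTFN", 4);   /* exactly 4 bytes, no terminator */
    memcpy(h->type, type, 4);
    h->version = TTFN_VERSION;
    h->crc = 0;
}

/* Validate a header read back from a file.  Returns 1 when the buffer
 * holds a complete header whose tags match, 0 otherwise.  memcmp with the
 * field size never reads past the unterminated 4-byte tags. */
int ttfn_header_ok(const void *buf, size_t len, const char type[4])
{
    TTFNheader h;
    if (len < sizeof h)
        return 0;
    memcpy(&h, buf, sizeof h);
    return memcmp(h.magic, "TTFN", 4) == 0 && memcmp(h.type, type, 4) == 0;
}

int main(void)
{
    TTFNheader info;
    ttfn_fill_header(&info, "INFO");
    printf("header valid: %d\n", ttfn_header_ok(&info, sizeof info, "INFO"));
    return 0;
}
```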
diff -u xfstt-1.7/debian/changelog xfstt-1.7/debian/changelog only in patch2: unchanged: --- xfstt-1.7.orig/src/xfstt.cc +++ xfstt-1.7/src/xfstt.cc @@ -313,7 +313,8 @@ } TTFNheader info; - strncpy(info.magic, "TTFNINFO", 8); + strncpy(info.magic, "TTFN", 4); + strncpy(info.type, "INFO", 4); info.version = TTFN_VERSION; info.crc = 0; // XXX fwrite((void *)&info, 1, sizeof(info), infoFile);
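Review bot: within the visible context of this hunk info.key is never assigned, yet fwrite((void *)&info, 1, sizeof(info), infoFile) writes the whole struct, so whatever the stack held in key (and in any padding) ends up in the info file; a memset(&info, 0, sizeof(info)) right after the TTFNheader info declaration would make the written header deterministic. The two replacement calls strncpy(info.magic, "TTFN", 4) and strncpy(info.type, "INFO", 4) are correct for the char[4] fields, but since neither can ever place a terminator, memcpy with a length of 4 states the intent more plainly and avoids the truncation warnings newer compilers can raise for strncpy with a bound equal to the destination size.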