tags 606257 + patch
thanks

Dear maintainer,

I've prepared an NMU for xfig (versioned as 1:3.2.5.b-1.1). The diff is attached to this message.

Regards.
Giuseppe
diff -u xfig-3.2.5.b/debian/changelog xfig-3.2.5.b/debian/changelog --- xfig-3.2.5.b/debian/changelog +++ xfig-3.2.5.b/debian/changelog @@ -1,3 +1,11 @@ +xfig (1:3.2.5.b-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fixed CVE-2010-4262: Stack-based buffer overflow by processing certain FIG + images (Closes: #606257) + + -- Giuseppe Iuculano <[email protected]> Wed, 29 Dec 2010 16:50:04 +0100 + xfig (1:3.2.5.b-1) unstable; urgency=low * New upstream version 3.2.5b. diff -u xfig-3.2.5.b/debian/patches/00list xfig-3.2.5.b/debian/patches/00list --- xfig-3.2.5.b/debian/patches/00list +++ xfig-3.2.5.b/debian/patches/00list @@ -11,0 +12 @@ +35_CVE-2010-4262 only in patch2: unchanged: --- xfig-3.2.5.b.orig/debian/patches/35_CVE-2010-4262.dpatch +++ xfig-3.2.5.b/debian/patches/35_CVE-2010-4262.dpatch @@ -0,0 +1,30 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 35_CVE-2010-4262.dpatch by Giuseppe Iuculano <[email protected]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: CVE-2010-4262 + +...@dpatch@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' xfig~/w_msgpanel.c xfig/w_msgpanel.c +--- xfig~/w_msgpanel.c 2010-12-29 16:34:02.000000000 +0100 ++++ xfig/w_msgpanel.c 2010-12-29 16:48:34.000000000 +0100 +@@ -60,7 +60,7 @@ + /* for the popup message (file_msg) window */ + + static int file_msg_length=0; +-static char tmpstr[300]; ++static char tmpstr[512]; + static Widget file_msg_panel, + file_msg_win, file_msg_dismiss; + +@@ -582,8 +582,8 @@ + } + + va_start(ap, format); +- /* format the string */ +- vsprintf(tmpstr, format, ap); ++ /* format the string (but leave room for \n and \0) */ ++ vsnprintf(tmpstr, sizeof(tmpstr)-2, format, ap); + va_end(ap); + + strcat(tmpstr,"\n");
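Review bot: In the w_msgpanel.c hunk at line 60, the new size of tmpstr is a bare literal (512), and the enlargement is not what closes the overflow; the bound passed to vsnprintf in the later hunk is. A named constant for the buffer size would make the relationship explicit. tmpstr is a file-scope static and this diff converts only one vsprintf call, so any other writers to tmpstr in w_msgpanel.c, which are not visible here, should be checked for the same unbounded pattern before the CVE is considered closed.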
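Review bot: In the w_msgpanel.c hunk at line 582, the return value of vsnprintf is discarded, so a message longer than the bound is truncated silently. Consider comparing the result against the size argument and marking the truncation in the displayed text. The bound itself is safe but one byte tighter than the comment implies: the size passed to vsnprintf already includes the terminating NUL, so sizeof(tmpstr)-1 would leave exactly enough room for the "\n" appended by the following strcat. Keeping -2 is harmless, but the comment should then say that the extra byte is slack rather than room for the \0.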

