Hi, I intend to upload an NMU to fix this problem, attached is a patch which should fix CVE-2007-3231
The patch is also archived on: http://people.debian.org/~nion/nmu-diff/mecab-0.95-1_0.95-1.1.patch Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nurad mecab~/mecab-0.95/debian/changelog mecab/mecab-0.95/debian/changelog
--- mecab~/mecab-0.95/debian/changelog 2007-08-16 02:12:32.000000000 +0200
+++ mecab/mecab-0.95/debian/changelog 2007-08-16 02:11:58.000000000 +0200
@@ -1,3 +1,11 @@
+mecab (0.95-1.1) unstable; urgency=high
+
+ * Non-maintainer upload for testing security team.
+ * Included 040_fix_CVE-2007-3231.patch to fix
+ CVE-2007-3231 (Closes: #429174).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Thu, 16 Aug 2007 02:11:16 +0200
+
mecab (0.95-1) unstable; urgency=low
* New upstream.
diff -Nurad mecab~/mecab-0.95/debian/patches/040_fix_CVE-2007-3231.patch mecab/mecab-0.95/debian/patches/040_fix_CVE-2007-3231.patch
--- mecab~/mecab-0.95/debian/patches/040_fix_CVE-2007-3231.patch 1970-01-01 01:00:00.000000000 +0100
+++ mecab/mecab-0.95/debian/patches/040_fix_CVE-2007-3231.patch 2007-08-16 02:10:15.000000000 +0200
@@ -0,0 +1,15 @@
+diff -Nurad mecab-0.95~/src/tokenizer.cpp mecab-0.95/src/tokenizer.cpp
+--- mecab-0.95~/src/tokenizer.cpp 2007-08-16 02:08:30.000000000 +0200
++++ mecab-0.95/src/tokenizer.cpp 2007-08-16 02:09:23.000000000 +0200
+@@ -235,6 +235,11 @@
+ const char *begin3 = begin2 + mblen;
+ const char *group_begin3 = 0;
+
++ if (begin3 > end) {
++ ADDUNKNWON;
++ return resultNode;
++ }
++
+ if (cinfo.group) {
+ const char *tmp = begin3;
+ CharInfo fail;
pgpZ8Adbyoq0L.pgp
Description: PGP signature
