Package: calcurse
Version: 1.6-1
Severity: normal
Tag: sourcescan
I found a small bug in the handling of TODO entries. Any item
longer than 99 characters will trigger a buffer overflow and segfault.
Demonstration:
# create a directory:
if [ ! -d ~/.calcurse ]; then mkdir ~/.calcurse; fi
# create a long TODO entry:
perl -e 'print "x"x9999' > ~/.calcurse/todo
The program segfaults in io.c:
load_todo(int colr)
{
...
...
char buf[100], e_todo[100];
....
fgets(buf, MAX_LENGTH, data_file);
...
return nb_tod;
}
Notice that there is declared a buffer 100 bytes long, then
we try to read "MAX_LENGTH" bytes into it? One or other
of those must be changed.
Not hugely urgent, and already fixed in upstream CVS. If
#426005 is closed this can be at the same time.
Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages calcurse depends on:
ii libc6 2.5-11 GNU C Library: Shared libraries
ii libncurses5 5.6-3 Shared libraries for terminal hand
calcurse recommends no packages.
-- no debconf information
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
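
The mismatch described in the report, shown with one way to bound the read, as an added example that is neither calcurse's code nor the upstream fix. read_todo_line, load_sample, TODO_BUF_LEN and the TODO_* codes are hypothetical names, and the input is constructed to match the report's demonstration (9999 'x' bytes, here followed by one short entry).

```c
#include <stdio.h>
#include <string.h>

#define TODO_BUF_LEN 100 /* same size as the buf[100] quoted in the report */
enum { TODO_EOF = -1, TODO_OK = 0, TODO_TRUNCATED = 1 }; /* hypothetical names */

/* Read one line, bounded by the buffer's real size. An overlong line is cut to
 * buflen-1 bytes and its tail discarded, so the next call starts a new entry. */
static int read_todo_line(FILE *fp, char *buf, size_t buflen)
{
    int c;
    if (buflen < 2 || fgets(buf, (int)buflen, fp) == NULL)
        return TODO_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {      /* whole line fitted */
        buf[len - 1] = '\0';
        return TODO_OK;
    }
    /* No newline stored: a short final line, or a line that fitted exactly. */
    if (len < buflen - 1 || (c = fgetc(fp)) == EOF || c == '\n')
        return TODO_OK;
    while ((c = fgetc(fp)) != EOF && c != '\n') /* drop the rest of the line */
        ;
    return TODO_TRUNCATED;
}

/* Constructed input: one entry of long_len 'x' bytes, then a short entry.
 * Returns the entries read and counts the cut ones in *truncated. */
static int load_sample(size_t long_len, int *truncated)
{
    char buf[TODO_BUF_LEN];
    int n = 0, rc;
    *truncated = 0;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    for (size_t i = 0; i < long_len; i++)
        fputc('x', fp);
    fputs("\nbuy milk\n", fp);
    rewind(fp);
    for (; (rc = read_todo_line(fp, buf, sizeof buf)) != TODO_EOF; n++)
        *truncated += (rc == TODO_TRUNCATED);
    fclose(fp);
    return n;
}

int main(void)
{
    int cut, n = load_sample(9999, &cut); /* same length as the report's demo */
    printf("%d entries read, %d truncated\n", n, cut);
    return 0;
}
```

Passing sizeof buf from the call site keeps the bound tied to the declaration, so resizing the array cannot silently reintroduce the mismatch.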