Package: fcitx
Version: 1:3.4.3-1
Severity: normal
Usertags: sourcescan

*** Please type your report below this line ***

  fcitx makes unsafe use of several environmental variables, allowing
 the program to crash.

  If the program were setuid, or setgid, these would be security issues
 as arbitrary code execution is possible.

  As a brief demo:

  [EMAIL PROTECTED]:~$ HOME=`perl -e 'print "X"x33333'` fcitx 
  Segmentation fault

  The code should be changed from using this, (for example from py.c):

      //????????????????????????????????????
      strcpy (strPath, (char *) getenv ("HOME"));
      strcat (strPath, "/.fcitx/");


  To this safer alternative:

    memset( strPath, '\0', sizeof(strPath));
    snprintf( strPath, sizeof(strPath)-1, "%s/.fcitx/", getenv("HOME" ));


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-xen (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fcitx depends on:
ii  libc6                         2.5-11     GNU C Library: Shared libraries
ii  libfontconfig1                2.4.2-1.2  generic font configuration library
ii  libx11-6                      2:1.0.3-7  X11 client-side library
ii  libxft2                       2.1.12-2   FreeType-based font drawing librar
ii  libxpm4                       1:3.5.6-3  X11 pixmap library

Versions of packages fcitx recommends:
pn  im-switch                     <none>     (no description available)
pn  ttf-arphic-gbsn00lp | ttf-arp <none>     (no description available)

-- no debconf information

Steve
-- 
# Commercial Debian GNU/Linux Support
http://www.linux-administration.org/
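
Added example, not part of the original report and not fcitx code: a bounded version of the path construction that also rejects an unset HOME and detects truncation through snprintf's return value instead of silently using a shortened path. The helper name build_fcitx_dir and the 256-byte buffer are assumptions; the report does not show how strPath is declared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: write "<home>/.fcitx/" into out.
 * Returns 0 on success, -1 if home is NULL or empty or the result does not
 * fit. On failure out is left as an empty string, never a truncated path. */
int build_fcitx_dir(const char *home, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';

    /* getenv() returns NULL when the variable is unset; passing NULL to
     * "%s" is undefined behaviour, so reject it before formatting. */
    if (home == NULL || home[0] == '\0')
        return -1;

    /* snprintf writes at most outlen bytes including the terminating NUL
     * and returns the length the full string would have had. */
    n = snprintf(out, outlen, "%s/.fcitx/", home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[256];              /* assumed size, not taken from py.c */
    char *big = malloc(33334);   /* constructed: same length as the demo above */

    if (big == NULL)
        return 1;
    memset(big, 'X', 33333);
    big[33333] = '\0';

    printf("HOME from environment: %d\n",
           build_fcitx_dir(getenv("HOME"), path, sizeof path));
    printf("33333-byte HOME:       %d\n",
           build_fcitx_dir(big, path, sizeof path));
    free(big);
    return 0;
}
```

Callers should treat -1 as "no usable configuration directory" rather than continuing with whatever is in the buffer.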


