Hello,
I intend to NMU this bug as soon as possible. Please find attached the
debdiff for the NMU.
Regards,
Vincent
--
Vincent Fourmond, Debian Developer
http://vince-debian.blogspot.com/
If you put a large switch in some cave somewhere, with a sign on it
saying "End-of-the-World switch. PLEASE DO NOT TOUCH", the paint
wouldn't even have the time to dry.
-- Terry Pratchett, Thief of Time
Vincent, listening to White Summer (live) (Led Zeppelin)
diff -u xautolock-2.1/debian/changelog xautolock-2.1/debian/changelog
--- xautolock-2.1/debian/changelog
+++ xautolock-2.1/debian/changelog
@@ -1,3 +1,14 @@
+xautolock (1:2.1-7.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * 10-fix-memory-corruption to fix a memory corruption problem leading to
+ a user security problem (closes: 514406). Thanks to
+ Uli <[email protected]> for spotting the problem and providing the fix.
+ * Urgency high since it is a user security hole that really should make
+ it into lenny.
+
+ -- Vincent Fourmond <[email protected]> Tue, 10 Feb 2009 21:49:25 +0100
+
xautolock (1:2.1-7) unstable; urgency=high
* High-urgency upload for RC bugfix by Steve Langasek
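Review bot: the new 1:2.1-7.1 entry says only "a memory corruption problem leading to a user security problem", which is too vague for an urgency=high upload aimed at lenny. The patch header and code comment are more precise (a command string freed by XrmDestroyDatabase and later handed to exec), so the changelog could say that in one line. It should also record that the patch turns off the "exec" prefixing of the command, since that is a behaviour change beyond the memory fix.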
diff -u xautolock-2.1/debian/patches/00list xautolock-2.1/debian/patches/00list
--- xautolock-2.1/debian/patches/00list
+++ xautolock-2.1/debian/patches/00list
@@ -1,0 +2 @@
+10-fix-memory-corruption
only in patch2:
unchanged:
--- xautolock-2.1.orig/debian/patches/10-fix-memory-corruption.dpatch
+++ xautolock-2.1/debian/patches/10-fix-memory-corruption.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10-fix-memory-corruption.dpatch by <[email protected]>
+##
+## DP: Don't send a freed memory location to an exec system call !
+
+...@dpatch@
+diff -urNad xautolock-2.1~/src/options.c xautolock-2.1/src/options.c
+--- xautolock-2.1~/src/options.c 2002-01-15 16:37:33.000000000 +0100
++++ xautolock-2.1/src/options.c 2009-02-10 21:40:02.000000000 +0100
+@@ -250,6 +250,8 @@
+ * actually consists of multiple ones, we need to look for `;'
+ * characters first. We can only err on the safe side here...
+ */
++ /* FIXME: This would also need to handle other stuff like e.g. & */
++#if 0
+ if (!strchr (*command, ';'))
+ {
+ char* tmp;
+@@ -257,6 +259,14 @@
+ "exec %s", *command);
+ *command = tmp;
+ }
++#else
++ /* Create a copy of the string or else XrmDestroyDatabase would free() that
++ * string from underneath us.
++ */
++ char* tmp = newArray (char, strlen (*command) + 1);
++ (void) strcpy (tmp, *command);
++ *command = tmp;
++#endif
+ }
+ #endif /* !VMS */
+
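Review bot: in the options.c change, the `#if 0` disables the `exec %s` prefix for every command, not only for those containing `;` or the `&` case named in the FIXME, and neither the DP: line nor the code comment mentions that. If the intent is only to stop passing a freed string, keeping the `if (!strchr (*command, ';'))` branch and doing the copy in an `else` would fix the dangling pointer with no change for simple commands; if dropping the prefix is intended, delete the dead branch rather than leaving it under `#if 0`, and say so in the DP: description. Separately, `char* tmp = newArray (...)` is now declared directly in the enclosing block, where the disabled code declared `tmp` inside its own braces; wrapping the `#else` body in braces keeps it safe for compilers that reject declarations after statements. The `strlen (*command) + 1` allocation followed by `strcpy` is sized correctly.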