On Wed, Apr 4, 2007 at 17:11:44 +0200, Arnaud Giersch wrote: > Package: elinks > Version: 0.11.1-1.2 > Severity: grave > Tags: security, patch > > Hi, > > Elinks loads untrusted gettext catalog from the relative directory > "../po/", and crashes (SIGSEGV) if the loaded file is corrupted.
Hi,
I prepared a NMU for this bug, patch attached. The patch simply
disables the "feature" which lead to the opening of untrusted files.
Security team, I'll prepare packages for sarge and etch, let me know if
I can upload to {,old}stable-security.
Cheers,
Julien
diff -u elinks-0.11.1/debian/changelog elinks-0.11.1/debian/changelog
--- elinks-0.11.1/debian/changelog
+++ elinks-0.11.1/debian/changelog
@@ -1,3 +1,11 @@
+elinks (0.11.1-1.4) unstable; urgency=high
+
+ * Non-maintainer security upload.
+ * Don't look for gettext message catalogs in ../po/ (closes: #417789).
+ Thanks, Arnaud Giersch! Reference: CVE-2007-2027.
+
+ -- Julien Cristau <[EMAIL PROTECTED]> Sun, 29 Apr 2007 00:18:54 +0200
+
elinks (0.11.1-1.3) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- elinks-0.11.1.orig/src/intl/gettext/loadmsgcat.c
+++ elinks-0.11.1/src/intl/gettext/loadmsgcat.c
@@ -247,7 +247,7 @@
{
struct string filename;
- if (init_string(&filename)
+ if (init_string(&filename) && 0
&& add_filename_to_string(&filename, domain_file)) {
fd = open(filename.source, O_RDONLY | O_BINARY);
}
signature.asc
Description: Digital signature
