Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Hi Release Team! cfingerd in unstable addresses CVE-2013-1049 to fix a buffer overflow in rfc1413 (ident) client. See #700098. Would it be possible to have cfingerd unblocked for wheezy? Debdiff against the version in Wheezy ist attached. unblock cfingerd/1.4.3-3.1 Thank you for your work, and regards, Salvatore
Base version: cfingerd_1.4.3-3 from testing Target version: cfingerd_1.4.3-3.1 from unstable No hints in place. Excuses: debian/changelog | 9 +++++++++ src/rfc1413.c | 6 ++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff -u cfingerd-1.4.3/debian/changelog cfingerd-1.4.3/debian/changelog --- cfingerd-1.4.3/debian/changelog +++ cfingerd-1.4.3/debian/changelog @@ -1,3 +1,12 @@ +cfingerd (1.4.3-3.1) unstable; urgency=high + + * Non-maintainer upload. + * [SECURITY] CVE-2013-1049: fix buffer overflow in rfc1413 (ident) client. + Thanks to Malcolm Scott <[email protected]> and Marc Deslauriers + <[email protected]> (Closes: #700098) (LP: #1104425) + + -- Salvatore Bonaccorso <[email protected]> Sat, 09 Feb 2013 18:38:28 +0100 + cfingerd (1.4.3-3) unstable; urgency=low * Approve NMU diff -u cfingerd-1.4.3/src/rfc1413.c cfingerd-1.4.3/src/rfc1413.c --- cfingerd-1.4.3/src/rfc1413.c +++ cfingerd-1.4.3/src/rfc1413.c @@ -25,7 +25,9 @@ * the implementation. Completely rewritten by yours truly to be self- * contained in a single program. Simple, easy to use. */ -#define BUFLEN (2 * INET6_ADDRSTRLEN) +#define UNAMELEN 64 +#define BUFLEN UNAMELEN + INET6_ADDRSTRLEN + 2 +#define INPUTLEN 256 char *get_rfc1413_data(struct sockaddr_storage * local_addr, struct sockaddr_storage * peer_addr ) { @@ -34,7 +36,7 @@ struct sockaddr_storage sin; struct sockaddr_in *sa4 = (struct sockaddr_in *) &sin; struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *) &sin; - char buffer[1024], buf[BUFLEN], uname[64], *bleah; + char buffer[1024], buf[INPUTLEN], uname[UNAMELEN], *bleah; char *cp, *xp; struct servent *serv;
