Your message dated Tue, 03 May 2011 11:02:50 +0000
with message-id <e1qhdns-0005qk...@franck.debian.org>
and subject line Bug#624775: fixed in lv2core 4.0-6
has caused the Debian Bug report #624775,
regarding lv2core: Buffer overflow in serd-0.1.0.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
624775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624775
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lv2core
Version: 4.0-5
Severity: normal
Tags: patch


This is a bug against the SOURCE package from Debian Sid so my distribution 
is irrelevant.

When building lv2core-4.0-5 from sid, I noticed a warning about snprintf 
being guaranteed to overflow in write_text. The problem seems to be that the 
local variable `escape' is declared as char [10], then used in snprintf as 
if it had 11 characters.

Attached patch trivially fixes that.

-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid-proposed'), (500, 'lucid-backports'), (500, 'lucid')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-11-rt (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- a/serd-0.1.0.c
+++ b/serd-0.1.0.c
@@ -2313,7 +2313,7 @@
 write_text(SerdWriter writer, TextContext ctx,
            const uint8_t* utf8, size_t n_bytes, uint8_t terminator)
 {
-	char escape[10] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+	char escape[15] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
 	for (size_t i = 0; i < n_bytes;) {
 		uint8_t in = utf8[i++];
 		switch (in) {
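
Review bot: the new size on the `char escape[15]` line is a bare constant with no visible tie to the size passed to snprintf later in write_text, which the report says treated the old 10-byte array as if it had 11 characters. Suggest passing sizeof(escape) as the snprintf size argument instead of a literal, and adding a one-line comment stating the longest escape sequence plus its NUL that this buffer must hold, so the declaration and the call cannot drift apart again. The fifteen explicit zeros could also be written as `= { 0 }`, which keeps the initializer correct if the size changes.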

--- End Message ---
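
The size mismatch described in the report above, as an added example that is not part of the original message or of serd's source. The escape format `\U%08X` is an assumption (the snprintf call is not shown in the report), and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed escape form (not taken from the report): "\U" followed by
 * 8 hex digits, i.e. 10 characters plus the terminating NUL = 11 bytes. */
#define ESCAPE_FMT "\\U%08X"

/* Hypothetical helper: bytes a buffer must have for this escape,
 * measured by snprintf itself rather than counted by hand. */
size_t escape_bytes_needed(uint32_t cp)
{
	int n = snprintf(NULL, 0, ESCAPE_FMT, (unsigned)cp);
	return n < 0 ? 0 : (size_t)n + 1; /* +1 for the NUL */
}

/* Hypothetical helper: format into buf using the caller's real capacity.
 * Returns the escape length, or -1 if buf (cap bytes) is too small. */
int format_escape(char* buf, size_t cap, uint32_t cp)
{
	int n = snprintf(buf, cap, ESCAPE_FMT, (unsigned)cp);
	if (n < 0 || (size_t)n >= cap) {
		if (cap > 0) buf[0] = '\0'; /* discard the truncated text */
		return -1;
	}
	return n;
}

/* Try the same code point against a buffer of the given capacity. */
int try_capacity(size_t cap, uint32_t cp)
{
	char buf[16] = { 0 };
	if (cap > sizeof(buf)) cap = sizeof(buf); /* never exceed the array */
	return format_escape(buf, cap, cp);
}

int main(void)
{
	uint32_t cp = 0x1F600; /* constructed sample code point */
	printf("needed: %zu bytes\n", escape_bytes_needed(cp));
	printf("char[10]: %d\n", try_capacity(10, cp)); /* too small */
	printf("char[11]: %d\n", try_capacity(11, cp)); /* fits */
	return 0;
}
```

Passing the array's own size and checking the return value turns the off-by-one into a detectable truncation instead of a write past the end of the buffer.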
--- Begin Message ---
Source: lv2core
Source-Version: 4.0-6

We believe that the bug you reported is fixed in the latest version of
lv2core, which is due to be installed in the Debian FTP archive:

lv2core_4.0-6.debian.tar.gz
  to main/l/lv2core/lv2core_4.0-6.debian.tar.gz
lv2core_4.0-6.dsc
  to main/l/lv2core/lv2core_4.0-6.dsc
lv2core_4.0-6_amd64.deb
  to main/l/lv2core/lv2core_4.0-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 624...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaromír Mikeš <mira.mi...@seznam.cz> (supplier of updated lv2core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 03 May 2011 11:47:20 +0200
Source: lv2core
Binary: lv2core
Architecture: source amd64
Version: 4.0-6
Distribution: unstable
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Jaromír Mikeš <mira.mi...@seznam.cz>
Description: 
 lv2core    - LV2 audio plugin specification
Closes: 624775
Changes: 
 lv2core (4.0-6) unstable; urgency=low
 .
   * Added patch to fix snprintf overflow (Closes: #624775)
     - thanks to Dan Muresan <danmb...@yahoo.ro>
   * Bump Standards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2/3goACgkQRdSMfNz8P9CfCACeOX5/pL7FqyHr47DsL4/yRT8H
F5cAnj4WRyBZs8aS2gMStIiVWvn5J3NB
=L6tO
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers