Hi, I intent to NMU this bug with the permission of Miriam because her hardware is currently broken.
debdiff attached and archived on: http://people.debian.org/~nion/nmu-diff/tmsnc-0.3.2-1_0.3.2-1.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u tmsnc-0.3.2/debian/changelog tmsnc-0.3.2/debian/changelog
--- tmsnc-0.3.2/debian/changelog
+++ tmsnc-0.3.2/debian/changelog
@@ -1,3 +1,11 @@
+tmsnc (0.3.2-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix stack-based buffer overflow in UBX handling
+ (No CVE id yet; Closes: #487222, #487046).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 23 Jun 2008 19:24:31 +0200
+
tmsnc (0.3.2-1) unstable; urgency=low
* New Upstream Release. Closes: #401935
only in patch2:
unchanged:
--- tmsnc-0.3.2.orig/src/core_net.c
+++ tmsnc-0.3.2/src/core_net.c
@@ -845,11 +845,14 @@
i = atoi(ptr[0]);
free(ptr[0]);
+ if(i < 0 || i > sizeof(buf) - 1)
+ i = sizeof(buf) - 1;
if (read(session->sd, buf, i) != i) {
strncpy(message, "Couldn't read UBX payload",
message_len - 1);
return -1;
}
+ buf[sizeof(buf) - 1] = 0;
// parsing PSM, by gfhuang
if(0 == i) buf[0] = 0; //important, by gfhuang, when i=0, buf is untouched!
pgp92rOVLJwmL.pgp
Description: PGP signature
