Hello, I intend to NMU this bug as soon as possible. Please find attached the debdiff for the NMU.
Regards,

Vincent

--
Vincent Fourmond, Debian Developer
http://vince-debian.blogspot.com/

If you put a large switch in some cave somewhere, with a sign on it saying "End-of-the-World switch. PLEASE DO NOT TOUCH", the paint wouldn't even have the time to dry.
-- Terry Pratchet, Thief of Time

Vincent, listening to White Summer (live) (Led Zeppelin)

diff -u xautolock-2.1/debian/changelog xautolock-2.1/debian/changelog --- xautolock-2.1/debian/changelog +++ xautolock-2.1/debian/changelog @@ -1,3 +1,14 @@ +xautolock (1:2.1-7.1) unstable; urgency=high + + * Non-maintainer upload. + * 10-fix-memory-corruption to fix a memory corruption problem leading to + a user security problem (closes: 514406). Thanks to + Uli <tobespam...@web.de> for spotting the problem and providing the fix. + * Urgency high since it is a user security hole that really should make + it into lenny. + + -- Vincent Fourmond <fourm...@debian.org> Tue, 10 Feb 2009 21:49:25 +0100 + xautolock (1:2.1-7) unstable; urgency=high * High-urgency upload for RC bugfix by Steve Langasek diff -u xautolock-2.1/debian/patches/00list xautolock-2.1/debian/patches/00list --- xautolock-2.1/debian/patches/00list +++ xautolock-2.1/debian/patches/00list @@ -1,0 +2 @@ +10-fix-memory-corruption only in patch2: unchanged: --- xautolock-2.1.orig/debian/patches/10-fix-memory-corruption.dpatch +++ xautolock-2.1/debian/patches/10-fix-memory-corruption.dpatch 
@@ -0,0 +1,33 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 10-fix-memory-corruption.dpatch by <fourm...@debian.org> +## +## DP: Don't send a freed memory location to an exec system call ! + +...@dpatch@ +diff -urNad xautolock-2.1~/src/options.c xautolock-2.1/src/options.c +--- xautolock-2.1~/src/options.c 2002-01-15 16:37:33.000000000 +0100 ++++ xautolock-2.1/src/options.c 2009-02-10 21:40:02.000000000 +0100 +@@ -250,6 +250,8 @@ + * actually consists of multiple ones, we need to look for `;' + * characters first. We can only err on the safe side here... + */ ++ /* FIXME: This would also need to handle other stuff like e.g. & */ ++#if 0 + if (!strchr (*command, ';')) + { + char* tmp; +@@ -257,6 +259,14 @@ + "exec %s", *command); + *command = tmp; + } ++#else ++ /* Create a copy of the string or else XrmDestroyDatabase would free() that ++ * string from underneath us. ++ */ ++ char* tmp = newArray (char, strlen (*command) + 1); ++ (void) strcpy (tmp, *command); ++ *command = tmp; ++#endif + } + #endif /* !VMS */ +
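
Review bot: In the options.c hunks of the dpatch, wrapping the old branch in `#if 0` drops the `exec %s` prefix for every command, not only for commands containing `;`, which is a behaviour change beyond what the `## DP:` line describes. From the visible lines, the old branch already replaced `*command` with a freshly allocated `tmp`, so the pointer into the resource database was only left in place when `if (!strchr (*command, ';'))` was false; a narrower fix would keep that branch and add an `else` that makes the copy now placed under `#else`. If `newArray` can return NULL, check `tmp` before the `strcpy`. If the prefix is dropped on purpose because of the FIXME about `&`, say so in the patch description.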
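
Review bot: The debian/changelog entry for 1:2.1-7.1 describes only a memory corruption fix and does not mention that the patch also disables the `exec` prefixing of the locker command (the `#if 0` in options.c), so the behaviour change is invisible to anyone reading the changelog. The first bullet is also missing a verb ("Add 10-fix-memory-corruption to fix ..."). The dpatch header line names only the uploader while the changelog credits Uli for the fix; recording the origin and the bug number (514406) in the `## DP:` lines would keep the patch self-describing.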