Package: cscope Version: 15.5+cvs20050816-1 Followup-For: Bug #340177 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Upstream appears to have stalled on this issue because some cscope targets platforms do not have snprintf(). Debian has snprintf(), so this is not a problem for us. The attached patch CVE-2004-2541.diff converts sprintf() calls to snprintf(). It applies and compiles, and when patched cscope no longer segfaults when examining the attached CVE-2004-2541-test.c. - -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.16-alec-laptop Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages cscope depends on: ii libc6 2.3.6-7 GNU C Library: Shared libraries ii libncurses5 5.5-2 Shared libraries for terminal hand cscope recommends no packages. - -- no debconf information -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEaH+JAud/2YgchcQRAj5fAKCjaA733NRcu8TO5tqNN3AAdYlcIQCcCwDQ fPGtu6bPz2Hu2cuHkNhifw4= =5d2y -----END PGP SIGNATURE-----
--- cscope-15.5+cvs20050816/src/build.c.orig 2006-05-15 13:43:41.000000000 +0100 +++ cscope-15.5+cvs20050816/src/build.c 2006-05-15 13:45:02.000000000 +0100 @@ -220,7 +220,7 @@ (void) strcpy(newdir, "$HOME"); } else if (strncmp(currentdir, home, strlen(home)) == 0) { - (void) sprintf(newdir, "$HOME%s", currentdir + strlen(home)); + (void) snprintf(newdir, sizeof(newdir), "$HOME%s", currentdir + strlen(home)); } /* sort the source file names (needed for rebuilding) */ qsort(srcfiles, (unsigned) nsrcfiles, sizeof(char *), compare); @@ -447,7 +447,7 @@ } (void) fstat(fileno(postings), &statstruct); (void) fclose(postings); - (void) sprintf(sortcommand, "env LC_ALL=C sort -T %s %s", tmpdir, temp1); + (void) snprintf(sortcommand, sizeof(sortcommand), "env LC_ALL=C sort -T %s %s", tmpdir, temp1); if ((postings = mypopen(sortcommand, "r")) == NULL) { (void) fprintf(stderr, "cscope: cannot open pipe to sort command\n"); cannotindex(); --- cscope-15.5+cvs20050816/src/command.c.orig 2006-05-15 13:43:41.000000000 +0100 +++ cscope-15.5+cvs20050816/src/command.c 2006-05-15 13:45:15.000000000 +0100 @@ -754,7 +754,7 @@ /* make sure it can be changed */ if (access(newfile, WRITE) != 0) { - (void) sprintf(msg, "Cannot write to file %s", newfile); + (void) snprintf(msg, sizeof(msg), "Cannot write to file %s", newfile); postmsg(msg); anymarked = NO; break; --- cscope-15.5+cvs20050816/src/dir.c.orig 2006-05-15 13:43:41.000000000 +0100 +++ cscope-15.5+cvs20050816/src/dir.c 2006-05-15 13:46:09.000000000 +0100 @@ -138,7 +138,7 @@ /* compute its path from higher view path source dirs */ for (i = 1; i < nvpsrcdirs; ++i) { - (void) sprintf(path, "%.*s/%s", + (void) snprintf(path, sizeof(path), "%.*s/%s", PATHLEN - 2 - dir_len, srcdirs[i], dir); addsrcdir(path); 
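Review bot: `sizeof(newdir)` in the @@ -220 hunk bounds the write only if `newdir` is an array declared in this scope; its declaration is outside the hunk, and if it were a `char *` the limit would silently become the size of a pointer. The same holds for every other destination converted in this patch whose declaration is not shown (`sortcommand`, `msg`, `lastmsg`, `plusnum`, `name`, `buf`, `tempdirpv`, `temp1`, `temp2`, and `path` in main.c). Only the `path[PATHLEN + 1]` declarations in dir.c @@ -483 and edit.c @@ -132 are visible. I would check each destination against its declaration and record that in the patch description, because a mechanical sprintf-to-snprintf conversion is where that mistake usually enters.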
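Review bot: The result of `snprintf()` in the @@ -447 hunk is cast to void, so a `tmpdir`/`temp1` pair that does not fit now produces a silently truncated `sortcommand` that is still handed to `mypopen()`; the overflow is gone, but the command that runs is no longer the one that was built. I would test the return value and take the failure path already used just below, e.g. `if ((unsigned) snprintf(sortcommand, sizeof(sortcommand), "env LC_ALL=C sort -T %s %s", tmpdir, temp1) >= sizeof(sortcommand)) cannotindex();`. The same unchecked truncation reaches `regcomp()` in find.c, where the trailing `$` anchor can be cut off, and `access()`/`myfopen()`/`myopen()` in dir.c, main.c, vpaccess.c, vpfopen.c and vpopen.c, where a shortened path may name a different file. Separately, `tmpdir` and `temp1` are still interpolated into a shell command unquoted, which this patch leaves as it was.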
@@ -206,7 +206,7 @@ /* compute its path from higher view path source dirs */ for (i = 1; i < nvpsrcdirs; ++i) { - (void) sprintf(path, "%.*s/%s", + (void) snprintf(path, sizeof(path), "%.*s/%s", PATHLEN - 2 - dir_len, srcdirs[i], dir); addincdir(dir, path); @@ -483,8 +483,6 @@ DIR *dirfile; int adir_len = strlen(adir); - /* FIXME: no guards against adir_len > PATHLEN, yet */ - if ((dirfile = opendir(adir)) != NULL) { struct dirent *entry; char path[PATHLEN + 1]; @@ -495,7 +493,7 @@ && (strcmp("..",entry->d_name) != 0)) { struct stat buf; - sprintf(path,"%s/%.*s", adir, + snprintf(path, sizeof(path), "%s/%.*s", adir, PATHLEN - 2 - adir_len, entry->d_name); @@ -610,14 +608,14 @@ for (i = 0; i < nincdirs; ++i) { /* don't include the file from two directories */ - (void) sprintf(name, "%.*s/%s", + (void) snprintf(name, sizeof(name), "%.*s/%s", PATHLEN - 2 - file_len, incnames[i], file); if (infilelist(name) == YES) { break; } /* make sure it exists and is readable */ - (void) sprintf(path, "%.*s/%s", + (void) snprintf(path, sizeof(path), "%.*s/%s", PATHLEN - 2 - file_len, incdirs[i], file); if (access(compath(path), READ) == 0) { @@ -661,7 +659,7 @@ /* compute its path from higher view path source dirs */ for (i = 1; i < nvpsrcdirs; ++i) { - (void) sprintf(path, "%.*s/%s", + (void) snprintf(path, sizeof(path), "%.*s/%s", PATHLEN - 2 - file_len, srcdirs[i], file); if (access(compath(path), READ) == 0) { --- cscope-15.5+cvs20050816/src/display.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/display.c 2006-05-15 13:48:08.000000000 +0100 
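Review bot: Removing the FIXME in the @@ -483 hunk overstates what the following hunk fixes. When `adir_len` exceeds `PATHLEN - 2`, the precision argument `PATHLEN - 2 - adir_len` is negative, which the printf family treats as no precision at all, so only the new size argument stops the write and the resulting `path` is a cut-off `adir` with no entry name. I would replace the comment with a real guard before `opendir()`, for example `if (adir_len > PATHLEN - 2) return;` (adjusted to the function's return type, which is outside the hunk), or at least keep a comment saying that over-long directories are truncated. The other `"%.*s/%s"` call sites in this file (@@ -138, @@ -206, @@ -610, @@ -661) compute their precision the same way from `dir_len` or `file_len`.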
@@ -481,20 +481,20 @@ /* see if it is empty */ if ((c = getc(refsfound)) == EOF) { if (findresult != NULL) { - (void) sprintf(lastmsg, "Egrep %s in this pattern: %s", + (void) snprintf(lastmsg, sizeof(lastmsg), "Egrep %s in this pattern: %s", findresult, Pattern); } else if (rc == NOTSYMBOL) { - (void) sprintf(lastmsg, "This is not a C symbol: %s", + (void) snprintf(lastmsg, sizeof(lastmsg), "This is not a C symbol: %s", Pattern); } else if (rc == REGCMPERROR) { - (void) sprintf(lastmsg, "Error in this regcomp(3) regular expression: %s", + (void) snprintf(lastmsg, sizeof(lastmsg), "Error in this regcomp(3) regular expression: %s", Pattern); } else if (funcexist == NO) { - (void) sprintf(lastmsg, "Function definition does not exist: %s", + (void) snprintf(lastmsg, sizeof(lastmsg), "Function definition does not exist: %s", Pattern); } else { - (void) sprintf(lastmsg, "Could not find the %s: %s", + (void) snprintf(lastmsg, sizeof(lastmsg), "Could not find the %s: %s", fields[field].text2, Pattern); } return(NO); @@ -530,17 +530,17 @@ move(MSGLINE, 0); clrtoeol(); addstr(what); - sprintf(msg, "%ld", current); + snprintf(msg, sizeof(msg), "%ld", current); move(MSGLINE, (COLS / 2) - (strlen(msg) / 2)); addstr(msg); - sprintf(msg, "%ld", max); + snprintf(msg, sizeof(msg), "%ld", max); move(MSGLINE, COLS - strlen(msg)); addstr(msg); refresh(); } else if (verbosemode == YES) { - sprintf(msg, "> %s %ld of %ld", what, current, max); + snprintf(msg, sizeof(msg), "> %s %ld of %ld", what, current, max); } start = now; @@ -578,7 +578,7 @@ s = sys_errlist[errno]; } #endif - (void) sprintf(msg, "%s: %s", text, s); + (void) snprintf(msg, sizeof(msg), "%s: %s", text, s); postmsg(msg); } --- cscope-15.5+cvs20050816/src/edit.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/edit.c 2006-05-15 13:50:49.000000000 +0100 
@@ -105,9 +105,9 @@ char *s; file = filepath(file); - (void) sprintf(msg, "%s +%s %s", mybasename(editor), linenum, file); + (void) snprintf(msg, sizeof(msg), "%s +%s %s", mybasename(editor), linenum, file); postmsg(msg); - (void) sprintf(plusnum, lineflag, linenum); + (void) snprintf(plusnum, sizeof(plusnum), lineflag, linenum); /* if this is the more or page commands */ if (strcmp(s = mybasename(editor), "more") == 0 || strcmp(s, "page") == 0) { @@ -132,7 +132,7 @@ static char path[PATHLEN + 1]; if (prependpath != NULL && *file != '/') { - (void) sprintf(path, "%s/%s", prependpath, file); + (void) snprintf(path, sizeof(path), "%s/%s", prependpath, file); file = path; } return(file); --- cscope-15.5+cvs20050816/src/exec.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/exec.c 2006-05-15 13:50:59.000000000 +0100 @@ -124,7 +124,7 @@ /* execute the program or shell script */ (void) execvp(a, args); /* returns only on failure */ - (void) sprintf(msg, "\nCannot exec %s", a); + (void) snprintf(msg, sizeof(msg), "\nCannot exec %s", a); perror(msg); /* display the reason */ askforreturn(); /* wait until the user sees the message */ myexit(1); /* exit the child */ --- cscope-15.5+cvs20050816/src/find.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/find.c 2006-05-15 13:51:08.000000000 +0100 @@ -666,7 +666,7 @@ /* must be an exact match */ /* note: regcomp doesn't recognize ^*keypad$ as a syntax error unless it is given as a single arg */ - (void) sprintf(buf, "^%s$", s); + (void) snprintf(buf, sizeof(buf), "^%s$", s); if (regcomp (®exp, buf, REG_EXTENDED | REG_NOSUB) != 0) { return(REGCMPERROR); } --- cscope-15.5+cvs20050816/src/main.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/main.c 2006-05-15 13:52:25.000000000 +0100 
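Review bot: `snprintf(plusnum, sizeof(plusnum), lineflag, linenum)` in the edit.c @@ -105 hunk still passes a non-literal format string; the size argument bounds the output but does nothing about the conversion specifiers inside `lineflag` itself. Where `lineflag` is set is outside this hunk, so this matters only if it can come from the environment or other user-controlled configuration, which is worth confirming. If it can, I would validate where it is read that it contains exactly one `%s` and no other conversion, and document that at this call with `/* lineflag is validated to contain a single %s when it is read */`.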
@@ -350,7 +350,7 @@ /* create the temporary file names */ orig_umask = umask(S_IRWXG|S_IRWXO); pid = getpid(); - sprintf(tempdirpv, "%s/cscope.%d", tmpdir, pid); + snprintf(tempdirpv, sizeof(tempdirpv), "%s/cscope.%d", tmpdir, pid); if(mkdir(tempdirpv,S_IRWXU)) { fprintf(stderr, "cscope: Could not create private temp dir %s\n",tempdirpv); @@ -358,8 +358,8 @@ } umask(orig_umask); - sprintf(temp1, "%s/cscope.1", tempdirpv, pid); - sprintf(temp2, "%s/cscope.2", tempdirpv, pid); + snprintf(temp1, sizeof(temp1), "%s/cscope.1", tempdirpv, pid); + snprintf(temp2, sizeof(temp1), "%s/cscope.2", tempdirpv, pid); /* if running in the foreground */ if (signal(SIGINT, SIG_IGN) != SIG_IGN) { @@ -379,12 +379,12 @@ * used instead of failing to open a non-existant database in * the home directory */ - sprintf(path, "%s/%s", home, reffile); + snprintf(path, sizeof(path), "%s/%s", home, reffile); if (isuptodate == NO || access(path, READ) == 0) { reffile = stralloc(path); - sprintf(path, "%s/%s", home, invname); + snprintf(path, sizeof(path), "%s/%s", home, invname); invname = stralloc(path); - sprintf(path, "%s/%s", home, invpost); + snprintf(path, sizeof(path), "%s/%s", home, invpost); invpost = stralloc(path); } } --- cscope-15.5+cvs20050816/src/vpaccess.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/vpaccess.c 2006-05-15 13:52:42.000000000 +0100 @@ -49,7 +49,7 @@ if ((returncode = access(path, amode)) == -1 && path[0] != '/') { vpinit(NULL); for (i = 1; i < vpndirs; i++) { - (void) sprintf(buf, "%s/%s", vpdirs[i], path); + (void) snprintf(buf, sizeof(buf), "%s/%s", vpdirs[i], path); if ((returncode = access(buf, amode)) != -1) { break; } --- cscope-15.5+cvs20050816/src/vpfopen.c.orig 2006-05-15 13:43:42.000000000 +0100 +++ cscope-15.5+cvs20050816/src/vpfopen.c 2006-05-15 13:52:51.000000000 +0100 
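Review bot: The second added line in the main.c @@ -358 hunk sizes `temp2` with the wrong buffer: `snprintf(temp2, sizeof(temp1), ...)`. That is harmless only while both arrays have the same length (their declarations are outside the hunk); if `temp2` were ever the smaller one, the bound would be wrong again. Both calls also still pass a `pid` argument that the format string never consumes, carried over from the old `sprintf()` lines. I would write `snprintf(temp1, sizeof(temp1), "%s/cscope.1", tempdirpv);` and `snprintf(temp2, sizeof(temp2), "%s/cscope.2", tempdirpv);`.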
@@ -53,7 +53,7 @@
 ) {
 vpinit(NULL);
 for (i = 1; i < vpndirs; i++) {
- (void) sprintf(buf, "%s/%s", vpdirs[i], filename);
+ (void) snprintf(buf, sizeof(buf), "%s/%s", vpdirs[i], filename);
 if ((returncode = myfopen(buf, type)) != NULL) {
 break;
 }
--- cscope-15.5+cvs20050816/src/vpopen.c.orig 2006-05-15 13:43:42.000000000 +0100
+++ cscope-15.5+cvs20050816/src/vpopen.c 2006-05-15 13:52:57.000000000 +0100
@@ -52,7 +52,7 @@
 oflag == OPENFLAG_READ) {
 vpinit(NULL);
 for (i = 1; i < vpndirs; i++) {
- (void) sprintf(buf, "%s/%s", vpdirs[i], path);
+ (void) snprintf(buf, sizeof(buf), "%s/%s", vpdirs[i], path);
 if ((returncode = myopen(buf, oflag, 0666)) != -1) {
 break;
 }
#include "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" int main(void) { return 0; }