Package: gammu
Version: 1.42.0-8.1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu noble ubuntu-patch

Hi Boian,

In Ubuntu gammu fails to build from source with the current default compiler
because it checks more strictly than Debian's for buffer overflows, and it
finds one in the handling of the GSM_Backup.Creator field: this is a buffer
of 80 characters, and the code assumes it can shove the entire output of
`uname` into it with no bounds checking.

Attached is a patch that allows the package to build without test failures
due to buffer overflows.

Thanks for considering,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
diff -Nru gammu-1.42.0/debian/patches/series gammu-1.42.0/debian/patches/series
--- gammu-1.42.0/debian/patches/series  2023-01-29 13:07:57.000000000 -0800
+++ gammu-1.42.0/debian/patches/series  2024-03-17 01:18:45.000000000 -0700
@@ -5,3 +5,4 @@
 06-disable_smsd-dbi-sqlite3.patch
 07-use_posix_shell_only.patch
 08-no_warnings_in_docs.patch
+uname-buffer-overflow.patch
diff -Nru gammu-1.42.0/debian/patches/uname-buffer-overflow.patch 
gammu-1.42.0/debian/patches/uname-buffer-overflow.patch
--- gammu-1.42.0/debian/patches/uname-buffer-overflow.patch     1969-12-31 
16:00:00.000000000 -0800
+++ gammu-1.42.0/debian/patches/uname-buffer-overflow.patch     2024-03-17 
01:22:52.000000000 -0700
@@ -0,0 +1,47 @@
+Description: fix buffer overflow in GSM_Backup.Creator
+ GSM_Backup contains an 80-char 'Creator' field which it tries to fill
+ with the contents of 'uname -a'.  Recent compilers rightly detect a
+ buffer overflow (on Ubuntu, this output is 120 characters long and it's
+ not the only thing expected to go in this field).  Avoid use of the
+ never-safe strcat().
+Author: Steve Langasek <steve.langa...@canonical.com>
+Forwarded: no
+Last-Update: 2024-03-17
+
+Index: gammu-1.42.0/gammu/backup.c
+===================================================================
+--- gammu-1.42.0.orig/gammu/backup.c
++++ gammu-1.42.0/gammu/backup.c
+@@ -347,6 +347,7 @@
+       GSM_GPRSAccessPoint     GPRSPoint;
+       gboolean                        DoBackupPart;
+       char buffer[GSM_MAX_INFO_LENGTH];
++      size_t                  len;
+ 
+       if (argc == 4 && strcasecmp(argv[3],"-yes") == 0) always_answer_yes = 
TRUE;
+ 
+@@ -354,13 +355,18 @@
+       GSM_GetBackupFormatFeatures(GSM_GuessBackupFormat(argv[2], 
FALSE),&Info);
+ 
+       sprintf(Backup.Creator, "Gammu %s", GAMMU_VERSION);
+-      if (strlen(GetOS()) != 0) {
+-              strcat(Backup.Creator+strlen(Backup.Creator),", ");
+-              strcat(Backup.Creator+strlen(Backup.Creator),GetOS());
++      len = sizeof(Backup.Creator) - strlen(Backup.Creator) - 1;
++      if (strlen(GetOS()) != 0 && len > strlen(GetOS()) + 3) {
++              strncat(Backup.Creator+strlen(Backup.Creator),", ", len);
++              len -= 2;
++              strncat(Backup.Creator+strlen(Backup.Creator),GetOS(), len);
++              len -= strlen(GetOS());
+       }
+-      if (strlen(GetCompiler()) != 0) {
+-              strcat(Backup.Creator+strlen(Backup.Creator),", ");
+-              strcat(Backup.Creator+strlen(Backup.Creator),GetCompiler());
++      if (strlen(GetCompiler()) != 0 && len > strlen(GetCompiler()) + 3) {
++              strncat(Backup.Creator+strlen(Backup.Creator),", ", len);
++              len -= 2;
++              strncat(Backup.Creator+strlen(Backup.Creator),GetCompiler(),
++                      len);
+       }
+ 
+       signal(SIGINT, interrupt);
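
Review bot: in the second backup.c hunk the guard `len > strlen(GetOS()) + 3` skips the OS string entirely when it does not fit, and the description says the Ubuntu uname output is 120 characters against an 80-char field, so on the affected system Creator ends up without the OS at all. If a truncated string is preferable to none, a bounded formatted append such as `snprintf(Backup.Creator + used, sizeof(Backup.Creator) - used, ", %s", GetOS())` (with `used` a hypothetical variable holding the current strlen) truncates safely and removes the manual `len` bookkeeping. As written, the guard is also stricter than needed: `len` already excludes the terminating NUL, so `len >= strlen(GetOS()) + 2` would suffice. The `strncat` bounds can never take effect because the guard already guarantees the fit, and the final `len -= 2` in the compiler branch is not used again in the visible lines. The unchanged `sprintf(Backup.Creator, "Gammu %s", GAMMU_VERSION)` is still unbounded and would be worth converting in the same pass. Since the header says `Forwarded: no` and the overflow is in gammu/backup.c itself, consider sending the fix upstream.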
