Joey,

On Sat, Apr 23, 2005 at 10:50:15AM +0200, Christian T. Steigies wrote:
> Package: f2c
> Version: 20020621-3.2
> Severity: serious
> Justification: segfaults on m68k which causes r-base build to fail (and
> probably others as well)
> On m68k, r-base and a few other packages need f2c to build. The latest
> release of R fails to build on m68k with f2c segfaulting:
> http://buildd.debian.org/fetch.php?&pkg=r-base&ver=2.1.0-1&arch=m68k&stamp=1114147840&file=log&as=raw
> I assume this is due to a bug in f2c, since with the f2c that was installed
> in the successful build, ch2inv.f can be compiled, whereas with the f2c that
> is currently in incoming, it can not.
>
> [EMAIL PROTECTED]:/data/gleep/r-base-2.1.0/src/appl>strace f2c < ch2inv.f
> execve("/usr/bin/f2c", ["f2c"], [/* 36 vars */]) = 0
> uname({sys="Linux", node="aahz", ...}) = 0
> brk(0) = 0x800352e4
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
> open("/etc/ld.so.cache", O_RDONLY) = 3
> fstat64(3, {st_mode=020151000000, st_size=104135777062912, ...}) = 0
> old_mmap(NULL, 24246, PROT_READ, MAP_PRIVATE, 3, 0) = 0xc0013000
> close(3) = 0
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
> open("/lib/libc.so.6", O_RDONLY) = 3
> read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\1\317"..., 512) = 512
> fstat64(3, {st_mode=020151000000, st_size=4214067292016640, ...}) = 0
> old_mmap(NULL, 992864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xc0019000
> old_mmap(0xc0103000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xe8000) = 0xc0103000
> old_mmap(0xc0109000, 9824, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc0109000
> close(3) = 0
> munmap(0xc0013000, 24246) = 0
> brk(0) = 0x800352e4
> brk(0x800562e4) = 0x800562e4
> brk(0) = 0x800562e4
> brk(0x80057000) = 0x80057000
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++

This looks like a pretty serious regression in the latest security NMU of f2c.
The code now reads:

    char *c_functions = "c_functions";
    char *coutput = "c_output";
    char *initfname = "raw_data";
    char *initbname = "raw_data.b";
    char *blkdfname = "block_data";
    char *p1_file = "p1_file";
    char *p1_bakfile = "p1_file.BAK";
    char *sortfname = "init_file";
    char *proto_fname = "proto_file";
    [...]
    void
    set_tmp_names(Void)
    {
    #ifdef MSDOS
    [...]
    #else
            sprintf(c_functions, "%s/f2c_func_XXXXXX", tmpdir);
            sprintf(initfname, "%s/f2c_rc_XXXXXX", tmpdir);
            sprintf(initbname, "%s/f2c_rc.b_XXXXXX", tmpdir);
            sprintf(blkdfname, "%s/f2c_blkd_XXXXXX", tmpdir);
            sprintf(p1_file, "%s/f2c_p1f_XXXXXX", tmpdir);
            sprintf(p1_bakfile, "%s/f2c_p1fb_XXXXXX", tmpdir);
            sprintf(sortfname, "%s/f2c_sort_XXXXXX", tmpdir);
    #endif
    [...]
    }

which is an obvious overflow condition. AFAICT, the initialization of these
strings is completely inappropriate, and should be replaced with a
sensibly-sized buffer, followed by the use of snprintf() instead of sprintf().

Would you (or Dan McMahill, if that's where this patch came from) care to fix
this up, or would you like me to prepare a patch?

Thanks,
-- 
Steve Langasek
postmodern programmer
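The fix the reply asks for, as an added example that is not f2c's own code: the pointer-to-literal names become writable fixed-size buffers, and snprintf()'s return value is checked so an overlong tmpdir is refused instead of silently truncated (which would also strip the XXXXXX suffix mkstemp() needs). The buffer size TMPNAME_MAX and the set_tmp_name()/set_tmp_names_safe() helpers are assumptions for this illustration, not names from f2c.

```c
#include <stdio.h>
#include <string.h>

#define TMPNAME_MAX 256  /* assumed size; take it from the real path limit */

/* Writable buffers instead of pointers to string literals: sprintf() into
 * a literal is undefined behaviour, which is what crashed f2c on m68k. */
static char c_functions[TMPNAME_MAX];
static char initfname[TMPNAME_MAX];
/* the other seven names would follow the same pattern */

/* Format "<tmpdir>/<pattern>" into buf. Returns 0 on success, -1 if it
 * would not fit. Truncation is an error, not just something to avoid:
 * a cut-off name loses the XXXXXX suffix that mkstemp() needs. */
int set_tmp_name(char *buf, size_t buflen, const char *tmpdir, const char *pattern)
{
    int n = snprintf(buf, buflen, "%s/%s", tmpdir, pattern);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';        /* never leave a partial template behind */
        return -1;
    }
    return 0;
}

/* Hardened equivalent of the #else branch of set_tmp_names(), for two of
 * the names; the remaining calls are identical. */
int set_tmp_names_safe(const char *tmpdir)
{
    if (set_tmp_name(c_functions, sizeof c_functions, tmpdir, "f2c_func_XXXXXX") != 0)
        return -1;
    if (set_tmp_name(initfname, sizeof initfname, tmpdir, "f2c_rc_XXXXXX") != 0)
        return -1;
    return 0;
}

const char *get_c_functions(void) { return c_functions; }
const char *get_initfname(void) { return initfname; }

/* A tmpdir longer than the buffer is refused and the buffer left empty,
 * so a later mkstemp() cannot be handed a corrupted template. */
int overlong_tmpdir_rejected(void)
{
    char longdir[TMPNAME_MAX + 8];            /* constructed oversize input */
    memset(longdir, 'a', sizeof longdir - 1);
    longdir[sizeof longdir - 1] = '\0';
    return set_tmp_names_safe(longdir) == -1 && c_functions[0] == '\0';
}
```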