tags 305971 patch thanks Oh what the heck, here's a patch.
Cheers, -- Steve Langasek postmodern programmer On Sat, Apr 23, 2005 at 01:58:37PM -0700, Steve Langasek wrote: > On Sat, Apr 23, 2005 at 10:50:15AM +0200, Christian T. Steigies wrote: > > Package: f2c > > Version: 20020621-3.2 > > Severity: serious > > Justification: segfaults on m68k which causes r-base build to fail (and > > probably others as well) > > > On m68k, r-base and a few other packages need f2c to build. The latest > > release of R fails to build on m68k with f2c segfaulting: > > > http://buildd.debian.org/fetch.php?&pkg=r-base&ver=2.1.0-1&arch=m68k&stamp=1114147840&file=log&as=raw > > > I assume this is due to a bug in f2c, since with the f2c that was installed > > in the successful build, ch2inv.f can be compiled, whereas with the f2c that > > is currently in incoming, it can not. > This looks like a pretty serious regression in the latest security NMU of > f2c. The code now reads: > > char *c_functions = "c_functions"; > char *coutput = "c_output"; > char *initfname = "raw_data"; > char *initbname = "raw_data.b"; > char *blkdfname = "block_data"; > char *p1_file = "p1_file"; > char *p1_bakfile = "p1_file.BAK"; > char *sortfname = "init_file"; > char *proto_fname = "proto_file"; > > [...] > > void > set_tmp_names(Void) > { > #ifdef MSDOS > [...] > #else > sprintf(c_functions, "%s/f2c_func_XXXXXX", tmpdir); > sprintf(initfname, "%s/f2c_rc_XXXXXX", tmpdir); > sprintf(initbname, "%s/f2c_rc.b_XXXXXX", tmpdir); > sprintf(blkdfname, "%s/f2c_blkd_XXXXXX", tmpdir); > sprintf(p1_file, "%s/f2c_p1f_XXXXXX", tmpdir); > sprintf(p1_bakfile, "%s/f2c_p1fb_XXXXXX", tmpdir); > sprintf(sortfname, "%s/f2c_sort_XXXXXX", tmpdir); > #endif > [...] > } > > which is an obvious overflow condition. > > AFAICT, the initialization of these strings is completely inappropriate, and > should be replaced with a sensibly-sized buffer, followed by the use of > snprintf() instead of sprintf(). 
Would you (or Dan McMahill, if that's > where this patch came from) care to fix this up, or would you like me to > prepare a patch?
diff -u f2c-20020621/src/sysdep.c f2c-20020621/src/sysdep.c
--- f2c-20020621/src/sysdep.c
+++ f2c-20020621/src/sysdep.c
@@ -26,14 +26,14 @@
char binread[] = "rb", textread[] = "r";
char binwrite[] = "wb", textwrite[] = "w";
-char *c_functions = "c_functions";
+char c_functions[64];
char *coutput = "c_output";
-char *initfname = "raw_data";
-char *initbname = "raw_data.b";
-char *blkdfname = "block_data";
-char *p1_file = "p1_file";
-char *p1_bakfile = "p1_file.BAK";
-char *sortfname = "init_file";
+char initfname[64];
+char initbname[64];
+char blkdfname[64];
+char p1_file[64];
+char p1_bakfile[64];
+char sortfname[64];
char *proto_fname = "proto_file";
char link_msg[] = "-lf2c -lm"; /* was "-lF77 -lI77 -lm -lc"; */
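Review bot: Turning `p1_bakfile` and `sortfname` into arrays here conflicts with the `#ifdef MSDOS` branch visible as context in the next hunk, which still assigns to them (`p1_bakfile = p1_file + k;`, `sortfname = p1_bakfile + k;`). An array cannot be assigned to, so that branch would stop compiling if MSDOS is ever defined; either keep the pointer declarations under `#ifdef MSDOS` and the arrays under `#else`, or retire the MSDOS path explicitly. The bare `64` is also repeated seven times with no stated reason; one named constant, for example `enum { TMPNAME_MAX = 64 };` (the name is only a suggestion), plus a comment that these buffers hold `tmpdir`-prefixed templates ending in `XXXXXX`, would keep the declarations and any later size check in step.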
@@ -123,13 +123,13 @@
p1_bakfile = p1_file + k;
sortfname = p1_bakfile + k;
#else
- sprintf(c_functions, "%s/f2c_func_XXXXXX", tmpdir);
- sprintf(initfname, "%s/f2c_rc_XXXXXX", tmpdir);
- sprintf(initbname, "%s/f2c_rc.b_XXXXXX", tmpdir);
- sprintf(blkdfname, "%s/f2c_blkd_XXXXXX", tmpdir);
- sprintf(p1_file, "%s/f2c_p1f_XXXXXX", tmpdir);
- sprintf(p1_bakfile, "%s/f2c_p1fb_XXXXXX", tmpdir);
- sprintf(sortfname, "%s/f2c_sort_XXXXXX", tmpdir);
+ snprintf(c_functions, sizeof(c_functions), "%s/f2c_func_XXXXXX",
tmpdir);
+ snprintf(initfname, sizeof(initfname), "%s/f2c_rc_XXXXXX", tmpdir);
+ snprintf(initbname, sizeof(initbname), "%s/f2c_rc.b_XXXXXX", tmpdir);
+ snprintf(blkdfname, sizeof(blkdfname), "%s/f2c_blkd_XXXXXX", tmpdir);
+ snprintf(p1_file, sizeof(p1_file), "%s/f2c_p1f_XXXXXX", tmpdir);
+ snprintf(p1_bakfile, sizeof(p1_bakfile), "%s/f2c_p1fb_XXXXXX", tmpdir);
+ snprintf(sortfname, sizeof(sortfname), "%s/f2c_sort_XXXXXX", tmpdir);
#endif
{
#ifdef MSDOS
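Review bot: The seven `snprintf` calls in the `#else` branch discard their return value, so a `tmpdir` longer than 47 bytes is silently truncated to fit the 64-byte buffers and the template loses part or all of its `XXXXXX` suffix. The code that consumes these names is outside the hunk, but it is presumably a mkstemp-style call; a damaged template would then either fail later with a confusing error or, if the name is opened directly, produce a fixed and guessable path in a shared temporary directory. Checking the result once in a small helper and stopping with a clear message is safer than continuing. The sketch below uses `fprintf`/`exit` only as a stand-in for whatever fatal-error routine this file normally uses. set_tmp_names starts and ends outside the hunk.

```c
/* Build "<tmpdir>/<stem>_XXXXXX" in buf; stop if it does not fit. */
static void
tmp_template(char *buf, size_t size, const char *stem)
{
	int n = snprintf(buf, size, "%s/%s_XXXXXX", tmpdir, stem);

	if (n < 0 || (size_t)n >= size) {
		fprintf(stderr, "f2c: temporary directory path too long: %s\n", tmpdir);
		exit(1);
	}
}

/* … unchanged: set_tmp_names opening and MSDOS branch … */
#else
	tmp_template(c_functions, sizeof(c_functions), "f2c_func");
	tmp_template(initfname, sizeof(initfname), "f2c_rc");
	tmp_template(initbname, sizeof(initbname), "f2c_rc.b");
	tmp_template(blkdfname, sizeof(blkdfname), "f2c_blkd");
	tmp_template(p1_file, sizeof(p1_file), "f2c_p1f");
	tmp_template(p1_bakfile, sizeof(p1_bakfile), "f2c_p1fb");
	tmp_template(sortfname, sizeof(sortfname), "f2c_sort");
#endif
```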
diff -u f2c-20020621/debian/changelog f2c-20020621/debian/changelog
--- f2c-20020621/debian/changelog
+++ f2c-20020621/debian/changelog
@@ -1,3 +1,11 @@
+f2c (20020621-3.3) unstable; urgency=high
+
+ * NMU, same issue
+ * Use preallocated buffers for our tmpfile names, instead of using
+ randomly-sized strings and scribbling on memory. Closes #305971.
+
+ -- Steve Langasek <[EMAIL PROTECTED]> Sat, 23 Apr 2005 14:44:59 -0700
+
f2c (20020621-3.2) unstable; urgency=HIGH
* NMU again for same security issues.
only in patch2:
unchanged:
--- f2c-20020621.orig/src/defs.h
+++ f2c-20020621/src/defs.h
@@ -64,7 +64,7 @@
extern int current_ftn_file;
extern int maxcontin;
-extern char *blkdfname, *initfname, *sortfname;
+extern char blkdfname[], initfname[], sortfname[];
extern long headoffset; /* Since the header block requires data
we
don't know about until AFTER each
function has been processed, we keep a
only in patch2:
unchanged:
--- f2c-20020621.orig/src/main.c
+++ f2c-20020621/src/main.c
@@ -215,13 +215,13 @@
f2c_entry ("dneg", P_NO_ARGS, P_INT, &dneg, YES)
}; /* table */
-extern char *c_functions; /* "c_functions" */
+extern char c_functions[]; /* "c_functions" */
extern char *coutput; /* "c_output" */
-extern char *initfname; /* "raw_data" */
-extern char *blkdfname; /* "block_data" */
-extern char *p1_file; /* "p1_file" */
-extern char *p1_bakfile; /* "p1_file.BAK" */
-extern char *sortfname; /* "init_file" */
+extern char initfname[]; /* "raw_data" */
+extern char blkdfname[]; /* "block_data" */
+extern char p1_file[]; /* "p1_file" */
+extern char p1_bakfile[]; /* "p1_file.BAK" */
+extern char sortfname[]; /* "init_file" */
extern char *proto_fname; /* "proto_file" */
FILE *protofile;
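Review bot: These local `extern` declarations in main.c repeat what defs.h already declares for `blkdfname`, `initfname` and `sortfname`, and that duplication is what lets a pointer/array mismatch go unnoticed. Any file that still says `extern char *p1_file;` will compile and link against the new array definition but will read the array's first bytes as an address. `initbname` also became an array in sysdep.c and is not redeclared in any hunk shown here, so its other declarations, if any, need checking. Declaring all seven names once in defs.h and deleting the local copies would let the compiler reject a mismatch, provided sysdep.c includes that header. The trailing comments such as `/* "c_functions" */` describe initial values that no longer exist and could read `/* filled in by set_tmp_names() */`.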

