Hi, attached is a patch for an NMU to fix this issue. It will also be archived at: http://people.debian.org/~nion/nmu-diff/emacs22-22.1+1-2.1_22.1+1-2.2.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u emacs22-22.1+1/debian/patches/series emacs22-22.1+1/debian/patches/series
--- emacs22-22.1+1/debian/patches/series
+++ emacs22-22.1+1/debian/patches/series
@@ -14,0 +15 @@
+CVE-2007-6109.diff
diff -u emacs22-22.1+1/debian/changelog emacs22-22.1+1/debian/changelog
--- emacs22-22.1+1/debian/changelog
+++ emacs22-22.1+1/debian/changelog
@@ -1,3 +1,14 @@
+emacs22 (22.1+1-2.2) unstable; urgency=high
+
+ * Non-maintainer upload by testing-security team.
+ * This update addresses the following security issue:
+ - CVE-2007-6109: A stack-based buffer overflow in the format function
+ when dealing with high precision values could lead to arbitrary code
+ execution.
+ Added upstream patch (CVE-2007-6109.diff) to fix this (Closes: #455432).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 10 Dec 2007 16:42:03 +0100
+
 emacs22 (22.1+1-2.1) unstable; urgency=high
 
 * NMU
only in patch2:
unchanged:
--- emacs22-22.1+1.orig/debian/patches/CVE-2007-6109.diff
+++ emacs22-22.1+1/debian/patches/CVE-2007-6109.diff
@@ -0,0 +1,74 @@
+--- a/src/editfns.c 2007/08/08 07:49:19 1.439.2.3
++++ b/src/editfns.c 2007/11/16 00:18:55 1.439.2.8
+@@ -3543,8 +3543,10 @@
+ precision[n+1] = 10 * precision[n+1] + *format - '0';
+ }
+
+- if (format - this_format_start + 1 > longest_format)
+- longest_format = format - this_format_start + 1;
++ /* Extra +1 for 'l' that we may need to insert into the
++ format. */
++ if (format - this_format_start + 2 > longest_format)
++ longest_format = format - this_format_start + 2;
+
+ if (format == end)
+ error ("Format string ends in middle of format specifier");
+@@ -3605,7 +3607,7 @@
+ && *format != 'i' && *format != 'X' && *format != 'c')
+ error ("Invalid format operation %%%c", *format);
+
+- thissize = 30;
++ thissize = 30 + (precision[n] > 0 ? precision[n] : 0);
+ if (*format == 'c')
+ {
+ if (! SINGLE_BYTE_CHAR_P (XINT (args[n]))
+@@ -3803,23 +3805,35 @@
+ format - this_format_start);
+ this_format[format - this_format_start] = 0;
+
+- if (INTEGERP (args[n]))
++ if (format[-1] == 'e' || format[-1] == 'f' || format[-1] == 'g')
++ sprintf (p, this_format, XFLOAT_DATA (args[n]));
++ else
+ {
+- if (format[-1] == 'd')
+- sprintf (p, this_format, XINT (args[n]));
+- /* Don't sign-extend for octal or hex printing. */
++ if (sizeof (EMACS_INT) > sizeof (int))
++ {
++ /* Insert 'l' before format spec. */
++ this_format[format - this_format_start]
++ = this_format[format - this_format_start - 1];
++ this_format[format - this_format_start - 1] = 'l';
++ this_format[format - this_format_start + 1] = 0;
++ }
++
++ if (INTEGERP (args[n]))
++ {
++ if (format[-1] == 'd')
++ sprintf (p, this_format, XINT (args[n]));
++ /* Don't sign-extend for octal or hex printing. */
++ else
++ sprintf (p, this_format, XUINT (args[n]));
++ }
++ else if (format[-1] == 'd')
++ /* Maybe we should use "%1.0f" instead so it also works
++ for values larger than MAXINT. */
++ sprintf (p, this_format, (EMACS_INT) XFLOAT_DATA (args[n]));
+ else
+- sprintf (p, this_format, XUINT (args[n]));
++ /* Don't sign-extend for octal or hex printing. */
++ sprintf (p, this_format, (EMACS_UINT) XFLOAT_DATA (args[n]));
+ }
+- else if (format[-1] == 'e' || format[-1] == 'f' || format[-1] == 'g')
+- sprintf (p, this_format, XFLOAT_DATA (args[n]));
+- else if (format[-1] == 'd')
+- /* Maybe we should use "%1.0f" instead so it also works
+- for values larger than MAXINT. */
+- sprintf (p, this_format, (EMACS_INT) XFLOAT_DATA (args[n]));
+- else
+- /* Don't sign-extend for octal or hex printing. */
+- sprintf (p, this_format, (EMACS_UINT) XFLOAT_DATA (args[n]));
+
+ if (p > buf
+ && multibyte
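Review bot: The new bound `thissize = 30 + (precision[n] > 0 ? precision[n] : 0);` in the second inner hunk is derived from the precision alone, while the `sprintf (p, this_format, ...)` calls in the third inner hunk stay unbounded, so an output that exceeds the estimate for a reason other than precision (for `%f`, the integer digits of a large-magnitude double are not covered by it) would still overrun the reserved space. The safer shape is to measure with `snprintf (NULL, 0, this_format, ...)` and reserve that length before writing, or at least replace each `sprintf` with `snprintf` bounded by the room left in `buf`. The enclosing function, including where `buf` is sized, lies outside this hunk, so whether any extra slack exists there cannot be confirmed from the patch. The `'l'` insertion guarded by `sizeof (EMACS_INT) > sizeof (int)` also presumes EMACS_INT is exactly `long`; a comment such as `/* Assumes EMACS_INT is long, so %d becomes %ld.  */` would record that, and a compile-time check next to the typedef would enforce it.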