Package: xemacs21
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xemacs21.

CVE-2007-6109[0]:
| Stack-based buffer overflow in emacs allows user-assisted attackers to
| cause a denial of service (application crash) and possibly have
| unspecified other impact via a large precision value in an integer
| format string specifier to the format function, as demonstrated via a
| certain "emacs -batch -eval" command line.

We believed that xemacs21 is unaffected by this first but it turned
out (Thanks to Florian) that it actually is but at a different place:

src/doprnt.c:

    /* Mostly reconstruct the spec and use sprintf() to
       format the string. */

    *p++ = '%';
    if (spec->plus_flag)
      *p++ = '+';
    if (spec->space_flag)
      *p++ = ' ';
    if (spec->number_flag)
      *p++ = '#';
    if (spec->minus_flag)
      *p++ = '-';
    if (spec->zero_flag)
      *p++ = '0';

    if (spec->minwidth >= 0)
      p = long_to_string (p, spec->minwidth);
    if (spec->precision >= 0)
      {
        *p++ = '.';
        p = long_to_string (p, spec->precision);
      }

    if (strchr (double_converters, ch))
      {
        *p++ = ch;
        *p++ = '\0';
        sprintf (text_to_print, constructed_spec, arg.d);
      }
    else
      {
        *p++ = 'l'; /* Always use longs with sprintf() */
        *p++ = ch;
        *p++ = '\0';

        if (strchr (unsigned_int_converters, ch))
          sprintf (text_to_print, constructed_spec, arg.ul);
        else
          sprintf (text_to_print, constructed_spec, arg.l);
      }

If you fix this vulnerability please also include the CVE id in your
changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6109

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
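Added example, not part of the original mail and not XEmacs code: the quoted fragment rebuilds a format spec from caller-controlled minwidth and precision and hands it to sprintf(), which writes as many bytes as the spec asks for regardless of how large text_to_print is. The sketch below shows the same integer path with a bounded writer and a truncation check; the helper name format_long_bounded, the buffer sizes and the return convention are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not XEmacs code: format one long with a caller-chosen
   width/precision into a fixed-size buffer. Returns the byte count written,
   or -1 (with out emptied) if the converter is unsupported or the result
   would not fit. */
int format_long_bounded(char *out, size_t outsz, int minwidth,
                        int precision, char conv, long value)
{
    char spec[64];   /* rebuilt "%<width>.<precision>l<conv>"; size is an assumption */
    char *p = spec, *end = spec + sizeof spec;
    int n;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (conv == '\0' || strchr("dioxXu", conv) == NULL)
        return -1;                      /* integer converters only */

    /* Worst case is 1 + 10 + 1 + 10 + 2 bytes, well inside spec[]. */
    p += snprintf(p, (size_t)(end - p), "%%");
    if (minwidth >= 0)
        p += snprintf(p, (size_t)(end - p), "%d", minwidth);
    if (precision >= 0)
        p += snprintf(p, (size_t)(end - p), ".%d", precision);
    snprintf(p, (size_t)(end - p), "l%c", conv);

    /* snprintf() reports the length the full output needs;
       a value >= outsz means the text was cut off. */
    if (strchr("ouxX", conv))
        n = snprintf(out, outsz, spec, (unsigned long)value);
    else
        n = snprintf(out, outsz, spec, value);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[32];   /* constructed size for the demo */
    int n = format_long_bounded(buf, sizeof buf, -1, 5, 'd', 42);
    printf("%d \"%s\"\n", n, buf);
    n = format_long_bounded(buf, sizeof buf, -1, 1000, 'd', 42);
    printf("%d \"%s\"\n", n, buf);
    return 0;
}
```

Rejecting the oversized request, rather than silently truncating, keeps the caller from treating a cut-off number as the real result.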