Your message dated Thu, 05 Feb 2009 12:17:15 +0000
with message-id <e1lv3ar-0005pq...@ries.debian.org>
and subject line Bug#514217: fixed in tangogps 0.9.6-1
has caused the Debian Bug report #514217,
regarding Buffer overflow in update_poi
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
514217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514217
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tangogps
Version: 0.9.3-2
Severity: serious

Hello,

thanks for maintaining tangogps.

I have noticed that it has a tendency to segfault when I type long POI
descriptions.  The backtrace is rather useless, except it points at the
update_poi function.  A quick glance at the function shows the issue:

char sql[512];
[...]
g_snprintf(sql, 2048,
                        "UPDATE "
                                "poi "
                        "SET "
                                "lat=%f,"
                                "lon=%f,"
                                "keywords='%s',"
                                "desc='%s'"
                        "WHERE "
                                "idmd5='%s'"
                        ,
                        lat_deg, lon_deg,
                        keyword, desc, idmd5);

Doh.  The buffer is 512 bytes, but the limit given to snprintf is 2048:
boom.  Fixing the buffer to be 2048 bytes is a quick fix, but in the
long term the function needs considerable smartening up: if a long text (>1900
or so bytes) is pasted in the field (say, the menu of a restaurant
pasted from a web page, or extensive road directions), it will still
lead to a truncated, and therefore invalid, SQL query.


Ciao,

Enrico

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages tangogps depends on:
ii  libatk1.0-0                   1.22.0-1   The ATK accessibility toolkit
ii  libc6                         2.7-18     GNU C Library: Shared libraries
ii  libcairo2                     1.6.4-7    The Cairo 2D vector graphics libra
ii  libcurl3-gnutls               7.18.2-8   Multi-protocol file transfer libra
ii  libgconf2-4                   2.22.0-1   GNOME configuration database syste
ii  libglib2.0-0                  2.16.6-1   The GLib library of C routines
ii  libgtk2.0-0                   2.12.11-4  The GTK+ graphical user interface 
ii  libpango1.0-0                 1.20.5-3   Layout and rendering of internatio
ii  libsqlite3-0                  3.5.9-5    SQLite 3 shared library

Versions of packages tangogps recommends:
ii  gpsd                          2.37-7     GPS (Global Positioning System) da

tangogps suggests no packages.

-- no debconf information



--- End Message ---
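
The two points raised in the report above (a size argument that disagrees
with the buffer, and silent truncation of the query) can be handled as in
the following added example, which is not tangogps code and is not the
upstream fix. It uses standard snprintf instead of g_snprintf, condenses
the format string from the report onto one line, and the function names
are hypothetical; quote characters inside the fields are not handled here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POI_SQL_FMT \
    "UPDATE poi SET lat=%f,lon=%f,keywords='%s',desc='%s' WHERE idmd5='%s'"

/* Fixed buffer: pass the real size and treat truncation as an error.
 * Returns 0 on success, -1 if the query did not fit (buf is emptied). */
int poi_sql_fixed(char *buf, size_t size, double lat, double lon,
                  const char *keyword, const char *desc, const char *idmd5)
{
    int n = snprintf(buf, size, POI_SQL_FMT, lat, lon, keyword, desc, idmd5);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            buf[0] = '\0'; /* never hand a truncated query to the database */
        return -1;
    }
    return 0;
}

/* Heap buffer sized from the input: measure first, then format.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *poi_sql_alloc(double lat, double lon, const char *keyword,
                    const char *desc, const char *idmd5)
{
    int n = snprintf(NULL, 0, POI_SQL_FMT, lat, lon, keyword, desc, idmd5);
    char *sql = n < 0 ? NULL : malloc((size_t)n + 1);
    if (sql != NULL)
        snprintf(sql, (size_t)n + 1, POI_SQL_FMT, lat, lon, keyword, desc, idmd5);
    return sql;
}

/* Constructed input: a 3000-byte description, longer than both sizes in the
 * report. Returns 1 if the fixed buffer rejects it and the heap one fits it. */
int demo(void)
{
    char desc[3001], sql[512];
    memset(desc, 'x', 3000);
    desc[3000] = '\0';
    int rejected = poi_sql_fixed(sql, sizeof sql, 45.5, 11.3, "food", desc, "abc") == -1;
    char *full = poi_sql_alloc(45.5, 11.3, "food", desc, "abc");
    size_t len = full ? strlen(full) : 0;
    int complete = len > 3000 && strcmp(full + len - 19, "' WHERE idmd5='abc'") == 0;
    free(full);
    return rejected && complete;
}

int main(void) { printf("demo: %s\n", demo() ? "ok" : "FAILED"); return 0; }
```
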
--- Begin Message ---
Source: tangogps
Source-Version: 0.9.6-1

We believe that the bug you reported is fixed in the latest version of
tangogps, which is due to be installed in the Debian FTP archive:

tangogps_0.9.6-1.diff.gz
  to pool/main/t/tangogps/tangogps_0.9.6-1.diff.gz
tangogps_0.9.6-1.dsc
  to pool/main/t/tangogps/tangogps_0.9.6-1.dsc
tangogps_0.9.6-1_i386.deb
  to pool/main/t/tangogps/tangogps_0.9.6-1_i386.deb
tangogps_0.9.6.orig.tar.gz
  to pool/main/t/tangogps/tangogps_0.9.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <dan...@debian.org> (supplier of updated tangogps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu,  5 Feb 2009 13:05:00 +0100
Source: tangogps
Binary: tangogps
Architecture: source i386
Version: 0.9.6-1
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <dan...@debian.org>
Changed-By: Daniel Baumann <dan...@debian.org>
Description: 
 tangogps   - GTK+ mapping and GPS application
Closes: 514217
Changes: 
 tangogps (0.9.6-1) unstable; urgency=high
 .
   * Merging upstream version 0.9.6:
     - Fixes buffer overflow in update_poi (Closes: #514217).
   * Adding libexif to build-depends.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmK13oACgkQ+C5cwEsrK55sfQCdEIknaHVOtl62htx5twbCo4Aw
yGMAn1TKBUiemlnllrkylDhulnVnkuh8
=4gUT
-----END PGP SIGNATURE-----



--- End Message ---
