Joey and security folks, I think that the attached patch will fix the problem. It seems a little too simple, though, so I'd appreciate it if any of you would glance an eye at it and make sure it looks good.
If so, I'll upload it as 3.0.10 to sid and you can do the appropriate thing with the other dists.

Thanks,

-- John
Wed Sep 21 14:23:14 CDT 2005 John Goerzen <[EMAIL PROTECTED]> * Part 2 of the security fix Wed Sep 21 13:52:10 CDT 2005 John Goerzen <[EMAIL PROTECTED]> * [security] Initial code for first issue in CAN-2005-2772 debian #327722 http://marc.theaimsgroup.com/?l=bugtraq&m=112559902931614&w=2 Sat Jul 30 16:18:38 CDT 2005 John Goerzen <[EMAIL PROTECTED]> tagged DEBIAN_gopher_3.0.10 diff -rN -u old-gopher/object/fileio.c new-gopher/object/fileio.c --- old-gopher/object/fileio.c 2005-09-21 14:23:59.944644055 -0500 +++ new-gopher/object/fileio.c 2005-09-21 14:21:42.000000000 -0500 @@ -807,12 +807,12 @@ int inquote = 0; int insquote = 0; int i; - static char *argv[128]; /* Sufficient for now.. */ + static char *argv[256]; /* Sufficient for now.. */ int argc = 0; char buf[256]; char *cp = buf; - if (cmd == NULL) + if (cmd == NULL || strlen(cmd) >= 245) return(NULL); for (i=0; cmd[i] != '\0'; i++) { diff -rN -u old-gopher/object/VIews.c new-gopher/object/VIews.c --- old-gopher/object/VIews.c 2005-09-21 14:23:59.947643656 -0500 +++ new-gopher/object/VIews.c 2005-09-21 13:51:16.000000000 -0500 @@ -227,6 +227,11 @@ char tmpstr[256], *cp; int i; + if (strlen(line) >= 200) + /* Security: make sure the incoming data won't exceed the buffer. + Pick 200 since that's already larger than any legit data. */ + return (FALSE); + /** Okay, read until the next space, put the result in tmpstr **/ for (cp = line,i=0; (*cp != ' '&&*cp!='\0'&&*cp!=':'); cp++,i++) tmpstr[i] = *cp;
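Review bot: In the object/fileio.c hunk, the new limit in `if (cmd == NULL || strlen(cmd) >= 245)` is a bare constant with no stated relation to `char buf[256]` or to the enlarged `argv[256]`. Deriving it from `sizeof(buf)`, or adding a comment that explains the margin left below 256, would keep the check correct if either array is resized later. The visible lines also show no test of `argc` against the size of `argv`, so the array's safety depends only on the input length limit; an explicit bound on `argc` at the point where the loop stores into `argv` (not shown in this hunk) would make that protection independent of the constant. The unchanged comment "Sufficient for now.." could state the assumption that now makes 256 entries sufficient.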
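Review bot: In the object/VIews.c hunk, the copy loop after the new check still executes `tmpstr[i] = *cp;` with no bound on `i`, so the safety of `tmpstr[256]` rests entirely on the separate `strlen(line) >= 200` test. Adding a comparison of `i` against `sizeof(tmpstr) - 1` to the loop condition would keep the copy safe even if the early return is later changed or removed. The constant 200 would be clearer if expressed in terms of `sizeof(tmpstr)`. As a style point, the comment sits between the unbraced `if` and its `return (FALSE);`, which makes the statement easy to misread; moving the comment above the `if` or adding braces would avoid that.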