updated patch from Rob Holland, his commentary:

"Andreas Tille, the Debian WordNet maintainer, noticed a bug in my
patch. The bug is not security related, but causes incorrect behaviour
in WordNet.

I replaced a strncpy(s1, s2, strlen(s2)) with a strcpy forgetting that
strncpy invoked that way would always omit the trailing \0 (as the \0
would always be at strlen(s2) + 1). This resulted in a truncation of
output from WordNet which relied on the previous behavior which it
used to 'patch' s1. I've now adjusted the strncpy to be a memcpy and
added a comment, to make the intent of the code clear. (Using a str*
function when you don't wish any handling of \0 is unintuitive to me,
hence my mistake). [..] Apologies for the error."

thanks Rob for the exemplary handling of this advisory. Notifications
to package maintainers and follow-ups are almost unheard-of and very
welcome.
This commit is contained in:
sthen 2008-09-06 21:49:15 +00:00
parent dd7ddb7a1f
commit f6c9102d1a
2 changed files with 6 additions and 6 deletions

View File

@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.2 2008/09/01 20:02:53 sthen Exp $
# $OpenBSD: Makefile,v 1.3 2008/09/06 21:49:15 sthen Exp $
COMMENT= browser for a large lexical database of English
V= 3.0
DISTNAME= WordNet-$V
PKGNAME= wordnet-$Vp0
PKGNAME= wordnet-$Vp1
CATEGORIES= misc

View File

@ -1,6 +1,6 @@
$OpenBSD: patch-lib_search_c,v 1.1 2008/09/01 20:02:53 sthen Exp $
$OpenBSD: patch-lib_search_c,v 1.2 2008/09/06 21:49:15 sthen Exp $
--- lib/search.c.orig Wed Nov 29 21:02:21 2006
+++ lib/search.c Mon Sep 1 20:53:39 2008
+++ lib/search.c Sat Sep 6 22:44:37 2008
@@ -13,6 +13,7 @@
#include <stdlib.h>
#include <string.h>
@ -329,8 +329,8 @@ $OpenBSD: patch-lib_search_c,v 1.1 2008/09/01 20:02:53 sthen Exp $
bufstart++;
}
- strncpy(bufstart, tmpbuf, strlen(tmpbuf));
+ /* Dodgy...? */
+ strcpy(bufstart, tmpbuf);
+ /* Don't include the \0 */
+ memcpy(bufstart, tmpbuf, strlen(tmpbuf));
bufstart = searchbuffer + strlen(searchbuffer);
}
}