updated patch from Rob Holland, his commentary:
"Andreas Tille, the Debian WordNet maintainer, noticed a bug in my patch. The bug is not security related, but causes incorrect behaviour in WordNet. I replaced a strncpy(s1, s2, strlen(s2)) with a strcpy forgetting that strncpy invoked that way would always omit the trailing \0 (as the \0 would always be at strlen(s2) + 1). This resulted in a truncation of output from WordNet which relied on the previous behavior which it used to 'patch' s1. I've now adjusted the strncpy to be a memcpy and added a comment, to make the intent of the code clear. (Using a str* function when you don't wish any handling of \0 is unintuitive to me, hence my mistake). [..] Apologies for the error." thanks Rob for the exemplary handling of this advisory. Notifications to package maintainers and follow-ups are almost unheard-of and very welcome.
This commit is contained in:
parent
dd7ddb7a1f
commit
f6c9102d1a
@ -1,9 +1,9 @@
|
||||
# $OpenBSD: Makefile,v 1.2 2008/09/01 20:02:53 sthen Exp $
|
||||
# $OpenBSD: Makefile,v 1.3 2008/09/06 21:49:15 sthen Exp $
|
||||
COMMENT= browser for a large lexical database of English
|
||||
|
||||
V= 3.0
|
||||
DISTNAME= WordNet-$V
|
||||
PKGNAME= wordnet-$Vp0
|
||||
PKGNAME= wordnet-$Vp1
|
||||
|
||||
CATEGORIES= misc
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
$OpenBSD: patch-lib_search_c,v 1.1 2008/09/01 20:02:53 sthen Exp $
|
||||
$OpenBSD: patch-lib_search_c,v 1.2 2008/09/06 21:49:15 sthen Exp $
|
||||
--- lib/search.c.orig Wed Nov 29 21:02:21 2006
|
||||
+++ lib/search.c Mon Sep 1 20:53:39 2008
|
||||
+++ lib/search.c Sat Sep 6 22:44:37 2008
|
||||
@@ -13,6 +13,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@ -329,8 +329,8 @@ $OpenBSD: patch-lib_search_c,v 1.1 2008/09/01 20:02:53 sthen Exp $
|
||||
bufstart++;
|
||||
}
|
||||
- strncpy(bufstart, tmpbuf, strlen(tmpbuf));
|
||||
+ /* Dodgy...? */
|
||||
+ strcpy(bufstart, tmpbuf);
|
||||
+ /* Don't include the \0 */
|
||||
+ memcpy(bufstart, tmpbuf, strlen(tmpbuf));
|
||||
bufstart = searchbuffer + strlen(searchbuffer);
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user