Version in base suite: 15.6-2 Version in overlay suite: (not present) Base version: cscope_15.6-2 Target version: cscope_15.6-2+etch1 Base file: /org/ftp.debian.org/ftp/pool/main/c/cscope/cscope_15.6-2.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/cscope_15.6-2+etch1.dsc cscope-15.6/config.sub | 14 - cscope-15.6/debian/changelog | 7 cscope-15.6/debian/patches/00list | 1 debian/patches/04-cve-2009-0148.dpatch | 344 +++++++++++++++++++++++++++++++++ 4 files changed, 355 insertions(+), 11 deletions(-) diff -u cscope-15.6/config.sub cscope-15.6/config.sub --- cscope-15.6/config.sub +++ cscope-15.6/config.sub @@ -4,7 +4,7 @@ # 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation, # Inc. -timestamp='2006-09-20' +timestamp='2006-07-02' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -276,7 +276,6 @@ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ - | score \ | sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ @@ -285,7 +284,7 @@ | tahoe | thumb | tic4x | tic80 | tron \ | v850 | v850e \ | we32k \ - | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ + | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \ | z8k) basic_machine=$basic_machine-unknown ;; @@ -368,7 +367,7 @@ | tron-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ + | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \ | xstormy16-* | xtensa-* \ | ymp-* \ | z8k-*) @@ -910,10 +909,6 @@ sb1el) basic_machine=mipsisa64sb1el-unknown ;; - sde) - basic_machine=mipsisa32-sde - os=-elf - ;; sei) basic_machine=mips-sei os=-seiux 
@@ -1371,9 +1366,6 @@ # system, and we'll never get to this point. case $basic_machine in - score-*) - os=-elf - ;; spu-*) os=-elf ;; diff -u cscope-15.6/debian/patches/00list cscope-15.6/debian/patches/00list --- cscope-15.6/debian/patches/00list +++ cscope-15.6/debian/patches/00list @@ -1,0 +2 @@ +04-cve-2009-0148 diff -u cscope-15.6/debian/changelog cscope-15.6/debian/changelog --- cscope-15.6/debian/changelog +++ cscope-15.6/debian/changelog @@ -1,3 +1,10 @@ +cscope (15.6-2+etch1) oldstable-security; urgency=high + + * Security update to fix multiple buffer overflows (CVE-2009-0148). Patch by + Moritz Muehlenhoff and Matthew Murphy. + + -- Tobias Klauser Sat, 23 May 2009 15:54:31 +0200 + cscope (15.6-2) unstable; urgency=low * Fix crash on resize when used inside vim. Patch taken from upstream BTS only in patch2: unchanged: --- cscope-15.6.orig/debian/patches/04-cve-2009-0148.dpatch +++ cscope-15.6/debian/patches/04-cve-2009-0148.dpatch 
@@ -0,0 +1,344 @@
+#!/bin/sh /usr/share/dpatch/dpatch-run
+## 04-cve-2009-0148.dpatch
+##
+## DP: Fix for CVE-2009-0148 by Moritz Muehlenhoff and Matthew Murphy
+## DP: Closes: 528510
+
+diff --git a/src/build.c b/src/build.c
+index ada2ea1..717d618 100644
+--- a/src/build.c
++++ b/src/build.c
+@@ -223,7 +223,7 @@ build(void)
+ if (strcmp(currentdir, home) == 0) {
+ strcpy(newdir, "$HOME");
+ } else if (strncmp(currentdir, home, strlen(home)) == 0) {
+- sprintf(newdir, "$HOME%s", currentdir + strlen(home));
++ snprintf(newdir, sizeof(newdir), "$HOME%s", currentdir + strlen(home));
+ }
+ /* sort the source file names (needed for rebuilding) */
+ qsort(srcfiles, nsrcfiles, sizeof(char *), compare);
+@@ -454,7 +454,7 @@ cscope: converting to new symbol database file format\n");
+ }
+ fstat(fileno(postings), &statstruct);
+ fclose(postings);
+- sprintf(sortcommand, "env LC_ALL=C sort -T %s %s", tmpdir, temp1);
++ snprintf(sortcommand, sizeof(sortcommand), "env LC_ALL=C sort -T %s %s", tmpdir, temp1);
+ if ((postings = mypopen(sortcommand, "r")) == NULL) {
+ fprintf(stderr, "cscope: cannot open pipe to sort command\n");
+ cannotindex();
+diff --git a/src/command.c b/src/command.c
+index 0974352..8c9f277 100644
+--- a/src/command.c
++++ b/src/command.c
+@@ -739,7 +739,7 @@ changestring(void)
+
+ /* make sure it can be changed */
+ if (access(newfile, WRITE) != 0) {
+- sprintf(msg, "Cannot write to file %s", newfile);
++ snprintf(msg, sizeof(msg), "Cannot write to file %s", newfile);
+ postmsg(msg);
+ anymarked = NO;
+ break;
+diff --git a/src/dir.c b/src/dir.c
+index 5773231..33fd7d1 100644
+--- a/src/dir.c
++++ b/src/dir.c
+@@ -139,7 +139,7 @@ sourcedir(char *dirlist)
+
+ /* compute its path from higher view path source dirs */
+ for (i = 1; i < nvpsrcdirs; ++i) {
+- sprintf(path, "%.*s/%s",
++ snprintf(path, sizeof(path), "%.*s/%s",
+ PATHLEN - 2 - dir_len,
+ srcdirs[i], dir);
+ addsrcdir(path);
+@@ -207,7 +207,7 @@ includedir(char *dirlist)
+
+ /* compute its path
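Review bot: In the `@@ -454` hunk of src/build.c the bounded `snprintf` into `sortcommand` is not checked for truncation, so an over-long `tmpdir` or `temp1` leaves a shortened command string that is still handed to `mypopen`. Both values are also substituted unquoted; if `mypopen` runs the string through a shell (its definition is not in this hunk), whitespace or metacharacters in what appears to be a `TMPDIR`-derived path would change what gets executed. I would fail closed on truncation by taking the existing `cannotindex()` path, e.g. `if ((size_t)snprintf(sortcommand, sizeof(sortcommand), ...) >= sizeof(sortcommand)) cannotindex();`, and longer term start `sort` with an argument vector instead of a formatted string. The enclosing function starts and ends outside the hunk.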
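Review bot: In `sourcedir` (src/dir.c `@@ -139`) the precision `PATHLEN - 2 - dir_len` goes negative once `dir_len` exceeds `PATHLEN - 2`, and a negative `%.*s` precision is treated as if omitted, so the only remaining limit is the new `sizeof(path)` bound and the result is silently cut. The truncated `path` is then passed to `addsrcdir`, so the code may act on a name that refers to a different directory than the one requested. The same unchecked pattern recurs in `includedir`, `scan_dir` (which also drops its FIXME about `adir_len > PATHLEN`), `incfile`, `inviewpath`, `filepath` in src/edit.c and the `vpaccess`/`vpfopen`/`vpopen` hunks, where the truncated buffer feeds `access`, `myfopen` or `myopen`. I would test the return value and skip the entry, e.g. `if ((size_t)snprintf(path, sizeof(path), ...) >= sizeof(path)) continue;`. `dir_len` and `path` are declared outside the hunk.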
from higher view path source dirs */
+ for (i = 1; i < nvpsrcdirs; ++i) {
+- sprintf(path, "%.*s/%s",
++ snprintf(path, sizeof(path), "%.*s/%s",
+ PATHLEN - 2 - dir_len,
+ srcdirs[i], dir);
+ addincdir(dir, path);
+@@ -482,8 +482,6 @@ scan_dir(const char *adir, BOOL recurse_dir)
+ DIR *dirfile;
+ int adir_len = strlen(adir);
+
+- /* FIXME: no guards against adir_len > PATHLEN, yet */
+-
+ if ((dirfile = opendir(adir)) != NULL) {
+ struct dirent *entry;
+ char path[PATHLEN + 1];
+@@ -494,7 +492,7 @@ scan_dir(const char *adir, BOOL recurse_dir)
+ && (strcmp("..",entry->d_name) != 0)) {
+ struct stat buf;
+
+- sprintf(path,"%s/%.*s", adir,
++ snprintf(path, sizeof(path), "%s/%.*s", adir,
+ PATHLEN - 2 - adir_len,
+ entry->d_name);
+
+@@ -604,14 +602,14 @@ incfile(char *file, char *type)
+ /* search for the file in the #include directory list */
+ for (i = 0; i < nincdirs; ++i) {
+ /* don't include the file from two directories */
+- sprintf(name, "%.*s/%s",
++ snprintf(name, sizeof(name), "%.*s/%s",
+ PATHLEN - 2 - file_len, incnames[i],
+ file);
+ if (infilelist(name) == YES) {
+ break;
+ }
+ /* make sure it exists and is readable */
+- sprintf(path, "%.*s/%s",
++ snprintf(path, sizeof(path), "%.*s/%s",
+ PATHLEN - 2 - file_len, incdirs[i],
+ file);
+ if (access(compath(path), READ) == 0) {
+@@ -659,7 +657,7 @@ inviewpath(char *file)
+
+ /* compute its path from higher view path source dirs */
+ for (i = 1; i < nvpsrcdirs; ++i) {
+- sprintf(path, "%.*s/%s",
++ snprintf(path, sizeof(path), "%.*s/%s",
+ PATHLEN - 2 - file_len, srcdirs[i],
+ file);
+ if (access(compath(path), READ) == 0) {
+diff --git a/src/display.c b/src/display.c
+index 7ef03cb..dc81226 100644
+--- a/src/display.c
++++ b/src/display.c
+@@ -478,20 +478,20 @@ search(void)
+ /* see if it is empty */
+ if ((c = getc(refsfound)) == EOF) {
+ if (findresult != NULL) {
+- (void) sprintf(lastmsg, "Egrep %s in this pattern: %s",
++ (void) snprintf(lastmsg, sizeof(lastmsg), "Egrep %s in this pattern: %s",
+
findresult, Pattern);
+ } else if (rc == NOTSYMBOL) {
+- (void) sprintf(lastmsg, "This is not a C symbol: %s",
++ (void) snprintf(lastmsg, sizeof(lastmsg), "This is not a C symbol: %s",
+ Pattern);
+ } else if (rc == REGCMPERROR) {
+- (void) sprintf(lastmsg, "Error in this regcomp(3) regular expression: %s",
++ (void) snprintf(lastmsg, sizeof(lastmsg), "Error in this regcomp(3) regular expression: %s",
+ Pattern);
+
+ } else if (funcexist == NO) {
+- (void) sprintf(lastmsg, "Function definition does not exist: %s",
++ (void) snprintf(lastmsg, sizeof(lastmsg), "Function definition does not exist: %s",
+ Pattern);
+ } else {
+- (void) sprintf(lastmsg, "Could not find the %s: %s",
++ (void) snprintf(lastmsg, sizeof(lastmsg), "Could not find the %s: %s",
+ fields[field].text2, Pattern);
+ }
+ return(NO);
+@@ -527,17 +527,17 @@ progress(char *what, long current, long max)
+ move(MSGLINE, 0);
+ clrtoeol();
+ addstr(what);
+- sprintf(msg, "%ld", current);
++ snprintf(msg, sizeof(msg), "%ld", current);
+ move(MSGLINE, (COLS / 2) - (strlen(msg) / 2));
+ addstr(msg);
+- sprintf(msg, "%ld", max);
++ snprintf(msg, sizeof(msg), "%ld", max);
+ move(MSGLINE, COLS - strlen(msg));
+ addstr(msg);
+ refresh();
+ }
+ else if (verbosemode == YES)
+ {
+- sprintf(msg, "> %s %ld of %ld", what, current, max);
++ snprintf(msg, sizeof(msg), "> %s %ld of %ld", what, current, max);
+ }
+
+ start = now;
+@@ -575,7 +575,7 @@ myperror(char *text)
+ s = sys_errlist[errno];
+ }
+ #endif
+- (void) sprintf(msg, "%s: %s", text, s);
++ (void) snprintf(msg, sizeof(msg), "%s: %s", text, s);
+ postmsg(msg);
+ }
+
+@@ -647,11 +647,7 @@ posterr(char *msg, ...)
+ (void) vfprintf(stderr, msg, ap);
+ (void) fputc('\n', stderr);
+ } else {
+-#if HAVE_VSNPRINTF
+ vsnprintf(errbuf, sizeof(errbuf), msg, ap);
+-#else
+- vsprintf(errbuf, msg, ap);
+-#endif
+ postmsg2(errbuf);
+ }
+ }
+@@ -664,11 +660,7 @@ postfatal(const char *msg, ...)
+ char errbuf[MSGLEN];
+
+ va_start(ap, msg);
+-#if HAVE_VSNPRINTF
+ vsnprintf(errbuf, sizeof(errbuf), msg, ap);
+-#else
+- vsprintf(errbuf, msg, ap);
+-#endif
+ /* restore the terminal to its original mode */
+ if (incurses == YES) {
+ exitcurses();
+diff --git a/src/edit.c b/src/edit.c
+index 5d97949..89a4296 100644
+--- a/src/edit.c
++++ b/src/edit.c
+@@ -105,9 +105,9 @@ edit(char *file, char *linenum)
+ char *s;
+
+ file = filepath(file);
+- (void) sprintf(msg, "%s +%s %s", mybasename(editor), linenum, file);
++ (void) snprintf(msg, sizeof(msg), "%s +%s %s", mybasename(editor), linenum, file);
+ postmsg(msg);
+- (void) sprintf(plusnum, lineflag, linenum);
++ (void) snprintf(plusnum, sizeof(plusnum), lineflag, linenum);
+ /* if this is the more or page commands */
+ if (strcmp(s = mybasename(editor), "more") == 0 || strcmp(s, "page") == 0) {
+
+@@ -132,7 +132,7 @@ filepath(char *file)
+ static char path[PATHLEN + 1];
+
+ if (prependpath != NULL && *file != '/') {
+- (void) sprintf(path, "%s/%s", prependpath, file);
++ (void) snprintf(path, sizeof(path), "%s/%s", prependpath, file);
+ file = path;
+ }
+ return(file);
+diff --git a/src/exec.c b/src/exec.c
+index 7e4899d..467634e 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -123,7 +123,7 @@ myexecvp(char *a, char **args)
+
+ /* execute the program or shell script */
+ execvp(a, args); /* returns only on failure */
+- sprintf(msg, "\nCannot exec %s", a);
++ snprintf(msg, sizeof(msg), "\nCannot exec %s", a);
+ perror(msg); /* display the reason */
+ askforreturn(); /* wait until the user sees the message */
+ myexit(1); /* exit the child */
+diff --git a/src/find.c b/src/find.c
+index f6a6387..1d0a503 100644
+--- a/src/find.c
++++ b/src/find.c
+@@ -673,7 +673,7 @@ findinit(char *pattern)
+ /* must be an exact match */
+ /* note: regcomp doesn't recognize ^*keypad$ as a syntax error
+ unless it is given as a single arg */
+- (void) sprintf(buf, "^%s$", s);
++ (void) snprintf(buf, sizeof(buf), "^%s$", s);
+ if
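Review bot: `snprintf(plusnum, sizeof(plusnum), lineflag, linenum)` in `edit` (src/edit.c `@@ -105`) still uses `lineflag` as the format string, which the new size bound does not make safe. `lineflag` is defined outside this hunk; if it can be set from the environment or from configuration, any conversion other than a single `%s` makes the call consume arguments that were never passed. I would validate it where it is assigned, accepting only a value with exactly one `%s` and no other `%`, and document that here with a comment such as `/* lineflag is validated at startup: exactly one %s */`. Truncation of `msg` and `plusnum` is also unchecked, though for `msg` it only shortens a status line.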
(regcomp (®exp, buf, REG_EXTENDED | REG_NOSUB) != 0) {
+ return(REGCMPERROR);
+ }
+diff --git a/src/main.c b/src/main.c
+index ca90ea9..5bca752 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -359,7 +359,7 @@ cscope: TMPDIR to a valid directory\n");
+ /* create the temporary file names */
+ orig_umask = umask(S_IRWXG|S_IRWXO);
+ pid = getpid();
+- sprintf(tempdirpv, "%s/cscope.%d", tmpdir, pid);
++ snprintf(tempdirpv, sizeof(tempdirpv), "%s/cscope.%d", tmpdir, pid);
+ if(mkdir(tempdirpv,S_IRWXU)) {
+ fprintf(stderr, "\
+ cscope: Could not create private temp dir %s\n",
+@@ -368,8 +368,8 @@ cscope: Could not create private temp dir %s\n",
+ }
+ umask(orig_umask);
+
+- sprintf(temp1, "%s/cscope.1", tempdirpv);
+- sprintf(temp2, "%s/cscope.2", tempdirpv);
++ snprintf(temp1, sizeof(temp1), "%s/cscope.1", tempdirpv);
++ snprintf(temp2, sizeof(temp2), "%s/cscope.2", tempdirpv);
+
+ /* if running in the foreground */
+ if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
+@@ -389,12 +389,12 @@ cscope: Could not create private temp dir %s\n",
+ * used instead of failing to open a non-existant database in
+ * the home directory
+ */
+- sprintf(path, "%s/%s", home, reffile);
++ snprintf(path, sizeof(path), "%s/%s", home, reffile);
+ if (isuptodate == NO || access(path, READ) == 0) {
+ reffile = my_strdup(path);
+- sprintf(path, "%s/%s", home, invname);
++ snprintf(path, sizeof(path), "%s/%s", home, invname);
+ invname = my_strdup(path);
+- sprintf(path, "%s/%s", home, invpost);
++ snprintf(path, sizeof(path), "%s/%s", home, invpost);
+ invpost = my_strdup(path);
+ }
+ }
+@@ -728,22 +728,12 @@ cannotopen(char *file)
+ void
+ cannotwrite(char *file)
+ {
+-#if HAVE_SNPRINTF
+ char msg[MSGLEN + 1];
+
+ snprintf(msg, sizeof(msg), "Removed file %s because write failed", file);
+-#else
+- char *msg = mymalloc(50 + strlen(file));
+-
+- sprintf(msg, "Removed file %s because write failed", file);
+-#endif
+
+ myperror(msg); /* display the reason */
+
+-#if !HAVE_SNPRINTF
+- free(msg);
+-#endif
+-
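Review bot: In `findinit` (src/find.c `@@ -673`) a truncated `"^%s$"` loses its trailing `$`, so an over-long symbol would be compiled as a prefix pattern instead of the exact match the comment asks for, and `regcomp` would still succeed. The return value should be checked and the existing error path reused: `if ((size_t)snprintf(buf, sizeof(buf), "^%s$", s) >= sizeof(buf)) return(REGCMPERROR);`. The size of `buf` and the rest of `findinit` are outside the hunk.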
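Review bot: The temporary names in src/main.c (`@@ -359` and `@@ -368`) are built by three unchecked `snprintf` calls, so an over-long `tmpdir` gives a truncated `tempdirpv`, and `temp1` and `temp2`, which differ only in their final character, can then collapse to the same string if their buffers are no larger. `mkdir` and the later file creation would then operate on a location other than the intended private directory. I would compare each return value with the buffer size and exit the same way the `mkdir` failure branch does, starting with `if ((size_t)snprintf(tempdirpv, sizeof(tempdirpv), "%s/cscope.%d", tmpdir, pid) >= sizeof(tempdirpv))`. The `@@ -389` hunk has the same gap: a truncated `path` is copied by `my_strdup` and becomes the database file name. The buffer declarations are outside these hunks.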
+ unlink(file);
+ myexit(1); /* calls exit(2), which closes files */
+ }
+diff --git a/src/vpaccess.c b/src/vpaccess.c
+index cb56730..a3a7ad9 100644
+--- a/src/vpaccess.c
++++ b/src/vpaccess.c
+@@ -49,7 +49,7 @@ vpaccess(char *path, mode_t amode)
+ if ((returncode = access(path, amode)) == -1 && path[0] != '/') {
+ vpinit(NULL);
+ for (i = 1; i < vpndirs; i++) {
+- (void) sprintf(buf, "%s/%s", vpdirs[i], path);
++ (void) snprintf(buf, sizeof(buf), "%s/%s", vpdirs[i], path);
+ if ((returncode = access(buf, amode)) != -1) {
+ break;
+ }
+diff --git a/src/vpfopen.c b/src/vpfopen.c
+index bffbc20..b5f592c 100644
+--- a/src/vpfopen.c
++++ b/src/vpfopen.c
+@@ -53,7 +53,7 @@ vpfopen(char *filename, char *type)
+ ) {
+ vpinit(NULL);
+ for (i = 1; i < vpndirs; i++) {
+- (void) sprintf(buf, "%s/%s", vpdirs[i], filename);
++ (void) snprintf(buf, sizeof(buf), "%s/%s", vpdirs[i], filename);
+ if ((returncode = myfopen(buf, type)) != NULL) {
+ break;
+ }
+diff --git a/src/vpopen.c b/src/vpopen.c
+index 777f168..de7cc53 100644
+--- a/src/vpopen.c
++++ b/src/vpopen.c
+@@ -52,7 +52,7 @@ vpopen(char *path, int oflag)
+ oflag == OPENFLAG_READ) {
+ vpinit(NULL);
+ for (i = 1; i < vpndirs; i++) {
+- (void) sprintf(buf, "%s/%s", vpdirs[i], path);
++ (void) snprintf(buf, sizeof(buf), "%s/%s", vpdirs[i], path);
+ if ((returncode = myopen(buf, oflag, 0666)) != -1) {
+ break;
+ }