Your message dated Sat, 2 May 2015 01:14:41 +0200
with message-id <[email protected]>
and subject line Re: Bug#482538: ytalk: unsafe use of getenv
has caused the Debian Bug report #482538,
regarding ytalk: unsafe use of getenv
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
482538: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482538
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ytalk
Version: 3.3.0-5
Severity: minor

Hello,

Some time ago, I filed an RFE which resulted in the inclusion of
user.dpatch and shell.dpatch. Since then, I learned that the way I used
getenv there is unsafe (there may be another call to getenv or putenv
before the value returned by getenv is used, which can invalidate the
result). Since I did not notice any error in practice, I am rating this
as minor, but I felt that I should warn you.

In user.dpatch,

    return c;

should probably be replaced by something like:

    return strndup(c,12);

(I think 12 is the right number, but I don't know for sure, and the old
strdup may be safe enough to use on the output of getenv anyway)

and something similar should be done for the shell patch.

Sorry about the lousy patches... And please feel free to ignore this bug
if you believe it is not worth fixing.

-- System Information:
Debian Release: lenny/sid
  APT prefers stable
  APT policy: (500, 'stable'), (50, 'testing'), (10, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages ytalk depends on:
ii  libc6          2.7-10           GNU C Library: Shared libraries
ii  libncurses5    5.6+20080308-1   Shared libraries for terminal hand
ii  talkd          0.17-13          Remote user communication server

ytalk recommends no packages.

-- debconf-show failed
--- End Message ---
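The report's suggestion (copy getenv()'s result right away instead of returning the raw pointer) as an added C example; it is not part of the original thread or of ytalk's patches. The helper names env_dup and copy_survives_env_change, the DEMO_USER variable and its values are constructed for illustration; the 12-byte bound is the one floated in the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from ytalk): return a private heap copy of an
 * environment variable, truncated to at most max_len bytes, or NULL if the
 * variable is unset or allocation fails. The caller frees the result. */
char *env_dup(const char *name, size_t max_len)
{
    const char *v = getenv(name);   /* points into storage owned by libc */
    if (v == NULL)
        return NULL;
    /* Copy immediately, before any other getenv/setenv/putenv call. */
    return strndup(v, max_len);
}

/* Constructed scenario: the environment changes between lookup and use.
 * Returns 1 if the private copy kept its original value, 0 otherwise. */
int copy_survives_env_change(void)
{
    int ok;
    char *user;

    setenv("DEMO_USER", "alice", 1);
    user = env_dup("DEMO_USER", 12);
    if (user == NULL)
        return 0;

    /* Later calls may reuse or move the storage getenv() pointed at, so a
     * raw getenv() pointer held across them must not be dereferenced. */
    setenv("DEMO_USER", "someone-with-a-much-longer-name", 1);
    unsetenv("DEMO_USER");

    ok = (strcmp(user, "alice") == 0);
    free(user);
    return ok;
}

int main(void)
{
    printf("copy survives: %d\n", copy_survives_env_change());
    return 0;
}
```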
--- Begin Message ---
Version: 3.3.0-7

Hi,

Matthew Johnson wrote:
> On Fri May 23 15:01, Marc Glisse wrote:
> > Some time ago, I filed an RFE which resulted in the inclusion of
> > user.dpatch and shell.dpatch. Since then, I learned that the way I used
> > getenv there is unsafe (there may be another call to getenv or putenv
> > before the value returned by getenv is used, which can invalidate the
> > result). Since I did not notice any error in practice, I am rating this
> > as minor, but I felt that I should warn you.
>
> I have updated this in the repository and will make a normal upload to
> fix it at some point.

This has never happened so far and was now included in the 3.3.0-8
upload. See below for the full changelog since the previous upload to
Debian.

ytalk (3.3.0-8) unstable; urgency=medium

  * QA Upload

  [ Axel Beckert ]
  * Set Maintainer to Debian QA Group. (See #762556)
  * Merge in unreleased packaging by Matthew found in ytalk's collab-maint
    git repo and set the according changelog entries to UNRELEASED
  * Add Vcs-* headers
  * Update the package to point to the new upstream homepage at
    http://ytalk.ourproject.org/:
    + Add according Homepage header
    + Update watch file accordingly. (Closes: #550768)
    + Update URL in debian/copyright accordingly.
  * Take selected hunks from Jari's overzealous #669700 patch (see
    below). (Closes: #669700)
  * Apply wrap-and-sort.
  * Revamp debian/rules
    + Use dh_auto_{configure,build,install,clean}
    + Use dh_autotools-dev_{update,restore}config;
    + b-d on autotools-dev
    + Whitespace cleanup
    + Drop with compat level 9 unnecessary manual stamp file removal
    + Drop now unnecessary dh_install{dirs,changelogs} parameter
    + Finally switch to a minimal dh v7 style debian/rules file
  * Declare compliance with Debian Policy 3.9.6 (no other changes needed)
  * Add patch by Daniele Di Domizio to support long user names
    (Closes: #732630)
  * Add patch to fix spelling error found by lintian.
  * Add patch to fix man-page error found by lintian.

  [ Jari Aalto ]
  * Switch from dpatch to source format "3.0 (quilt)".
  * Add build-arch and build-indep targets. Fixes lintian warning
    debian-rules-missing-recommended-target.
  * Update debhelper compatibility to 9.
  * Add dependency on ${misc:Depends}. Fixes lintian warning
    debhelper-but-no-misc-depends.
  * Replace "dh_clean -k" by "dh_prep".

 -- Axel Beckert <[email protected]>  Fri, 01 May 2015 04:00:45 +0200

ytalk (3.3.0-7) UNRELEASED; urgency=low

  * Update user.dpatch and shell.dpatch to use getenv more safely.
    Suggested by Marc Glisse. (Closes: #482538)

 -- Matthew Johnson <[email protected]>  Fri, 30 May 2008 21:02:08 +0100

ytalk (3.3.0-6) UNRELEASED; urgency=low

  * Bump Standards-Version

 -- Matthew Johnson <[email protected]>  Tue, 05 Feb 2008 09:28:05 +0000

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <[email protected]>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
--- End Message ---

