Your message dated Thu, 18 Jun 2015 19:05:47 +0000
with message-id <[email protected]>
and subject line Bug#786844: fixed in xjdic 24-10
has caused the Debian Bug report #786844,
regarding xjdic: Multiple buffer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
786844: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xjdic
Version: 24-9
Severity: normal
Tags: upstream patch

[ Although buffer overflows are often regarded as security bugs, I'm
filing this bug with normal severity, on the advice of the security
team. ]


There are several possible buffer overflows throughout the xjdic code
(at least in the client).  The easiest one to trigger is by reading from
/dev/null:

  $ xjdic_sa < /dev/null > /dev/null
  *** buffer overflow detected ***: /usr/bin/xjdic_sa terminated
  [...]

This is due to xjdic usually not checking getchar() for EOF (if not
storing its return value outright in an unsigned char), thus appending
it to its output buffer in an infinite loop.


The one that prompted me to file this bug report occurs when reading a
romaji string of 10 kana or more: simply typing "@aaaaaaaaaa" will crash
the client.  (Only romaji is affected; inputting kana directly works
fine.)  This is due to tempout[] being woefully short at 80 bytes; I'm
attaching a patch that pushes that limit far enough for any EDICT entry.
(This isn't an actual fix; the client will still crash, only it will
take an unusually long input string for this to happen.)


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

From 9b78d4ecf5a589a7bcd1d22da6b952df99e2be88 Mon Sep 17 00:00:00 2001
From: Frédéric Brière <[email protected]>
Date: Tue, 19 May 2015 19:04:46 -0400
Subject: [PATCH] Allocate enough space for romaji input strings of up to 50 kana
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Various buffer overflows will occur once a romaji input string goes over
a certain length.  This patch does not actually fix the problem, but
merely pushes that limit beyond 50 kana, which is the length of the
largest string[1] found in EDICT so far.

 [1] プログラムせいぎょしきおよびキーボードせいぎょしきのアドレスしていかのうなきおくいきをもつけいさんき
---
 xjdfrontend.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/xjdfrontend.c b/xjdfrontend.c
index 92ec03d..800afe1 100644
--- a/xjdfrontend.c
+++ b/xjdfrontend.c
@@ -98,7 +98,7 @@ int extlen,extjdxlen;
 unsigned char kmodes[2][10] = {"ON","OFF"};
 unsigned char kmodes_r[2][10] = {"OFF","ON"};
 unsigned long chline,chpos,it;
-unsigned char strfilt[10],tempout[80];
+unsigned char strfilt[10],tempout[256];
 unsigned char KSname[50] = {"kanjstroke"};
 unsigned char RKname[50] = {"radkfile"};
 unsigned char Rname[50] = {"radicals.tm"};
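Review bot: The size bump from `-unsigned char strfilt[10],tempout[80];` to `+unsigned char strfilt[10],tempout[256];` leaves the write into tempout unbounded, so, as the commit message itself admits, the overflow still triggers once a romaji string expands to more than 255 bytes of output. Suggest pairing the larger array with a capacity check at the site that fills tempout (compare the running length against sizeof(tempout) before each append and truncate or reject the input), and giving the size a named constant so the declaration and the check cannot drift apart.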
@@ -115,7 +115,7 @@ int jiver = 14;		/*The last time the index structure changed was Version1.4*/
 unsigned char sver[] = {SVER};
 unsigned char fbuff[512],KLine[KFBUFFSIZE],karray[KANJARRAYSIZE][5];
 unsigned char LogLine[200];
-unsigned char ksch[50],ktarg[50];
+unsigned char ksch[128],ktarg[128];
 /* The following Help table has "~" to force spaces   */
 unsigned char Help[40][81] = {
 "\n~~~~~~~~~~~~~~~~~~XJDIC USAGE SUMMARY ",
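Review bot: `ksch[50],ktarg[50]` become `ksch[128],ktarg[128]` here, but nothing in the hunk shows the copies into these two buffers being limited to the new size, so widening them carries the same residual overflow as the tempout change above. Suggest a `#define` for the buffer size that both the declaration and the code filling ksch/ktarg use, and a sentence in the commit message on which input paths reach these buffers, so a reviewer can confirm that 128 bytes actually covers the 50-kana bound cited in the description.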
-- 
2.1.4


--- End Message ---
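The two defects the report describes, an EOF check defeated by storing getchar()'s result in an unsigned char and a fixed-size output buffer filled without a capacity check, shown beside their bounded counterparts, as an added C example; this is neither xjdic's code nor the reporter's patch. The mem_stream reader, the two-byte kana expansion and the 300-byte input line are constructed stand-ins for stdin, for xjdic's romaji-to-kana conversion and for a long input respectively.

```c
#include <stdio.h>
#include <string.h>

/* Constructed in-memory input standing in for stdin, so the example runs
 * without a terminal.  mem_getc() behaves like getchar(): it returns the
 * next byte as a non-negative int, or EOF once the data is exhausted. */
typedef struct { const char *data; size_t pos; } mem_stream;

static int mem_getc(mem_stream *s)
{
    if (s->data[s->pos] == '\0')
        return EOF;
    return (unsigned char)s->data[s->pos++];
}

/* First defect: getchar() returns an int precisely so that EOF (-1) is
 * distinct from every byte value.  Stored in an unsigned char it becomes
 * 255, `c == EOF` can never be true, and a read loop keeps appending 0xFF
 * bytes until the buffer is overrun.  Returns 1 when the EOF check is lost. */
int eof_lost_in_unsigned_char(void)
{
    unsigned char c = (unsigned char)EOF;   /* what `unsigned char c = getchar();` yields at EOF */
    return (c == EOF) ? 0 : 1;              /* c promotes to 255, EOF is -1 */
}

/* Corrected reader: keeps the int result, stops on EOF or newline, and never
 * writes more than cap-1 bytes plus the terminator.  Returns the number of
 * bytes stored; *truncated is set when part of the line had to be dropped. */
size_t read_line_bounded(mem_stream *in, char *buf, size_t cap, int *truncated)
{
    size_t n = 0;
    int ch;

    *truncated = 0;
    if (cap == 0)
        return 0;
    while ((ch = mem_getc(in)) != EOF && ch != '\n') {
        if (n + 1 >= cap) {             /* no room left before the NUL */
            *truncated = 1;
            while ((ch = mem_getc(in)) != EOF && ch != '\n')
                ;                       /* drain the rest of the line */
            break;
        }
        buf[n++] = (char)ch;
    }
    buf[n] = '\0';
    return n;
}

/* Second defect: a fixed output buffer filled by an expansion step.  Here
 * every input byte becomes one two-byte EUC-JP hiragana (a constructed
 * stand-in for romaji-to-kana conversion).  The capacity check before each
 * write is what the tempout[80] code lacked.  Returns 0 on success, -1 if
 * the output would have overflowed. */
int expand_bounded(const char *in, char *out, size_t cap)
{
    const char kana[] = "\xa4\xa2";     /* EUC-JP hiragana 'a' */
    size_t klen = strlen(kana), n = 0;

    if (cap == 0)
        return -1;
    for (; *in; in++) {
        if (n + klen >= cap) {          /* would leave no room for the NUL */
            out[n] = '\0';
            return -1;
        }
        memcpy(out + n, kana, klen);
        n += klen;
    }
    out[n] = '\0';
    return 0;
}

/* Wrappers over an 80-byte buffer (the size of xjdic's original tempout)
 * and a constructed 300-byte input line, so results can be checked directly. */
static const char *long_input(void)
{
    static char big[301];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

int demo_read_len(const char *input)
{
    char buf[80]; int t; mem_stream s = { input, 0 };
    return (int)read_line_bounded(&s, buf, sizeof buf, &t);
}

int demo_read_truncated(const char *input)
{
    char buf[80]; int t; mem_stream s = { input, 0 };
    read_line_bounded(&s, buf, sizeof buf, &t);
    return t;
}

int demo_expand(const char *input)
{
    char out[80];
    return expand_bounded(input, out, sizeof out);
}

int main(void)
{
    printf("EOF check defeated by unsigned char: %d\n", eof_lost_in_unsigned_char());
    printf("empty input stores %d bytes\n", demo_read_len(""));
    printf("300-byte line stores %d bytes, truncated=%d\n",
           demo_read_len(long_input()), demo_read_truncated(long_input()));
    printf("expanding 10 bytes: %d, 300 bytes: %d\n",
           demo_expand("aaaaaaaaaa"), demo_expand(long_input()));
    return 0;
}
```

The empty-input case is the `xjdic_sa < /dev/null` run from the report: with the int-typed check the loop ends at once and stores nothing, whereas the unsigned-char version never sees EOF. The 300-byte line exercises the second case, where the reader and the expander both stop at the buffer's capacity instead of writing past it.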
--- Begin Message ---
Source: xjdic
Source-Version: 24-10

We believe that the bug you reported is fixed in the latest version of
xjdic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Drolez <[email protected]> (supplier of updated xjdic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 17 Jun 2015 21:16:03 +0200
Source: xjdic
Binary: xjdic
Architecture: source i386
Version: 24-10
Distribution: unstable
Urgency: medium
Maintainer: Ludovic Drolez <[email protected]>
Changed-By: Ludovic Drolez <[email protected]>
Description:
 xjdic      - Japanese-English dictionary search program
Closes: 716509 716514 740227 748419 786844
Changes:
 xjdic (24-10) unstable; urgency=medium
 .
   * Fixed buffer overrun bugs in xjdfrontend.c. Closes: #786844
   * Fixed the 2 Mayhem bugs. Closes: #716509, #716514
     But there are waaaay more bugs left in the code, a complete rewrite of
     xjdic would be more simple...
   * Fixed the clang compile bugs. Closes: #740227, #748419
Checksums-Sha1:
 20e673e3b490984d959c954361f4be61861dd56e 1238 xjdic_24-10.dsc
 7b3a78366854fdc1f7d91f27466867f49fe6a9d3 10425 xjdic_24-10.diff.gz
 0afef6fa9a1d75566268387232ba2fe8d3d93d85 126862 xjdic_24-10_i386.deb
Checksums-Sha256:
 b0a04d5898c2d2e08697b18aeb3bf6a4676be186f592ebed73d3889b63adf103 1238 xjdic_24-10.dsc
 d9217cfc2c74e1c84aa8382d8a404dcbb36aad52fa9ed8dfb1bab966036c6ea6 10425 xjdic_24-10.diff.gz
 eb34ed0f55597a46762cce0fc909acea8889d84d288f6f7781f1306a4f035256 126862 xjdic_24-10_i386.deb
Files:
 a90d1ef0a65806c7e8fe6ffd644ccaa7 1238 text optional xjdic_24-10.dsc
 3c4b5a3a98374c225ce4a6c9ec620f2d 10425 text optional xjdic_24-10.diff.gz
 1f5647fe9dcc0fde99bbbd18bae01969 126862 text optional xjdic_24-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVgxWxAAoJED6rsctUCn5o+4cH/i+m854KeXICVqVbBkoYWqji
Ug/ee+79TY8uumQhnvPtxdUrze8dWFDn2aMmg5NC0YNBOWdKNhPjynjjEhxkQ46j
GbgUNbCeWzVajWsgFADIXevdsVcQStLtqswfWBSPm8wvi8Ixatour9IKcDPrNjFS
cTtCfVIZxyC7jVYL5jhr5vVrSaTcrZ+yD2z94kSFPcd9JTrSceRHtS2nvmQPk4H9
Okk7axbP4zNMS9T7ryuD/NPSqYBc6WwJVoOndgWvvXUyoKBgjkc5zYWsv9geqQZM
U6dawrOGjHZqaNKqBR9/hEZmKNg4n4DCXta2+p5kNMCQvAYPoqbroas0erNBeBU=
=hObR
-----END PGP SIGNATURE-----

--- End Message ---
