Hello,
I decided to apply the following patch (attached) to ktools in order
to avoid security
problem in centericq. I am waiting for better patch from upstream and
will include it
as soon as it will be available.
Best Regards.
Julien Lemoine.
#! /bin/sh -e
## vgetstring.dpatch by Julien LEMOINE <[EMAIL PROTECTED]>
##
## DP: fix buffer overflow in VGETSTRING macro by replacing vsprintf by
vsnprintf
[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
patch_opts="${patch_opts:--f --no-backup-if-mismatch}"
if [ $# -ne 1 ]; then
echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
exit 1
fi
case "$1" in
-patch) patch $patch_opts -p1 < $0;;
-unpatch) patch $patch_opts -p1 -R < $0;;
*)
echo >&2 "`basename $0`: script expects -patch|-unpatch as argum
ent"
exit 1;;
esac
exit 0
diff -bBdNrw -U5 centericq-4.21.0/kkstrtext-0.1/kkstrtext.h
centericq-4.21.0.modif/kkstrtext-0.1/kkstrtext.h
--- centericq-4.21.0/kkstrtext-0.1/kkstrtext.h 2004-11-18 00:00:38.000000000
+0100
+++ centericq-4.21.0.modif/kkstrtext-0.1/kkstrtext.h 2005-11-30
08:41:58.000000000 +0100
@@ -85,11 +85,11 @@
#define VGETSTRING(c, fmt) \
{ \
va_list vgs__ap; char vgs__buf[1024]; \
va_start(vgs__ap, fmt); \
- vsprintf(vgs__buf, fmt, vgs__ap); c = vgs__buf; \
+ vsnprintf(vgs__buf, 1024, fmt, vgs__ap); c = vgs__buf; \
va_end(vgs__ap); \
}
string justfname(const string &fname);
string justpathname(const string &fname);