Hi, I backported the upstream patch to emacs21. Attached is a patch for an NMU. It will be also archived on: http://people.debian.org/~nion/nmu-diff/emacs21-21.4a+1-5.1_21.4a+1-5.2.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u emacs21-21.4a+1/debian/changelog emacs21-21.4a+1/debian/changelog --- emacs21-21.4a+1/debian/changelog +++ emacs21-21.4a+1/debian/changelog @@ -1,3 +1,14 @@ +emacs21 (21.4a+1-5.2) unstable; urgency=high + + * Non-maintainer upload by testing-security team. + * This update addresses the following security issue: + - CVE-2007-6109: A stack-based buffer overflow in the format function + when dealing with high precision values could lead to arbitrary code + execution. + Added upstream patch (CVE-2007-6109.diff) to fix this (Closes: #455433). + + -- Nico Golde <[EMAIL PROTECTED]> Mon, 10 Dec 2007 16:58:47 +0100 + emacs21 (21.4a+1-5.1) unstable; urgency=high * Non-maintainer upload by the testing-security team diff -u emacs21-21.4a+1/debian/patches/series emacs21-21.4a+1/debian/patches/series --- emacs21-21.4a+1/debian/patches/series +++ emacs21-21.4a+1/debian/patches/series @@ -35,2 +35,3 @@ autofiles.diff +CVE-2007-6109.diff CVE-2007-2833.diff only in patch2: unchanged: --- emacs21-21.4a+1.orig/debian/patches/CVE-2007-6109.diff +++ emacs21-21.4a+1/debian/patches/CVE-2007-6109.diff @@ -0,0 +1,66 @@ +diff -Nurad emacs21-21.4a+1~/src/editfns.c emacs21-21.4a+1/src/editfns.c +--- emacs21-21.4a+1~/src/editfns.c 2007-12-10 17:41:03.000000000 +0100 ++++ emacs21-21.4a+1/src/editfns.c 2007-12-10 17:49:05.000000000 +0100 +@@ -3209,8 +3209,11 @@ + precision = 10 * precision + *format - '0'; + } + +- if (format - this_format_start + 1 > longest_format) +- longest_format = format - this_format_start + 1; ++ /* Extra +1 for 'l' that we may need to insert into the ++ format. */ ++ if (format - this_format_start + 2 > longest_format) ++ longest_format = format - this_format_start + 2; ++ + + if (format == end) + error ("Format string ends in middle of format specifier"); +@@ -3266,7 +3269,7 @@ + && *format != 'i' && *format != 'X' && *format != 'c') + error ("Invalid format operation %%%c", *format); + +- thissize = 30; ++ thissize = 30 + (precision > 0 ? precision : 0); + if (*format == 'c' + && (! SINGLE_BYTE_CHAR_P (XINT (args[n])) + || XINT (args[n]) == 0)) +@@ -3414,10 +3417,35 @@ + format - this_format_start); + this_format[format - this_format_start] = 0; + +- if (INTEGERP (args[n])) +- sprintf (p, this_format, XINT (args[n])); +- else +- sprintf (p, this_format, XFLOAT_DATA (args[n])); ++ if (format[-1] == 'e' || format[-1] == 'f' || format[-1] == 'g') ++ sprintf (p, this_format, XFLOAT_DATA (args[n])); ++ else ++ { ++ if (sizeof (EMACS_INT) > sizeof (int)) ++ { ++ /* Insert 'l' before format spec. */ ++ this_format[format - this_format_start] ++ = this_format[format - this_format_start - 1]; ++ this_format[format - this_format_start - 1] = 'l'; ++ this_format[format - this_format_start + 1] = 0; ++ } ++ ++ if (INTEGERP (args[n])) ++ { ++ if (format[-1] == 'd') ++ sprintf (p, this_format, XINT (args[n])); ++ /* Don't sign-extend for octal or hex printing. */ ++ else ++ sprintf (p, this_format, XUINT (args[n])); ++ } ++ else if (format[-1] == 'd') ++ /* Maybe we should use "%1.0f" instead so it also works ++ for values larger than MAXINT. */ ++ sprintf (p, this_format, (EMACS_INT) XFLOAT_DATA (args[n])); ++ else ++ /* Don't sign-extend for octal or hex printing. */ ++ sprintf (p, this_format, (EMACS_UINT) XFLOAT_DATA (args[n])); ++ } + + if (p > buf + && multibyte
pgpEzhOfAmZCB.pgp
Description: PGP signature