Hi, I backported the upstream patch to emacs21. Attached is a patch for an NMU. It will also be archived at: http://people.debian.org/~nion/nmu-diff/emacs21-21.4a+1-5.1_21.4a+1-5.2.patch

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u emacs21-21.4a+1/debian/changelog emacs21-21.4a+1/debian/changelog
--- emacs21-21.4a+1/debian/changelog
+++ emacs21-21.4a+1/debian/changelog
@@ -1,3 +1,14 @@
+emacs21 (21.4a+1-5.2) unstable; urgency=high
+
+ * Non-maintainer upload by testing-security team.
+ * This update addresses the following security issue:
+ - CVE-2007-6109: A stack-based buffer overflow in the format function
+ when dealing with high precision values could lead to arbitrary code
+ execution.
+ Added upstream patch (CVE-2007-6109.diff) to fix this (Closes: #455433).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 10 Dec 2007 16:58:47 +0100
+
emacs21 (21.4a+1-5.1) unstable; urgency=high
* Non-maintainer upload by the testing-security team
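Review bot: the changelog entry names the fix only as "upstream patch (CVE-2007-6109.diff)" without saying which upstream commit or release the backport was taken from; please add that reference so the origin of the editfns.c changes can be checked later. Minor: "Non-maintainer upload by testing-security team" drops the article that the 5.1 entry directly below uses ("by the testing-security team"); keep the two consistent.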
diff -u emacs21-21.4a+1/debian/patches/series emacs21-21.4a+1/debian/patches/series
--- emacs21-21.4a+1/debian/patches/series
+++ emacs21-21.4a+1/debian/patches/series
@@ -35,2 +35,3 @@
autofiles.diff
+CVE-2007-6109.diff
CVE-2007-2833.diff
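Review bot: CVE-2007-6109.diff is inserted between autofiles.diff and CVE-2007-2833.diff rather than appended at the end of the series. quilt applies patches in this order, so if CVE-2007-2833.diff touches src/editfns.c its context will now be applied on top of the new hunks; unless CVE-2007-6109.diff was deliberately generated against the tree at that point in the series, appending it after CVE-2007-2833.diff is the safer placement.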
only in patch2:
unchanged:
--- emacs21-21.4a+1.orig/debian/patches/CVE-2007-6109.diff
+++ emacs21-21.4a+1/debian/patches/CVE-2007-6109.diff
@@ -0,0 +1,66 @@
+diff -Nurad emacs21-21.4a+1~/src/editfns.c emacs21-21.4a+1/src/editfns.c
+--- emacs21-21.4a+1~/src/editfns.c 2007-12-10 17:41:03.000000000 +0100
++++ emacs21-21.4a+1/src/editfns.c 2007-12-10 17:49:05.000000000 +0100
+@@ -3209,8 +3209,11 @@
+ precision = 10 * precision + *format - '0';
+ }
+
+- if (format - this_format_start + 1 > longest_format)
+- longest_format = format - this_format_start + 1;
++ /* Extra +1 for 'l' that we may need to insert into the
++ format. */
++ if (format - this_format_start + 2 > longest_format)
++ longest_format = format - this_format_start + 2;
++
+
+ if (format == end)
+ error ("Format string ends in middle of format specifier");
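Review bot: the added empty "++" line directly before the existing blank context line leaves two consecutive blank lines after the longest_format update; drop the added one. It would also help to extend the "Extra +1 for 'l'" comment with a pointer to the place where the 'l' is actually inserted (the sprintf block in the last hunk), since that later code writes a terminator at this_format[format - this_format_start + 1] and silently relies on the +2 computed here.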
+@@ -3266,7 +3269,7 @@
+ && *format != 'i' && *format != 'X' && *format != 'c')
+ error ("Invalid format operation %%%c", *format);
+
+- thissize = 30;
++ thissize = 30 + (precision > 0 ? precision : 0);
+ if (*format == 'c'
+ && (! SINGLE_BYTE_CHAR_P (XINT (args[n]))
+ || XINT (args[n]) == 0))
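Review bot: precision is accumulated unbounded in the digit loop shown in the first hunk (precision = 10 * precision + *format - '0'), so "30 + (precision > 0 ? precision : 0)" can be computed from an int that has already wrapped around, or can drive the per-spec size to a value that overflows the running total for the output buffer. Please cap precision (or reject the format with error) before it is added to thissize. Also worth confirming in the same place that the fixed 30-byte allowance still covers the non-precision part of the output for the 'e', 'f' and 'g' conversions this size is applied to.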
+@@ -3414,10 +3417,35 @@
+ format - this_format_start);
+ this_format[format - this_format_start] = 0;
+
+- if (INTEGERP (args[n]))
+- sprintf (p, this_format, XINT (args[n]));
+- else
+- sprintf (p, this_format, XFLOAT_DATA (args[n]));
++ if (format[-1] == 'e' || format[-1] == 'f' || format[-1] == 'g')
++ sprintf (p, this_format, XFLOAT_DATA (args[n]));
++ else
++ {
++ if (sizeof (EMACS_INT) > sizeof (int))
++ {
++ /* Insert 'l' before format spec. */
++ this_format[format - this_format_start]
++ = this_format[format - this_format_start - 1];
++ this_format[format - this_format_start - 1] = 'l';
++ this_format[format - this_format_start + 1] = 0;
++ }
++
++ if (INTEGERP (args[n]))
++ {
++ if (format[-1] == 'd')
++ sprintf (p, this_format, XINT (args[n]));
++ /* Don't sign-extend for octal or hex printing. */
++ else
++ sprintf (p, this_format, XUINT (args[n]));
++ }
++ else if (format[-1] == 'd')
++ /* Maybe we should use "%1.0f" instead so it also works
++ for values larger than MAXINT. */
++ sprintf (p, this_format, (EMACS_INT) XFLOAT_DATA (args[n]));
++ else
++ /* Don't sign-extend for octal or hex printing. */
++ sprintf (p, this_format, (EMACS_UINT) XFLOAT_DATA (args[n]));
++ }
+
+ if (p > buf
+ && multibyte
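Review bot: the signed/unsigned split keys only on format[-1] == 'd', but the error check in the previous hunk also admits 'i' as a valid integer conversion; an integer argument printed with "%i" therefore falls into the XUINT branch under the "Don't sign-extend for octal or hex printing" comment, and a float argument printed with "%i" is cast to EMACS_UINT. Change both tests to (format[-1] == 'd' || format[-1] == 'i'). Two smaller points in the same block: the 'l' insertion assumes that whenever sizeof (EMACS_INT) > sizeof (int) the type is exactly long, so "%ld" is correct; please state that assumption in the comment. And the (EMACS_INT) / (EMACS_UINT) casts of XFLOAT_DATA are undefined behaviour in C when the double is outside the target range, which the "values larger than MAXINT" comment already hints at; a range check before the cast, or the "%1.0f" route the comment suggests, would close that.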