Re: (UPDATED) mass bug filing for undefined sn?printf use

2009-01-06 Thread Aaron M. Ucko
Kees Cook k...@debian.org writes:

 Aaron M. Ucko u...@debian.org
ncbi-tools6

Not any more; I uploaded a fixed version (6.1.20080302-4) more than a
week ago, and it's even propagated to lenny because the release team
honored my request to unblock it.  (Thanks!)  I just hadn't previously
bothered replying to the thread, even privately.

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?...@monk.mit.edu





Re: (UPDATED) mass bug filing for undefined sn?printf use

2009-01-04 Thread gregor herrmann
On Sat, 03 Jan 2009 12:27:46 -0800, Kees Cook wrote:

 Attached is the updated list, 

libpar-packer-perl:
Ryan Niebur has kindly provided a patch, and I've built, tested and
uploaded 0.982-2 with the patch included.

Cheers,
gregor 
-- 
 .''`.   Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin,  developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-NP: Joint Venture: Deine Frau




Re: (UPDATED) mass bug filing for undefined sn?printf use

2009-01-03 Thread Kees Cook
On Thu, Jan 01, 2009 at 10:50:49AM -0800, Kees Cook wrote:
 On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
  While fixing one of the affected packages, I discovered that it was
  using similarly problematic syntax to act as a strcat replacement of the
  form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch.  I
  can't imagine that's a common mistake, but it's easy enough to match on
  as well:
  
  pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'
 
 Oh!  Good catch, thank you.  I've started a re-run with the regex changed.
 So far, it's already caught new stuff.  I'll post updated details once it
 has finished.

Attached is the updated list, which includes 57 new hits, and adds
additional lines of affected code to gabedit, blender, desmume, and
gpe-conf.  I have a dump of the diff between the logs here[1].  The old
logs have been moved to the 2008-12 subdirectory[2].

The handled list is here[3] and should reflect all the replies to
this thread so far (if I missed something, please let me know and I'll
get it fixed).  The current list of affected Debian packages is here[4],
attached, and also with the dd-list output.

At what point should I convert this list into an actual mass-bug-filing?

Thanks!

-Kees

[1] http://people.ubuntu.com/~kees/sprintf-glibc/changed.diff
[2] http://people.ubuntu.com/~kees/sprintf-glibc/2008-12/
[3] http://people.ubuntu.com/~kees/sprintf-glibc/data/handled.pkgs
[4] http://people.ubuntu.com/~kees/sprintf-glibc/debian

-- 
Kees Cook@debian.org
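The strcat idiom and the pcregrep pattern quoted above, as an added detector that is not part of the thread: Python's re module accepts this PCRE syntax, the quotes the archive dropped are restored, and, as an extension beyond the message, an optional size argument lets it catch the snprintf form as well. The sample C source is constructed for the demonstration.

```python
import re

# Pattern from the thread (quotes restored where the archive dropped them):
# a sprintf whose destination buffer is also the argument that fills the
# leading %s, i.e. the strcat idiom  sprintf(buf, "%s\n", buf).
# Extension made here, not in the thread: an optional size argument, so the
# snprintf(buf, sizeof(buf), "%s...", buf) form is caught too.
SELF_REF_PRINTF = re.compile(
    r'(?P<func>\w*sn?printf)\s*\(\s*'   # sprintf( / snprintf( / g_snprintf(
    r'(?P<buf>[^,()]+?)\s*,\s*'         # destination buffer expression
    r'(?:[^,"]+,\s*)?'                  # optional size argument (snprintf)
    r'"%s[^"]*"\s*,\s*'                 # string literal starting with %s ...
    r'(?P=buf)\s*[,)]'                  # ... fed from the same buffer
)


def find_self_referential_printf(source):
    """Return (line, function, buffer) for every hit in a C source text.

    \\s spans newlines, so like `pcregrep -M` a call split over two lines
    is still found; it is reported at the line where the call starts.
    Destination expressions containing parentheses are not considered.
    """
    hits = []
    for m in SELF_REF_PRINTF.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        hits.append((line, m.group("func"), m.group("buf").strip()))
    return hits


# Constructed sample C source (not taken from any package in the list).
SAMPLE = r'''
static char buf[256];
void log_it(const char *s) {
    sprintf(buf, "%s\n", buf);                 /* strcat idiom: src and dst overlap */
    sprintf(buf, "%s %s", buf, s);             /* appends s, same overlap */
    snprintf(buf, sizeof(buf), "%s%s", buf, s);/* snprintf form of the same bug */
    sprintf(buf, "%s\n", s);                   /* fine: source is a different buffer */
    snprintf(buf, sizeof(buf),
             "%s-%s", buf, s);                 /* split over two lines */
    sprintf(buf, "%d %s", 1, buf);             /* also undefined, but %s is not first: missed */
}
'''

if __name__ == "__main__":
    for line, func, buf in find_self_referential_printf(SAMPLE):
        print(f"line {line}: {func}() both reads and writes {buf!r}")
```

The last sample line shows the limit of the pattern: overlap where %s is not the first conversion is just as undefined but needs a different search.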
abiword
apache2
apr-util
binutils
cricket
curl
db4.2
espeak
evolution-data-server
gdb
ggz-client-libs
gcc-4.1
gcc-4.2
gcc-4.3
isdnutils
kdeedu
kino
lftp
libopenobex
nagios-plugins
mysql-dfsg-5.0
nas
python-numpy
sane-backends
scrollkeeper
shadow
unixodbc
wacom-tools
xscreensaver
4g8
adplug
afnix
afterstep
amideco
aqualung
arrayprobe
audacious-plugins
avr-evtd
barnowl
barrage
billard-gl
binutils-h8300-hms
binutils-m68hc1x
binutils-avr
black-box
blender
blobwars
blobandconquer
bochs
bomberclone
ace
bumprace
cal
canna
cbflib
cdw
cfs
chinput
cpad-kernel
criticalmass
crossfire
cpqarrayd
ctn
dact
dc-qt
desmume
dwww
dx
ebview
echoping
eggdrop
emil
epiphany
ettercap
freedink
fvwm
gabedit
gaby
gamix
gatos
gcc-3.3
gcl
gcc-m68hc1x
gcolor2
gcom
gclcvs
gdal
gdb-avr
gdb-m68hc1x
gcc-3.4
gcc-snapshot
gdis
genesis
glide
gmult
gmt
gnat-gps
gnuchess
gnuplot
gpe-conf
gplcver
gpstrans
grace
grass
gridengine
grmonitor
gtk+extra2
gtk-imonc
htdig
hypermail
ifmail
insight
ircd-hybrid
ircii
ircd-ratbox
kasablanca
kover
l2tpns
lcd4linux
lesstif2
libcdk5
libgsl-ruby
liblunar
libpar-packer-perl
libsmi
libstatgrab
logtool
lopster
ltp
luola
mafft
man2html
mapserver
med-fichier
micro-evtd
mindi-busybox
mod-bt
mondo
mozart
mp3rename
mp3splt
mrpt
multi-aterm
mysql-gui-tools
nap
ncmpc
ncbi-tools6
netatalk
nws
oftc-hybrid
ogdi-dfsg
openmx
osdsh
osiris
owl
packit
paraview
pari
pcsx
pcsx-df
pennmush
penguin-command
player
plib
pload
plotmtv
pocketpc-gas
pocketpc-binutils
prismstumbler
psemu-video-x11
psqlodbc
qpopper
restartd
rockdodger
root-system
rudiments
screader
scummvm
sextractor
sidplay
sidplay-libs
sip-tester
slony1
smsclient
sqlrelay
starfighter
swish-e
symmetrica
tack
tcpick
tcptrack
tetrinetx
tgif
tightvnc
timidity
tn5250
trueprint
uclmmbase
ude
uim
unicon
uucpsend
varkon
vbpp
user-mode-linux
vdr-plugin-weather
vdr-plugin-xineliboutput
viruskiller
vrflash
vtk
vzquota
w-bassman
wayv
welcome2l
wmfrog
xabacus
xball
xawtv
xbill
xcircuit
xfce4-mpc-plugin
xenomai
xgalaga
xmcd
xpilot-ng
xxgdb
yap
yasm
z88dk
mplayer
vlc
xtrkcad
apache2
apr
ekiga
esound
fetchmail
ggz-server
krb5
lirc
opal
quagga
vim
wacom-tools
webkit
aqualung
arrayprobe
boinc
calcurse
centerim
cfs
cpqarrayd
eggdrop
ffmpeg2theora
fluxconf
geany
glide
gpsd
gtklp
jpilot
libtrace3
mlt
naim
pavuk
procinfo
pure-ftpd
rudiments
saods9
stopmotion
unworkable
user-mode-linux
wireshark
wmnet
xlockmore
xosview
Daniel Leidert (dale) daniel.leid...@wgdd.de
   gabedit (U)

Laszlo Boszormenyi (GCS) g...@debian.hu
   cdw
   sidplay
   sidplay-libs

Adam Cécile (Le_Vert) gand...@le-vert.net
   aqualung
   audacious-plugins (U)

Masayuki Hatta (mhatta) mha...@debian.org
   abiword
   ebview
   insight

Dario Minnucci (midget) deb...@midworld.net
   echoping

Nicolas FRANCOIS (Nekral) nicolas.franc...@centraliens.net
   shadow (U)

Stefan Hornburg (Racke) ra...@linuxia.de
   pure-ftpd

J.H.M. Dassen (Ray) jdas...@debian.org
   scrollkeeper (U)

Marco Presi (Zufus) zu...@debian.org
   python-numpy (U)

Jari Aalto jari.aa...@cante.net
   wmfrog

Tim Abbott tabb...@mit.edu
   symmetrica

Moray Allan mo...@debian.org
   gpe-conf (U)

Russ Allbery r...@debian.org
   krb5 (U)

Bill Allombert ballo...@debian.org
   pari

Per Andersson avtob...@gmail.com
   micro-evtd

Domenico Andreoli ca...@debian.org
   curl

Kumar Appaiah aku...@debian.org
   python-numpy (U)

Hakan Ardo ha...@debian.org
   binutils-avr
   gdb-avr

Ben Armstrong