On Sat, Sep 28, 2002 at 06:33:18AM -0500, Debian Bug Tracking System wrote:
> cgiemail (1.6-15) unstable; urgency=low
> .
> * QA upload.
> * Null-terminate templatedir, and make sure it really does get checked
> (closes: #160813).

Sorry, this should have been urgency=high. I think a stable-security upload will be needed as well. Here's the relevant part of the diff I used: --- cgiemail-1.6.orig/cgilib.c +++ cgiemail-1.6/cgilib.c @@ -489,6 +489,7 @@ if (endquotes) { strncpy(templatedir, inquotes, endquotes - inquotes); + templatedir[endquotes - inquotes] = 0; return(0); } } @@ -525,7 +526,7 @@ if (cgi_read_configuration(formp, templatedir, CGI_VARNAME_MAX - 1)) return(1); - if ((!templatedir) && + if ((!templatedir) || strncmp(templatefile, templatedir, strlen(templatedir)) || strstr(templatefile, "/../")) { However, on reflection I'm not sure if this fix is optimal. Thomas, was the !templatedir test supposed to deal with /etc/cgiemail.conf being missing? If so then perhaps this should be more like 'if ((!*templatedir) || ...)', and *templatedir will need to be initialized to 0 before calling cgi_read_configuration(). -- Colin Watson [EMAIL PROTECTED]
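
Review bot: In the first cgilib.c hunk (@@ -489), the added `templatedir[endquotes - inquotes] = 0;` and the strncpy before it both use `endquotes - inquotes` as the length, and nothing in the visible lines bounds that value by the size of templatedir. The caller in the second hunk passes `CGI_VARNAME_MAX - 1` as a limit, so unless a check outside this hunk already rejects longer values, clamp the length to that limit before copying and terminating. Otherwise a long quoted value makes both the copy and the new terminator write land past the end of the buffer.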
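
Review bot: In the second cgilib.c hunk (@@ -525), `!templatedir` tests the pointer rather than the contents, and templatedir has already been handed to cgi_read_configuration() as a buffer on the line above, so if it is an array this operand is always false and the `||` leaves the check resting on strncmp alone. With an empty templatedir, `strlen(templatedir)` is 0, strncmp compares zero bytes and returns 0, and every templatefile passes the prefix test. Test `!*templatedir` instead and set `templatedir[0] = 0` before the call, as the message itself proposes. The prefix comparison also does not require a '/' boundary after templatedir, so a sibling path that merely shares the prefix would match unless templatedir is guaranteed to end in '/'.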