diff options
author | Efraim Flashner <efraim@flashner.co.il> | 2016-05-30 20:11:39 +0300 |
---|---|---|
committer | Efraim Flashner <efraim@flashner.co.il> | 2016-05-30 20:14:06 +0300 |
commit | c1dbd3a8709f143fa72b2f893a069ca5f1afe7ac (patch) | |
tree | 7e0bbffad2155d1a4d46d603b7ecc4442cd7040d /gnu/packages/patches/wordnet-CVE-2008-2149.patch | |
parent | 1f521b7055a464439774332f1a69ed31b565715f (diff) | |
download | guix-c1dbd3a8709f143fa72b2f893a069ca5f1afe7ac.tar guix-c1dbd3a8709f143fa72b2f893a069ca5f1afe7ac.tar.gz |
gnu: wordnet: Fix CVE-2008-2149, CVE-2008-3908.
* gnu/packages/wordnet.scm (wordnet)[source]: Add patches.
* gnu/packages/patches/wordnet-CVE-2008-2149.patch,
gnu/packages/patches/wordnet-CVE-2008-3908-pt1.patch,
gnu/packages/patches/wordnet-CVE-2008-3908-pt2.patch: New variables.
* gnu/local.mk (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/wordnet-CVE-2008-2149.patch')
-rw-r--r-- | gnu/packages/patches/wordnet-CVE-2008-2149.patch | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/gnu/packages/patches/wordnet-CVE-2008-2149.patch b/gnu/packages/patches/wordnet-CVE-2008-2149.patch new file mode 100644 index 0000000000..9828efa4bc --- /dev/null +++ b/gnu/packages/patches/wordnet-CVE-2008-2149.patch @@ -0,0 +1,19 @@ +Fix CVE-2008-2149: buffer overflows by limiting the length of the string in sprintf +format string +Closes: #481186 (CVE-2008-2149) +Please note: The WordNet code contains several other occurences of potentially +exploitable functions like strcpy()/strcat()/... and so even if there are no +known exploits the code needs a full security audit. + +--- a/src/wn.c ++++ b/src/wn.c +@@ -206,7 +206,8 @@ static int searchwn(int ac, char *av[]) + outsenses += do_search(av[1], optptr->pos, optptr->search, + whichsense, optptr->label); + } else { +- sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]); ++ /* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */ ++ sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]); + display_message(tmpbuf); + errcount++; + } |