[Secure-testing-team] [Secure-testing-commits] r7571 - data/CVE
Florian Weimer
fw at deneb.enyo.de
Mon Dec 24 19:45:23 UTC 2007
> CVE-2007-6109 (Buffer overflow in emacs allows attackers to have an unknown impact, ...)
> - TODO: check
> - NOTE: poked Marcus from Novell for the patch
> + - emacs22 <unfixed> (bug #455432)
> + - emacs21 <unfixed> (bug #455433)
> + - xemacs21 <not-affected> (Vulnerable code not present)
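Review bot: the `xemacs21 <not-affected> (Vulnerable code not present)` entry on the last line is contradicted by the src/doprnt.c excerpt in this reply, which rebuilds a spec from spec->minwidth and spec->precision and then sprintf()s into text_to_print with no bound on the output; suggest changing it to `xemacs21 <unfixed>` with a bug reference once one is filed, so the package is tracked alongside emacs21 and emacs22.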
I'm sorry to report that xemacs21 is affected as well. The affected
code is in src/doprnt.c:
	  /* Mostly reconstruct the spec and use sprintf() to
	     format the string. */
	  *p++ = '%';
	  if (spec->plus_flag)   *p++ = '+';
	  if (spec->space_flag)  *p++ = ' ';
	  if (spec->number_flag) *p++ = '#';
	  if (spec->minus_flag)  *p++ = '-';
	  if (spec->zero_flag)   *p++ = '0';

	  if (spec->minwidth >= 0)
	    p = long_to_string (p, spec->minwidth);
	  if (spec->precision >= 0)
	    {
	      *p++ = '.';
	      p = long_to_string (p, spec->precision);
	    }

	  if (strchr (double_converters, ch))
	    {
	      *p++ = ch;
	      *p++ = '\0';
	      sprintf (text_to_print, constructed_spec, arg.d);
	    }
	  else
	    {
	      *p++ = 'l';	/* Always use longs with sprintf() */
	      *p++ = ch;
	      *p++ = '\0';

	      if (strchr (unsigned_int_converters, ch))
		sprintf (text_to_print, constructed_spec, arg.ul);
	      else
		sprintf (text_to_print, constructed_spec, arg.l);
	    }
I haven't compared it to the emacs21/emacs22 code, I don't know if the
same patch applies.
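The excerpt above rebuilds a printf spec from the caller's width and precision and hands it to sprintf() with a fixed text_to_print as the destination, so the output length is whatever the width says it is. The following is an added example, not xemacs code and not part of this message: it mirrors the spec reconstruction, measures what the unchecked sprintf() would write, and shows the bounded snprintf() form with its return value checked. The struct layout, the 32-byte buffer size and the demo_* helpers are this example's own assumptions, not taken from src/doprnt.c.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The flag/width/precision fields the excerpt copies into its spec.
   Field names follow the excerpt; the struct itself is this example's. */
struct spec {
    bool plus_flag, space_flag, number_flag, minus_flag, zero_flag;
    long minwidth;   /* -1 when no width was given */
    long precision;  /* -1 when no precision was given */
};

/* Rebuild "%[flags][width][.precision]l<ch>" as the excerpt does, but into
   a bounded buffer. Returns the spec length, or -1 if it does not fit. */
static int build_spec(char *spec_buf, size_t n, const struct spec *s, char ch)
{
    char width[24] = "", prec[24] = "";
    int r;

    if (s->minwidth >= 0)
        snprintf(width, sizeof width, "%ld", s->minwidth);
    if (s->precision >= 0)
        snprintf(prec, sizeof prec, ".%ld", s->precision);
    r = snprintf(spec_buf, n, "%%%s%s%s%s%s%s%sl%c",
                 s->plus_flag ? "+" : "", s->space_flag ? " " : "",
                 s->number_flag ? "#" : "", s->minus_flag ? "-" : "",
                 s->zero_flag ? "0" : "", width, prec, ch);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}

/* Bytes sprintf() would produce for this spec: the amount the excerpt's
   unchecked sprintf(text_to_print, constructed_spec, arg.l) writes no
   matter how large text_to_print actually is. */
long format_long_needed(const struct spec *s, char ch, long arg)
{
    char spec_buf[64];
    if (build_spec(spec_buf, sizeof spec_buf, s, ch) < 0)
        return -1;
    return snprintf(NULL, 0, spec_buf, arg);
}

/* Hardened replacement: snprintf() bounded by the destination size, with
   the return value checked. Returns bytes written, or -1 (and an empty
   string) when the output would have been truncated. */
int format_long_checked(char *out, size_t outsz, const struct spec *s,
                        char ch, long arg)
{
    char spec_buf[64];
    int r;

    if (outsz == 0 || build_spec(spec_buf, sizeof spec_buf, s, ch) < 0)
        return -1;
    r = snprintf(out, outsz, spec_buf, arg);
    if (r < 0 || (size_t)r >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return r;
}

/* A 32-byte stand-in for a fixed text_to_print buffer; the size is chosen
   for this demo and is not taken from xemacs. */
static char text_to_print[32];

/* Demo helpers: format a long with a 'd' conversion into the buffer above. */
int demo_format(long minwidth, long precision, bool zero_flag, long arg)
{
    struct spec s = { .zero_flag = zero_flag, .minwidth = minwidth,
                      .precision = precision };
    return format_long_checked(text_to_print, sizeof text_to_print, &s, 'd', arg);
}

long demo_needed(long minwidth, long precision, long arg)
{
    struct spec s = { .minwidth = minwidth, .precision = precision };
    return format_long_needed(&s, 'd', arg);
}

const char *demo_text(void) { return text_to_print; }

int main(void)
{
    printf("width 10 of 42 -> %d bytes: \"%s\"\n",
           demo_format(10, -1, false, 42), demo_text());
    printf("width 4096 would need %ld bytes; checked path returns %d\n",
           demo_needed(4096, -1, 1), demo_format(4096, -1, false, 1));
    return 0;
}
```

The point of demo_needed() is that the write size is decided by the spec, not by the destination: a width of 4096 yields 4096 bytes regardless of how large text_to_print is. The checked path either fits or refuses; the caller still has to decide what to do on -1 (fail the call, or allocate a buffer of the measured size and retry) rather than silently truncating.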