Re: http://x69.deja.com/=dnc/[ST_rn=ps,ST_m=ps]/getdoc.xp?AN=693368635&C

From: Thomas Dickey
Subject: Re: http://x69.deja.com/=dnc/[ST_rn=ps,ST_m=ps]/getdoc.xp?AN=693368635&CO
Date: Sat, 18 Nov 2000 19:33:53 -0500
User-agent: Mutt/1.2.5i

On Tue, Nov 14, 2000 at 11:01:39AM -0800, Kris Kennaway wrote:
> On Tue, Nov 14, 2000 at 06:58:09AM -0500, Thomas Dickey wrote:
> > > Fixing it is going to be annoying, though :-( It would help if I had a
> > > patch containing only the security fix that was applied to the
> > > snapshot (I should have asked you for this before now). I'm not even
> > > sure where the vulnerable code was, which makes it hard to fix in
> > > 3.x. :-)
> > 
> > I could unravel it, since I do keep both patches and rcs archives
> > (but it's sort of late for that).
> Well, that would make my job much easier. 3.x curses cannot be
> upgraded because it would break compatibility but we have to support
> it, at least for now. :-(
> Kris

I put a patch (and related files) in

That covers these items (except that 20001007 patches only the C code - you
would have to modify your port to implement the '**' items):

        + add/use CharOf() macro to suppress sign-extension of char type on
          platforms where this is a problem in ctype macros, e.g., Solaris.
        + add a check in relative_move() to guard against buffer overflow in
          the overwrite logic.
20001021 5.2 release for upload to ftp.gnu.org
        + fix an uninitialized pointer in read_termcap.c (report by Todd C
          Miller, from report/patch by Philip Guenther <address@hidden>).

        + modify lib_tparm.c to use get_space() before writing terminating
          null character, both for consistency as well as to ensure that if
          save_char() was called immediately before, that the allocated memory
          is enough (patch by Sergei Ivanov).

        > patch by Todd Miller:
        + add a few missing use_terminfo_vars() and fixes up _nc_tgetent().
          Previously, _nc_cgetset() would still get called on cp so the
          simplest thing is to set cp to NULL if !use_terminfo_vars().
        + added checks for an empty $HOME environment variable.

***     + add configure option --disable-root-environ, which tells ncurses to
          disregard $TERMINFO and similar environment variables if the current
          user is root, or running setuid/setgid (based on discussion with
          several people).
***     + modified misc/run_tic.in to use tic -o, to eliminate dependency on
          $TERMINFO variable for installs.
        + modify parse_format() in lib_tparm.c to ignore precision if it is
          longer than 10000 (report by Jouko Pynnonen).
        + rewrote limit checks in lib_mvcur.c using new functions
          _nc_safe_strcat(), etc.  Made other related changes to check lengths
          used for strcat/strcpy (report by Jouko Pynnonen <address@hidden>).

        + add a check for empty buffers returned by fgets() in comp_scan.c
          next_char() function, in case tic is run on a non-text file (fixes
          a core dump reported by Aaron Campbell <address@hidden>).

        + modify tparm to disallow arithmetic on strings, analyze the varargs
          list to read strings as strings and numbers as numbers.
        + modify tparm's internal function spop() to treat a null pointer as
          an empty string.
        + add private entrypoint _nc_basename(), use to consolidate related
          code in progs, as well as accommodating OS/2 EMX pathnames.

        + change functions _nc_parse_entry() and postprocess_termcap() to avoid
          using strtok(), because it is non-reentrant (reported by Andrey A
          Chernov <address@hidden>).

Thomas E. Dickey <address@hidden>
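
The --disable-root-environ item in the list above, sketched as an added example (not part of the original message and not ncurses source): environment overrides such as $TERMINFO are honoured only when the process is neither root nor running setuid/setgid. The names env_is_trusted() and terminfo_dir() and the default path are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed default for this example, not a path taken from the page. */
#define DEFAULT_TERMINFO "/usr/share/terminfo"

/* Hypothetical helper (not an ncurses function): may environment variables
 * that select files to load be honoured by this process? */
int env_is_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid != euid || rgid != egid)
        return 0;   /* setuid/setgid: the caller controls the environment */
    if (ruid == 0 || euid == 0)
        return 0;   /* root: do not follow a path chosen via the environment */
    return 1;
}

/* Hypothetical helper: choose the terminfo directory. The override is used
 * only when trusted and non-empty; otherwise the built-in default applies. */
const char *terminfo_dir(const char *env_value, int trusted)
{
    if (trusted && env_value != NULL && *env_value != '\0')
        return env_value;
    return DEFAULT_TERMINFO;
}

int main(void)
{
    int trusted = env_is_trusted(getuid(), geteuid(), getgid(), getegid());

    printf("TERMINFO %s, using %s\n", trusted ? "honoured" : "ignored",
           terminfo_dir(getenv("TERMINFO"), trusted));
    return 0;
}
```

Passing the ids in as parameters keeps the decision testable without actually changing privileges.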
