summary refs log tree commit diff
path: root/gnu/packages/patches/wordnet-CVE-2008-2149.patch
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2016-05-30 20:11:39 +0300
committerEfraim Flashner <efraim@flashner.co.il>2016-05-30 20:14:06 +0300
commitc1dbd3a8709f143fa72b2f893a069ca5f1afe7ac (patch)
tree7e0bbffad2155d1a4d46d603b7ecc4442cd7040d /gnu/packages/patches/wordnet-CVE-2008-2149.patch
parent1f521b7055a464439774332f1a69ed31b565715f (diff)
downloadguix-c1dbd3a8709f143fa72b2f893a069ca5f1afe7ac.tar.gz
gnu: wordnet: Fix CVE-2008-2149, CVE-2008-3908.
* gnu/packages/wordnet.scm (wordnet)[source]: Add patches.
* gnu/packages/patches/wordnet-CVE-2008-2149.patch,
gnu/packages/patches/wordnet-CVE-2008-3908-pt1.patch,
gnu/packages/patches/wordnet-CVE-2008-3908-pt2.patch: New variables.
* gnu/local.mk (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/wordnet-CVE-2008-2149.patch')
-rw-r--r--gnu/packages/patches/wordnet-CVE-2008-2149.patch19
1 files changed, 19 insertions, 0 deletions
diff --git a/gnu/packages/patches/wordnet-CVE-2008-2149.patch b/gnu/packages/patches/wordnet-CVE-2008-2149.patch
new file mode 100644
index 0000000000..9828efa4bc
--- /dev/null
+++ b/gnu/packages/patches/wordnet-CVE-2008-2149.patch
@@ -0,0 +1,19 @@
+Fix CVE-2008-2149: buffer overflows by limiting the length of the string in sprintf
+format string
+Closes: #481186 (CVE-2008-2149)
+Please note: The WordNet code contains several other occurences of potentially
+exploitable functions like strcpy()/strcat()/...  and so even if there are no
+known exploits the code needs a full security audit.
+
+--- a/src/wn.c
++++ b/src/wn.c
+@@ -206,7 +206,8 @@ static int searchwn(int ac, char *av[])
+ 		    outsenses += do_search(av[1], optptr->pos, optptr->search,
+ 					    whichsense, optptr->label);
+ 	    } else {
+-		sprintf(tmpbuf, "wn: invalid search option: %s\n", av[j]);
++		/* Fix CVE-2008-2149: buffer overflows Andreas Tille <tille@debian.org> */
++		sprintf(tmpbuf, "wn: invalid search option: %.200s\n", av[j]);
+ 		display_message(tmpbuf);
+ 		errcount++;
+ 	    }