Hello community, here is the log from the commit of package libsmi for openSUSE:Factory checked in at Mon Nov 15 15:57:25 CET 2010.
--------
--- libsmi/libsmi.changes 2010-10-06 12:04:59.000000000 +0200
+++ /mounts/work_src_done/STABLE/libsmi/libsmi.changes 2010-11-11 11:36:59.000000000 +0100
@@ -1,0 +2,5 @@
+Thu Nov 11 10:38:11 UTC 2010 - nadvornik@novell.com
+
+- fixed buffer overflow CVE-2010-2891 (bnc#649867)
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
New:
----
libsmi-CVE-2010-2891.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsmi.spec ++++++
--- /var/tmp/diff_new_pack.BHzPLR/_old 2010-11-15 15:57:08.000000000 +0100
+++ /var/tmp/diff_new_pack.BHzPLR/_new 2010-11-15 15:57:08.000000000 +0100
@@ -20,7 +20,7 @@
 Name: libsmi
 Version: 0.4.8
-Release: 1
+Release: 2
 AutoReqProv: on
 Group: System/Libraries
 License: MIT
@@ -29,6 +29,7 @@
 Source: %{name}-%{version}.tar.gz
 Patch0: libsmi-0.4.8-parser.patch
 Patch1: libsmi-0.4.8-gnu-source.patch
+Patch2: libsmi-CVE-2010-2891.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison flex
@@ -95,6 +96,7 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2
 %build
 autoreconf --force --install
++++++ libsmi-CVE-2010-2891.patch ++++++
Index: lib/smi.c
===================================================================
--- lib/smi.c (revision 29144)
+++ lib/smi.c (working copy)
@@ -1793,10 +1793,15 @@
 }
 if (isdigit((int)node2[0])) {
- for (oidlen = 0, p = strtok(node2, ". "); p;
+ for (oidlen = 0, p = strtok(node2, ". ");
+ p && oidlen < sizeof(oid)/sizeof(oid[0]);
 oidlen++, p = strtok(NULL, ". ")) {
 oid[oidlen] = strtoul(p, NULL, 0);
 }
+ if (p) {
+ /* the numeric OID is too long */
+ return NULL;
+ }
 nodePtr = getNode(oidlen, oid);
 if (nodePtr) {
 if (modulePtr) {
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
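Review bot: The `return NULL;` added under `if (p)` leaves the function from the middle of its body, so whatever cleanup the normal exit performs is skipped on the over-long-OID path. The hunk does not show how `node2` is obtained, but `strtok` writes into it, which suggests a private copy; if that copy (or any sibling buffer) is heap-allocated above the hunk, every rejected OID string leaks it, and the bounds fix becomes a source of steady memory growth on untrusted input. I would release those buffers before `return NULL;`, or route this case through the function's existing exit path. The comment could also state the contract, e.g. `/* oid[] is full and tokens remain: reject instead of truncating */`. The enclosing function starts and ends outside the hunk, so the allocation and the normal exit need to be checked there.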