Hello community,
here is the log from the commit of package cscope
checked in at Tue Aug 29 18:00:11 CEST 2006.
--------
--- cscope/cscope.changes 2006-05-29 17:21:14.000000000 +0200
+++ cscope/cscope.changes 2006-08-29 17:06:17.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Aug 29 16:53:48 CEST 2006 - anosek@suse.de
+
+- fixed multiple buffer overflows [#200534] (CVE-2006-4262.pach)
+
+-------------------------------------------------------------------
New:
----
cscope-15.5-CVE-2006-4262.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cscope.spec ++++++
--- /var/tmp/diff_new_pack.63wPJ2/_old 2006-08-29 17:58:26.000000000 +0200
+++ /var/tmp/diff_new_pack.63wPJ2/_new 2006-08-29 17:58:26.000000000 +0200
@@ -15,7 +15,7 @@
Group: Development/Tools/Navigators
Autoreqprov: on
Version: 15.5
-Release: 92
+Release: 94
Summary: Interactive Tool for Browsing C Source Code
Source: cscope-%{version}.tar.bz2
Patch: cscope-tmpfile.patch
@@ -23,6 +23,7 @@
Patch2: cscope-%{version}-gcc-warnings.patch
Patch3: cscope-%{version}-vpath.patch
Patch4: cscope-%{version}-sprintf.patch
+Patch5: cscope-15.5-CVE-2006-4262.patch
URL: http://cscope.sourceforge.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define _prefix /usr
@@ -48,6 +49,7 @@
%patch2
%patch3
%patch4
+%patch5
%build
%{?suse_update_config:%{suse_update_config}}
@@ -72,6 +74,8 @@
%{_prefix}/bin/cscope
%changelog -n cscope
+* Tue Aug 29 2006 - anosek@suse.de
+- fixed multiple buffer overflows [#200534] (CVE-2006-4262.pach)
* Mon May 29 2006 - mmarek@suse.cz
- replace sprintf() with snprintf() (patch taken from debian
package) to avoid buffer overflows such as CVE-2004-2541
++++++ cscope-15.5-CVE-2006-4262.patch ++++++
--- src/build.c
+++ src/build.c
@@ -115,7 +115,7 @@
}
/* see if the name list is the same */
for (i = 0; i < count; ++i) {
- if (fscanf(oldrefs, "%s", oldname) != 1 ||
+ if (! fgets(oldname, sizeof(oldname), oldrefs)||
strnotequal(oldname, names[i])) {
return(NO);
}
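Review bot: `fgets` keeps the trailing newline that `fscanf("%s")` used to drop, so `strnotequal(oldname, names[i])` in this loop will report a mismatch for every entry unless `names[i]` also ends in a newline, and the function would then always return NO. `fgets` also does not skip leading whitespace, so if the count before this loop is read with `fscanf("%d")` (outside the hunk), the first call returns only the remainder of that line. Strip the terminator before comparing, e.g. `oldname[strcspn(oldname, "\n")] = '\0';`, or keep a bounded scanf form such as `fscanf(oldrefs, " %" PATHLEN_STR "[^\n]", oldname)`, assuming `oldname` is `PATHLEN + 1` bytes. The same applies to the `fgets` calls in the build.c hunks at -292 and -301 and to the source-file-name read in the main.c hunk at -511. The enclosing function starts and ends outside the hunk.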
@@ -223,7 +223,7 @@
/* if there is an old cross-reference and its current directory matches */
/* or this is an unconditional build */
if ((oldrefs = vpfopen(reffile, "rb")) != NULL && unconditional == NO &&
- fscanf(oldrefs, "cscope %d %s", &fileversion, olddir) == 2 &&
+ fscanf(oldrefs, "cscope %d %" PATHLEN_STR "s", &fileversion, olddir) == 2 &&
(strcmp(olddir, currentdir) == 0 || /* remain compatible */
strcmp(olddir, newdir) == 0)) {
/* get the cross-reference file's modification time */
@@ -292,7 +292,7 @@
/* see if the list of source files is the same and
none have been changed up to the included files */
for (i = 0; i < nsrcfiles; ++i) {
- if (fscanf(oldrefs, "%s", oldname) != 1 ||
+ if (! fgets(oldname, sizeof(oldname), oldrefs) ||
strnotequal(oldname, srcfiles[i]) ||
lstat(srcfiles[i], &statstruct) != 0 ||
statstruct.st_mtime > reftime) {
@@ -301,7 +301,7 @@
}
/* the old cross-reference is up-to-date */
/* so get the list of included files */
- while (i++ < oldnum && fscanf(oldrefs, "%s", oldname) == 1) {
+ while (i++ < oldnum && fgets(oldname, sizeof(oldname), oldrefs)) {
addsrcfile(oldname);
}
(void) fclose(oldrefs);
--- src/command.c
+++ src/command.c
@@ -45,7 +45,7 @@
#endif
#include
-static char const rcsid[] = "$Id: command.c,v 1.19 2002/07/28 15:40:07 broeker Exp $";
+static char const rcsid[] = "$Id: command.c,v 1.32 2006/08/20 15:00:33 broeker Exp $";
int selecting;
@@ -707,7 +707,8 @@
(void) fprintf(script, "ed - <<\\!\n");
*oldfile = '\0';
seekline(1);
- for (i = 0; fscanf(refsfound, "%s%*s%s%*[^\n]", newfile, linenum) == 2;
+ for (i = 0;
+ fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", newfile, linenum) == 2;
++i) {
/* see if the line is to be changed */
if (change[i] == YES) {
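Review bot: The field widths in the new `fscanf` format stop the overflow but do not reject an over-long field: when the first token exceeds PATHLEN characters, `%*s` consumes its remainder and the following token is stored in `linenum`, so the loop carries on with a truncated file name and a wrong line number, presumably feeding both into the ed script being written here. A line number longer than NUMLEN (5) digits is likewise cut to its first five digits. Consider reading the whole line and skipping entries whose fields do not fit, rather than acting on a truncated value. The same silent truncation applies to the bounded scans in src/edit.c (both hunks), src/display.c and src/dir.c. The loop body continues outside the hunk.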
--- src/constants.h
+++ src/constants.h
@@ -30,7 +30,7 @@
DAMAGE.
=========================================================================*/
-/* $Id: constants.h,v 1.12 2002/07/11 14:23:45 broeker Exp $ */
+/* $Id: constants.h,v 1.15 2006/08/20 15:00:34 broeker Exp $ */
/* cscope - interactive C symbol cross-reference
*
@@ -68,6 +68,7 @@
#define NUMLEN 5 /* line number length */
#define PATHLEN 250 /* file pathname length */
#define PATLEN 250 /* symbol pattern length */
+#define TEMPSTRING_LEN 8191 /* max strlen() of the global temp string */
#define REFFILE "cscope.out" /* cross-reference output file */
#define NAMEFILE "cscope.files" /* default list-of-files file */
#define INVNAME "cscope.in.out" /* inverted index to the database */
@@ -77,6 +78,13 @@
#define STMTMAX 10000 /* maximum source statement length */
+#define STR2(x) #x
+#define STRINGIZE(x) STR2(x)
+#define PATLEN_STR STRINGIZE(PATLEN)
+#define PATHLEN_STR STRINGIZE(PATHLEN)
+#define NUMLEN_STR STRINGIZE(NUMLEN)
+#define TEMPSTRING_LEN_STR STRINGIZE(TEMPSTRING_LEN)
+
/* screen lines */
#define FLDLINE (LINES - FIELDS - 1) /* first input field line */
#define MSGLINE 0 /* message line */
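Review bot: The new `*_STR` macros are pasted directly into scanf format strings, which only works while PATLEN, PATHLEN, NUMLEN and TEMPSTRING_LEN stay plain unsuffixed decimal literals; a later definition such as `(250)` or an expression would yield a malformed conversion without necessarily failing to compile. A comment above `STR2` should record that, for example `/* field widths for scanf formats: the *LEN constants must stay plain decimal literals, and every destination buffer must be at least LEN + 1 bytes */`.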
--- src/dir.c
+++ src/dir.c
@@ -43,7 +43,7 @@
#include "global.h"
#include "vp.h" /* vpdirs and vpndirs */
-static char const rcsid[] = "$Id: dir.c,v 1.19 2003/06/02 10:42:59 broeker Exp $";
+static char const rcsid[] = "$Id: dir.c,v 1.28 2006/08/20 15:00:34 broeker Exp $";
#define DIRSEPS " ,:" /* directory list separators */
#define DIRINC 10 /* directory list size increment */
@@ -319,7 +319,7 @@
/* Parse whitespace-terminated strings in line: */
point_in_line = line;
- while (sscanf(point_in_line, "%s", path) == 1) {
+ while (sscanf(point_in_line, "%" PATHLEN_STR "s", path) == 1) {
/* Have to store this length --- inviewpath() will
* modify path, later! */
length_of_name = strlen(path);
--- src/display.c
+++ src/display.c
@@ -54,7 +54,7 @@
#include
#include
-static char const rcsid[] = "$Id: display.c,v 1.22 2003/06/12 17:11:38 broeker Exp $";
+static char const rcsid[] = "$Id: display.c,v 1.29 2006/08/20 15:00:34 broeker Exp $";
int booklen; /* OGS book name display field length */
int *displine; /* screen line of displayed reference */
@@ -216,7 +216,7 @@
disprefs < mdisprefs && screenline <= lastdispline;
++disprefs, ++screenline) {
/* read the reference line */
- if (fscanf(refsfound, "%s%s%s %[^\n]", file, function,
+ if (fscanf(refsfound, "%" PATHLEN_STR "s%" PATHLEN_STR "s%" NUMLEN_STR "s %" TEMPSTRING_LEN_STR "[^\n]", file, function,
linenum, tempstring) < 4) {
break;
}
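Review bot: The second conversion bounds `function` with `PATHLEN_STR`, although the constants.h part of this patch also defines `PATLEN_STR`, which no hunk shown here uses. If `function` is declared with `PATLEN + 1` bytes (the declaration is outside the hunk), the bound is correct only while PATLEN and PATHLEN are both 250; in that case the width for it should be `"%" PATLEN_STR "s"`. The declarations of `file`, `function` and `linenum` should be checked against the widths in this format.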
--- src/edit.c
+++ src/edit.c
@@ -42,7 +42,7 @@
#include
#endif
-static char const rcsid[] = "$Id: edit.c,v 1.5 2001/03/27 14:09:19 broeker Exp $";
+static char const rcsid[] = "$Id: edit.c,v 1.6 2006/08/20 15:00:34 broeker Exp $";
/* edit this displayed reference */
@@ -60,7 +60,7 @@
seekline(i + topline);
/* get the file name and line number */
- if (fscanf(refsfound, "%s%*s%s", file, linenum) == 2) {
+ if (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s", file, linenum) == 2) {
edit(file, linenum); /* edit it */
}
seekline(topline); /* restore the line pointer */
@@ -83,7 +83,7 @@
seekline(1);
/* get each file name and line number */
- while (fscanf(refsfound, "%s%*s%s%*[^\n]", file, linenum) == 2) {
+ while (fscanf(refsfound, "%" PATHLEN_STR "s%*s%" NUMLEN_STR "s%*[^\n]", file, linenum) == 2) {
edit(file, linenum); /* edit it */
if (editallprompt == YES) {
addstr("Type ^D to stop editing all lines, or any other character to continue: ");
--- src/input.c
+++ src/input.c
@@ -47,7 +47,7 @@
#include
#endif
-static char const rcsid[] = "$Id: input.c,v 1.9 2001/07/05 16:47:04 broeker Exp $";
+static char const rcsid[] = "$Id: input.c,v 1.15 2006/08/20 15:00:34 broeker Exp $";
static jmp_buf env; /* setjmp/longjmp buffer */
static int prevchar; /* previous, ungotten character */
@@ -289,8 +289,8 @@
else { /* get the home directory of the login name */
v = logdir(out);
}
- /* copy the directory name */
- if (v != NULL) {
+ /* copy the directory name if it isn't too big */
+ if (v != NULL && strlen(v) < (lastchar - out)) {
(void) strcpy(out - 1, v);
out += strlen(v) - 1;
}
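Review bot: The new bound compares `strlen(v)` (a `size_t`) with `lastchar - out` (a `ptrdiff_t`), so if `out` can ever be past `lastchar` the negative difference converts to a very large unsigned value and the check passes; whether that can happen is decided outside the hunk. Making the test explicit costs nothing: `if (v != NULL && out < lastchar && strlen(v) < (size_t)(lastchar - out)) {`. When the directory name is too long the expansion is skipped silently, so a short comment on what the caller then finds in `out` would help. The same comparison appears in the getenv() hunk at -313.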
@@ -313,12 +313,14 @@
}
*s = '\0';
- /* get its value */
- if ((v = getenv(out)) != NULL) {
+ /* get its value, but only it isn't too big */
+ if ((v = getenv(out)) != NULL && strlen(v) < (lastchar - out)) {
(void) strcpy(out - 1, v);
out += strlen(v) - 1;
}
- else { /* var not found, so $ must be part of the file name */
+ else {
+ /* var not found, or too big, so assume $ must be part of the
+ * file name */
out += strlen(out);
}
}
--- src/main.c
+++ src/main.c
@@ -61,7 +61,7 @@
#define DFLT_INCDIR "/usr/include"
#endif
-static char const rcsid[] = "$Id: main.c,v 1.31 2003/08/14 14:36:17 broeker Exp $";
+static char const rcsid[] = "$Id: main.c,v 1.41 2006/08/20 15:00:34 broeker Exp $";
/* note: these digraph character frequencies were calculated from possible
printable digraphs in the cross-reference for the C compiler */
@@ -103,7 +103,7 @@
char temp2[PATHLEN + 1]; /* temporary file name */
long totalterms; /* total inverted index terms */
BOOL trun_syms; /* truncate symbols to 8 characters */
-char tempstring[8192]; /* use this as a buffer, instead of 'yytext',
+char tempstring[TEMPSTRING_LEN + 1]; /* use this as a buffer, instead of 'yytext',
* which had better be left alone */
char *tmpdir; /* temporary directory */
@@ -247,6 +247,12 @@
switch (c) {
case 'f': /* alternate cross-reference file */
reffile = s;
+ if (strlen(reffile) > sizeof(path) - 1) {
+ printf("\
+ cscope: reffile too long, cannot be > %d characters\n", sizeof(path) - 1);
+ exit(1);
+ /* NOTREACHED */
+ }
(void) strcpy(path, s);
#ifdef SHORT_NAMES_ONLY
/* System V has a 14 character limit */
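Review bot: `sizeof(path) - 1` has type `size_t` but is printed with `%d`, which is undefined behaviour where `size_t` is wider than `int`; cast the argument, `(int)(sizeof(path) - 1)`, or use a matching conversion. The message also goes to stdout through `printf` and the process ends with `exit(1)`, while the last main.c hunk reports errors with `posterr(...)` and leaves through `myexit(1)`; if `myexit` performs cleanup (not visible here), this path skips it.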
@@ -490,11 +496,11 @@
|| (names = vpfopen(NAMEFILE, "r")) != NULL) {
/* read any -p option from it */
- while (fscanf(names, "%s", path) == 1 && *path == '-') {
+ while (fgets(path, sizeof(path), names) != NULL && *path == '-') {
i = path[1];
s = path + 2; /* for "-Ipath" */
if (*s == '\0') { /* if "-I path" */
- (void) fscanf(names, "%s", path);
+ (void) fgets(path, sizeof(path), names);
s = path;
}
switch (i) {
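Review bot: With `fgets` the buffer holds a whole line including its newline, so for a line containing only `-I` the test `*s == '\0'` sees `'\n'` and the "-I path" branch is no longer taken, and for `-I path` on one line `s` now starts at the space. The option value handed to the `switch` would therefore carry a leading space and a trailing newline. The return value of the second `fgets` is discarded, so at end of file `path` still holds the option line and `s = path` points back at it. Trim the newline after each read and check the second one, e.g. `if (fgets(path, sizeof(path), names) == NULL) break;`. The switch body is outside the hunk.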
@@ -511,7 +517,7 @@
}
else {
for (i = 0; i < nsrcfiles; ++i) {
- if (fscanf(oldrefs, "%s", path) != 1) {
+ if (!fgets(path, sizeof(path), oldrefs) ) {
posterr("cscope: cannot read source file name from file %s\n", reffile);
myexit(1);
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...