Hello,

I have confirmed that the recently-reported vulnerability in Elm is also present in Elm-ME+ and thus also in Debian GNU/Linux version 1.2, prerelease version 1.3, and development tree "unstable". Below is a short diff to correct the problem.

Debian GNU/Linux 1.2.x uses stock Elm 2.4pl25. Users of that version of Elm should upgrade to Elm-ME+ as detailed below.

Debian 1.3 (currently in prerelease) will come with Elm-ME+. You should upgrade to the latest Elm-ME+.

You can download the binary package immediately from:

ftp://happy.cs.twsu.edu/pub/Debian/binaries/elm-me+_2.4pl25ME+31-5_i386.deb

Updated source packages and diffs are under /pub/Debian/sources on the same server.

I have released the updated package to Debian's master server, and it should show up in distributions shortly.

John Goerzen

--- elm-me+-2.4pl25ME+31.orig/src/curses.c +++ elm-me+-2.4pl25ME+31/src/curses.c @@ -131,7 +131,7 @@ if ((termenv = getenv("TERM")) == NULL) return(-1); - if (strcpy(termname, termenv) == NULL) + if (strncpy(termname, termenv, sizeof(termname)) == NULL) return(-1); if ((err = tgetent(_terminal, termname)) != 1)
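
Review bot: strncpy(termname, termenv, sizeof(termname)) on the + line bounds the copy but leaves termname without a terminating NUL whenever TERM is sizeof(termname) bytes or longer, so the tgetent(_terminal, termname) call on the following context line can still read past the end of the buffer. Copy at most sizeof(termname) - 1 bytes and set termname[sizeof(termname) - 1] = '\0' afterwards, or return -1 when strlen(termenv) >= sizeof(termname). The bound also assumes termname is an array; its declaration is outside this hunk, and if it is a pointer, sizeof yields the pointer size rather than the buffer size. Separately, the == NULL comparison carried over from the strcpy line can never be true, because strncpy returns its destination argument, so the return(-1) under it is dead code and is the natural place for the length check.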
John Goerzen:
> Hello,
>
> I have confirmed that the recently-reported vulnerability in Elm is also
> present in Elm-ME+ and thus also in Debian GNU/Linux version 1.2, prerelease
> version 1.3, and development tree "unstable".

OK. I made a fix to Elm 2.4ME+ PL32 (25)

Posted to alt.sources and comp.mail.elm with
  Message-ID: <elm2.4ME+/PL32/1@ozone.FMI.FI>
  Archive-name: elm2.4ME+/PL32

Available on ftp.ozone.FMI.FI via anonymous ftp
  directory KEH/
  files elm-2.4ME+32.tar.gz and elm-2.4ME+PL32.patch.gz

Also available with
  <URL: http://www.ozone.FMI.FI/KEH/elm-2.4ME+32.tar.gz > and
  <URL: http://www.ozone.FMI.FI/KEH/elm-2.4ME+PL32.patch.gz >
via WWW.

/ Kari Hurtta

--------------------------------------------------------------

Version Elm2.4ME+ PL0 (25) is based on version Elm2.4 PL24 ME8b+.
Version Elm2.4 PL24 ME8b+ is based on version Elm2.4 PL24 ME8b.
Version Elm2.4 PL24 ME8b is done by Michael Elkins <elkins.aero.org>.
For details, see file ANNOUNCE.ME
[ Equivalent of MIME code in Elm2.4 PL24 ME8b is posted to Elm Development Coordinator ]
Version Elm2.4 PL24 ME8b is based on version Elm2.4 PL24.
Version Elm2.4ME+ PLx (25) includes patch of version Elm2.4 PL25.

Changes of Elm2.4ME+ PL32 (25) compared to Elm2.4ME+ PL31 (25)
---------------------------------------------------------------

- Incorrect Content-length: -header was causing corruption of folders.
  From: Guy Harris <guy@netapp.com>

- argv_from_to did not handle ',' in comments correctly.
  Detected from report of Gary Casterline <casterln@nature.Berkeley.EDU>
  > Use rfc822_toklen instead of len_next_part

- SECURITY: strcpy -> strfcpy changes of Elm2.4ME+ PL29 (25) were not done
  for curses.c in this source tree. Bug report on List <BUGTRAQ@NETSPACE.ORG>.
  From: John Goerzen <jgoerzen@happy.cs.twsu.edu>

- Some changes on curses.c (bl -- bell)

- Change output of option -v

- "If you use 'answer -u', then every user name is truncated to
  three letters." ... "Change line 232 to: " ...
  From: Jean-Pierre Radley <jpr@jpr.com>
  [ Suggested fix was incorrect. ]

- "Configure always has had a problem on Linux systems, extracting names
  in a usable format (from /usr/lib/libc.so). The following small
  change fixes this."
  From: Bauke Jan Douma <bjdouma@xs4all.nl>

- "In Solaris environment NIS+ is now used instead of Yellow Pages so I have
  modified Configure to reflect this and allow to use niscat in the same
  fashion as ypcat was."
  From: Jerzy Sobczyk <J.Sobczyk@ia.pw.edu.pl>

- Compilation of filter (actions.c) fails.
  Reported by: Arnout Boer <arnoutb@xs4all.nl>

- Typo mismatch in lib/strftime.c
  From: Yuval Shamir <yuvals@iil.intel.com>

- [wordwrap.c, builtin editor]
  "Wordwrap and delete at the beginning of the line does not work in PL31.
  Fix is below."
  From: "Zoltan T. Hidvegi" <hzoli@VNET.IBM.COM>
  [ I didn't use the supplied patch. ]

- [builtin editor] There was 'sizeof buffer' instead of 'buffer_size'
  in get_with_expansion()

- Add same fflush -fix to remail.c which is in mailmsg2.c