summaryrefslogtreecommitdiff
path: root/debian/patches/CVE-2018-1071.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/CVE-2018-1071.patch')
-rw-r--r--debian/patches/CVE-2018-1071.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/debian/patches/CVE-2018-1071.patch b/debian/patches/CVE-2018-1071.patch
new file mode 100644
index 000000000..89ca5853f
--- /dev/null
+++ b/debian/patches/CVE-2018-1071.patch
@@ -0,0 +1,34 @@
+Description: CVE-2018-1071
+ Check bounds when copying path in hashcmd().
+Origin: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
+Author: Oliver Kiddle <okiddle@yahoo.co.uk>
+Bug-Debian: https://bugs.debian.org/894043
+Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083
+
+--- a/Src/exec.c
++++ b/Src/exec.c
+@@ -920,7 +920,7 @@
+ for (; *pp; pp++)
+ if (**pp == '/') {
+ s = buf;
+- strucpy(&s, *pp);
++ struncpy(&s, *pp, PATH_MAX);
+ *s++ = '/';
+ if ((s - buf) + strlen(arg0) >= PATH_MAX)
+ continue;
+--- a/Src/utils.c
++++ b/Src/utils.c
+@@ -2283,10 +2283,10 @@
+ {
+ char *u = *s;
+
+- while (n--)
+- *u++ = *t++;
++ while (n-- && (*u++ = *t++));
+ *s = u;
+- *u = '\0';
++ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
++ *u = '\0';
+ }
+
+ /* Return the number of elements in an array of pointers. *
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-25 07:21:35 +0000