diff -u gxine-0.5.1/debian/changelog gxine-0.5.1/debian/changelog
--- gxine-0.5.1/debian/changelog
+++ gxine-0.5.1/debian/changelog
@@ -1,3 +1,15 @@
+gxine (0.5.1-0ubuntu15.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE: Buffer overflows allowing local users to cause a denial
+ of service, or possibly arbitrary code execution.
+ * src/client.c, src/server.c: Fix backported from upstream to ensure the
+ length of the socket filename isn't too long.
+ * References:
+ - http://xforce.iss.net/xforce/xfdb/31604
+ - CVE-2007-0406
+
+ -- William Grant Sun, 11 Mar 2007 10:29:12 +1100
+
 gxine (0.5.1-0ubuntu15) dapper; urgency=low
 * Fix mismerge of patch 44 from #45149 (Closes: Malone #46461), and
diff -u gxine-0.5.1/src/client.c gxine-0.5.1/src/client.c
--- gxine-0.5.1/src/client.c
+++ gxine-0.5.1/src/client.c
@@ -64,6 +64,11 @@
 /* server filename */
 snprintf (filename, 1024, SOCKET_FILENAME, getenv ("HOME"));
+ if (strlen (filename) >= sizeof (cli_adr.sun_path))
+ {
+ fputs (_("socket: name too long - cannot connect\n"), stderr);
+ exit (EXIT_FAILURE);
+ }
 printf (_("Connecting to %s...\n"), filename);
diff -u gxine-0.5.1/src/server.c gxine-0.5.1/src/server.c
--- gxine-0.5.1/src/server.c
+++ gxine-0.5.1/src/server.c
@@ -216,7 +216,14 @@
 {
 char filename[FILENAME_MAX];
 snprintf (filename, sizeof (filename), SOCKET_FILENAME, getenv ("HOME"));
- gxsocket = make_socket (filename);
+ if (strlen (filename) >= sizeof (((struct sockaddr_un *)0)->sun_path))
+ {
+ fputs (_("server: name too long - gxine_client will not be able to connect\n"),
+ stderr);
+ gxsocket = -1;
+ }
+ else
+ gxsocket = make_socket (filename);
 }
 void server_start (void)
@@ -266,6 +273,8 @@
 /* server filename */
 snprintf (filename, 1024, SOCKET_FILENAME, getenv ("HOME"));
+ if (strlen (filename) >= sizeof (cli_adr.sun_path))
+ return 0; /* no point in printing anything... */
 logprintf ("server: trying to connect to already running instance of gxine (%s)...\n", filename);
only in patch2: unchanged:
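Review bot: In src/client.c (hunk at -64) the new length check runs on a string built from `getenv ("HOME")`, and nothing visible in the hunk handles HOME being unset, in which case `snprintf` is handed a null pointer for `%s`, which is undefined behaviour. The enclosing function starts outside the hunk, so an earlier guard may exist; if it does not, fetch the value first, e.g. `const char *home = getenv ("HOME");` then `if (!home) { fputs (_("socket: HOME is not set\n"), stderr); exit (EXIT_FAILURE); }`. The same `snprintf (..., getenv ("HOME"))` pattern appears in both src/server.c hunks (-216 and -266). In the two places that pass the literal `1024`, `sizeof (filename)` would keep the bound tied to the buffer declaration, as the -216 hunk already does.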
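Review bot: In src/server.c (hunk at -216) the too-long-name branch sets `gxsocket = -1`, but every consumer of `gxsocket` is outside this hunk, so please confirm that each one checks for a negative value before using it as a descriptor. The bound is also enforced at the call site rather than inside `make_socket`, whose body is not shown. If `make_socket` copies its argument into `sun_path`, any other caller stays unguarded, so moving the `strlen (filename) >= sizeof (addr.sun_path)` test into it and returning -1 there would cover every path. A comment above the assignment such as `/* -1 marks "no control socket"; callers must check before use */` would document the sentinel. The enclosing function begins before the hunk.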