diff -u xfce4-panel-4.3.90.1svn+r21633/debian/changelog xfce4-panel-4.3.90.1svn+r21633/debian/changelog
--- xfce4-panel-4.3.90.1svn+r21633/debian/changelog
+++ xfce4-panel-4.3.90.1svn+r21633/debian/changelog
@@ -1,3 +1,18 @@
+xfce4-panel (4.3.90.1svn+r21633-0ubuntu2.1) dapper-security; urgency=low
+
+ * SECURITY UPDATE:
+ + debian/patches/CVE-2007-6531.patch
+ - Stack-based buffer overflow in the Panel (xfce4-panel)
+ component in Xfce before 4.4.2 might allow remote attackers to
+ execute arbitrary code via Launcher tooltips. NOTE: a second
+ buffer overflow (over-read) in the xfce_mkdirhier
+ function was also reported, but it might not be exploitable
+ for a crash or code execution, so it is not a vulnerability.
+ * References
+ + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6531
+
+ -- Gauvain Pocentek Fri, 27 Jun 2008 22:26:10 +0200
+
 xfce4-panel (4.3.90.1svn+r21633-0ubuntu2) dapper; urgency=low
 
 * Add office category to the launcher icon selector to be in
only in patch2:
unchanged:
--- xfce4-panel-4.3.90.1svn+r21633.orig/debian/patches/CVE_2007-6531.patch
+++ xfce4-panel-4.3.90.1svn+r21633/debian/patches/CVE_2007-6531.patch
@@ -0,0 +1,177 @@
+diff -Nur -x '*.orig' -x '*~' xfce4-panel-4.3.90.1svn+r21633/libxfce4panel/xfce-panel-plugin-iface.c xfce4-panel-4.3.90.1svn+r21633.new/libxfce4panel/xfce-panel-plugin-iface.c
+--- xfce4-panel-4.3.90.1svn+r21633/libxfce4panel/xfce-panel-plugin-iface.c 2006-03-27 11:24:52.000000000 +0200
++++ xfce4-panel-4.3.90.1svn+r21633.new/libxfce4panel/xfce-panel-plugin-iface.c 2008-06-27 22:18:38.000000000 +0200
+@@ -1079,7 +1079,7 @@
+ {
+ char path[255];
+
+- g_snprintf (path, 255,
++ g_snprintf (path, sizeof(path),
+ "xfce4" G_DIR_SEPARATOR_S
+ "panel" G_DIR_SEPARATOR_S
+ "%s-%s.rc",
+@@ -1107,7 +1107,7 @@
+ {
+ char path[255];
+
+- g_snprintf (path, 255,
++ g_snprintf (path, sizeof(path),
+ "xfce4" G_DIR_SEPARATOR_S
+ "panel" G_DIR_SEPARATOR_S
+ "%s-%s.rc",
+diff -Nur -x '*.orig' -x '*~' xfce4-panel-4.3.90.1svn+r21633/panel/panel.c xfce4-panel-4.3.90.1svn+r21633.new/panel/panel.c
+--- xfce4-panel-4.3.90.1svn+r21633/panel/panel.c 2006-04-17 15:10:11.000000000 +0200
++++ xfce4-panel-4.3.90.1svn+r21633.new/panel/panel.c 2008-06-27 22:22:21.000000000 +0200
+@@ -890,7 +890,7 @@
+ static char id[30];
+
+ /* unique number: pseudo-random time() + counter */
+- g_snprintf (id, 30, "%ld%d", (glong) time (NULL), counter++);
++ g_snprintf (id, sizeof(id), "%ld%d", (glong) time (NULL), counter++);
+
+ return id;
+ }
+diff -Nur -x '*.orig' -x '*~' xfce4-panel-4.3.90.1svn+r21633/panel/panel-dialogs.c xfce4-panel-4.3.90.1svn+r21633.new/panel/panel-dialogs.c
+--- xfce4-panel-4.3.90.1svn+r21633/panel/panel-dialogs.c 2006-05-05 10:50:23.000000000 +0200
++++ xfce4-panel-4.3.90.1svn+r21633.new/panel/panel-dialogs.c 2008-06-27 22:21:15.000000000 +0200
+@@ -244,12 +244,12 @@
+
+ if (info->comment)
+ {
+- g_snprintf (text, 512, "%s\n%s", info->display_name,
++ g_snprintf (text, sizeof(text), "%s\n%s", info->display_name,
+ info->comment);
+ }
+ else
+ {
+- g_snprintf (text, 512, "%s", info->display_name);
++ g_snprintf (text, sizeof(text), "%s", info->display_name);
+ }
+
+ g_object_set (cell, "markup", text,
+@@ -1200,7 +1200,7 @@
+ gtk_widget_set_size_request (scroll, req.width, -1);
+ }
+
+- g_snprintf (markup, 10, "%d", i + 1);
++ g_snprintf (markup, sizeof(markup), "%d", i + 1);
+
+ ebox = gtk_event_box_new ();
+ style = gtk_widget_get_style (ebox);
+@@ -1372,7 +1372,7 @@
+
+ panel_block_autohide (PANEL (g_ptr_array_index (pmd->panels, n)));
+
+- g_snprintf (name, 20, _("Panel %d"), pmd->panels->len);
++ g_snprintf (name, sizeof(name), _("Panel %d"), pmd->panels->len);
+
+ gtk_combo_box_append_text (GTK_COMBO_BOX (pmd->panel_selector), name);
+
+@@ -1408,7 +1408,7 @@
+ {
+ char name[20];
+
+- g_snprintf (name, 20, _("Panel %d"), i + 1);
++ g_snprintf (name, sizeof(name), _("Panel %d"), i + 1);
+
+ gtk_combo_box_append_text (GTK_COMBO_BOX (pmd->panel_selector), name);
+ }
+@@ -1433,7 +1433,7 @@
+ {
+ char name[20];
+
+- g_snprintf (name, 20, _("Panel %d"), i + 1);
++ g_snprintf (name, sizeof(name), _("Panel %d"), i + 1);
+
+ gtk_combo_box_append_text (GTK_COMBO_BOX (pmd->panel_selector), name);
+ }
+diff -Nur -x '*.orig' -x '*~' xfce4-panel-4.3.90.1svn+r21633/plugins/clock/clock.c xfce4-panel-4.3.90.1svn+r21633.new/plugins/clock/clock.c
+--- xfce4-panel-4.3.90.1svn+r21633/plugins/clock/clock.c 2006-03-27 11:24:52.000000000 +0200
++++ xfce4-panel-4.3.90.1svn+r21633.new/plugins/clock/clock.c 2008-06-27 22:23:08.000000000 +0200
+@@ -106,7 +106,7 @@
+ * %B : full month name
+ * %Y : four digit year
+ */
+- strftime(date_s, 255, _("%A %d %B %Y"), tm);
++ strftime(date_s, sizeof(date_s), _("%A %d %B %Y"), tm);
+
+ /* Conversion to utf8
+ * Patch by Oliver M. Bolzer
+diff -Nur -x '*.orig' -x '*~' xfce4-panel-4.3.90.1svn+r21633/plugins/launcher/launcher.c xfce4-panel-4.3.90.1svn+r21633.new/plugins/launcher/launcher.c
+--- xfce4-panel-4.3.90.1svn+r21633/plugins/launcher/launcher.c 2008-06-27 22:17:15.000000000 +0200
++++ xfce4-panel-4.3.90.1svn+r21633.new/plugins/launcher/launcher.c 2008-06-27 22:25:42.000000000 +0200
+@@ -370,7 +370,7 @@
+ {
+ char first[256];
+
+- g_snprintf (first, 256, _("Could not run \"%s\""), entry->name);
++ g_snprintf (first, sizeof(first), _("Could not run \"%s\""), entry->name);
+
+ xfce_message_dialog (NULL, _("Xfce Panel"),
+ GTK_STOCK_DIALOG_ERROR, first, error->message,
+@@ -395,7 +395,7 @@
+ {
+ char first[256];
+
+- g_snprintf (first, 256, _("Error in command \"%s\""),
++ g_snprintf (first, sizeof(first), _("Error in command \"%s\""),
+ entry->real_exec);
+
+ xfce_message_dialog (NULL, _("Xfce Panel"),
+@@ -432,7 +432,7 @@
+ {
+ char first[256];
+
+- g_snprintf (first, 256, _("Could not run \"%s\""), entry->name);
++ g_snprintf (first, sizeof(first), _("Could not run \"%s\""), entry->name);
+
+ xfce_message_dialog (NULL, _("Xfce Panel"),
+ GTK_STOCK_DIALOG_ERROR, first, error->message,
+@@ -693,14 +693,14 @@
+ if (entry->name)
+ {
+ if (entry->comment)
+- g_snprintf (tip, 521, "%s\n%s", entry->name, entry->comment);
++ g_snprintf (tip, sizeof(tip), "%s\n%s", entry->name, entry->comment);
+ else
+- g_strlcpy (tip, entry->name, 521);
++ g_strlcpy (tip, entry->name, sizeof(tip));
+
+ }
+ else
+ {
+- g_strlcpy (tip, _("This item has not yet been configured"), 512);
++ g_strlcpy (tip, _("This item has not yet been configured"), sizeof(tip));
+ }
+
+ gtk_tooltips_set_tip (launcher->tips, launcher->iconbutton, tip, NULL);
+@@ -973,7 +973,7 @@
+ LauncherEntry *entry;
+ char group[10];
+
+- g_snprintf (group, 10, "Entry %d", i);
++ g_snprintf (group, sizeof(group), "Entry %d", i);
+
+ if (!xfce_rc_has_group (rc, group))
+ break;
+@@ -1042,7 +1042,7 @@
+ {
+ LauncherEntry *entry = g_ptr_array_index (launcher->entries, i);
+
+- g_snprintf (group, 10, "Entry %d", i);
++ g_snprintf (group, sizeof(group), "Entry %d", i);
+
+ xfce_rc_set_group (rc, group);
+
+diff -Nur -x '*.orig' -x '*~' xfce4-panel-4.3.90.1svn+r21633/plugins/launcher/launcher-dialog.c xfce4-panel-4.3.90.1svn+r21633.new/plugins/launcher/launcher-dialog.c
+--- xfce4-panel-4.3.90.1svn+r21633/plugins/launcher/launcher-dialog.c 2008-06-27 22:17:15.000000000 +0200
++++ xfce4-panel-4.3.90.1svn+r21633.new/plugins/launcher/launcher-dialog.c 2008-06-27 22:23:35.000000000 +0200
+@@ -1160,7 +1160,7 @@
+ {
+ char last[3];
+
+- g_snprintf (last, 3, "%d", ld->launcher->entries->len - 2);
++ g_snprintf (last, sizeof(last), "%d", ld->launcher->entries->len - 2);
+ path = gtk_tree_path_new_from_string (last);
+ }
+
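Review bot: Switching to `sizeof` bounds each write, but the return value of `g_snprintf` is still ignored, so truncation stays silent, and in launcher.c (inner hunks at 973 and 1042) and launcher-dialog.c (1160) the truncated string is then used as a lookup key. With `char group[10]`, `"Entry %d"` has room for at most three digits, so an index of 1000 or more produces the same group name as a lower index, and `char last[3]` cuts any row number of 100 or more before it reaches `gtk_tree_path_new_from_string`. Formatting with `g_strdup_printf ("Entry %d", i)` and a matching `g_free`, or sizing both arrays for the widest `int`, would remove the collision. The declarations of `tip`, `text`, `markup`, `date_s`, the `name` used at 1372 and the `group` used at 1042 lie outside the hunks; `sizeof` yields the buffer size only if each is an array in that scope rather than a pointer, so this should be confirmed against the full files.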