Format string bug in xscreensaver-text

Bug #781948 reported by Emanuel Bronshtein on 2011-05-12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
xscreensaver (Ubuntu)

Bug Description

Binary package hint: xscreensaver-data

/usr/bin/xscreensaver-text have format string bug .

test case :
emanuel@emanuel-desktop:~$ export HOME=/tmp
emanuel@emanuel-desktop:~$ echo "*textMode:Format_string_%n_bug" > /tmp/.xscreensaver
emanuel@emanuel-desktop:~$ xscreensaver-text --verbose --verbose
xscreensaver-text: reading /tmp/.xscreensaver
Modification of a read-only value attempted at /usr/bin/xscreensaver-text line 191.

the bug can be found at :
  if ($verbose > 1) {
    printf STDERR "$progname: mode: $text_mode\n";
    printf STDERR "$progname: literal: $text_literal\n";
    printf STDERR "$progname: file: $text_file\n";
    printf STDERR "$progname: program: $text_program\n";
    printf STDERR "$progname: url: $text_url\n";

Fix can be using print instead or add format %s to printf .

Changed in xscreensaver (Ubuntu):
status: New → Confirmed
Tormod Volden (tormodvolden) wrote :

Thanks for your report and suggested fix!

This has been fixed in my Debian tree and will be released in Debian in 5.15-4 or 5.19-1. Debian is in release freeze at the moment, but I have uploaded a preview package "5.19-1pre" to my PPA if anyone would like to test it:

Launchpad Janitor (janitor) wrote :
Download full text (5.4 KiB)

This bug was fixed in the package xscreensaver - 5.26-1ubuntu1

xscreensaver (5.26-1ubuntu1) utopic; urgency=low

  * Dropped Ubuntu changes:
    - Ubuntu delta to the screensavers sets.
    - Keep Debian Vcs-* links instead of the ~ubuntu-desktop team bzr
      repository: the Desktop team does not have interest any more.
    - The Ubuntu changes to the descriptions.
  * Merge from Debian unstable. (LP: #1283459) Remaining changes:
    - debian/control:
      + Breaks/Replaces: the old changes are not needed anymore, but the
        new changes the screensavers sets needs it.
    - debian/rules:
      + Use /usr/share/backgrounds as image directory.
      + Add translation domain to .desktop files.
    - debian/
      + Add apport hook.
    - debian/xscreensaver.dirs:
      + Install /usr/share/backgrounds. By default, settings search in
        /usr/share/backgrounds and without it, it displays an error.
    - debian/patch/90_ubuntu-branding.patch: Use Ubuntu branding.
    - debian/patches/60_sequential_glslideshow.patch:
      + Allow going through images sequentially rather than just at random in
        the GLSlideshow hack.

xscreensaver (5.26-1) unstable; urgency=low

  * New upstream release 5.26, changes since 5.23:
    - Updated feed-loading for recent Flickr changes.
    - Updated `webcollage' for recent Google changes.
    - Added Instagram and Bing as `webcollage' image sources.
    - Updated to latest autoconf.
    - Bug fixes.
  * Drop patch applied upstream:
    - debian/patches/12_upstream_use_cppflags.patch
  * Bump Standards-Version to 3.9.5 (no changes needed)

xscreensaver (5.23-1) unstable; urgency=low

  * New upstream release 5.23 (Closes: #729311)
    - New hack, geodesic
    - More heuristics for using RSS feeds as image sources
    - Improved Wikipedia parser
    - Updated webcollage for recent Flickr changes
    - Added Android to bsod
    - Made quasicrystal work on weak graphics cards
    - Better compression on icons, plists and XML files
    - Reverted that DEACTIVATE change. Bad idea.
    - Phosphor now supports amber as well as green
  * Dropped patches applied upstream:
    - 12_upstream_quasicrystal_texture_width.patch
    - 14_upstream_hexadrop_keyboard_exit.patch
    - 15_upstream_activate_faster_nontty.patch
  * debian/patches/12_upstream_use_cppflags.patch:
    Make sure CPPFLAGS are used (fixes hardening warnings)
  * debian/control: Update VCS fields (fixes Lintian warning)

xscreensaver (5.22-1) unstable; urgency=low

  * New upstream release 5.22 (Closes: #699833), changes since 5.15:
    - XInput devices now also ignore small mouse motions
    - Loading images via RSS feeds is much improved
    - Enlarged the texture image for lament
    - Made pipes be ridiculously less efficient, but spin
    - Added better mouse control to rubik, cube21, crackberg, and julia
    - Cosmetic improvements to queens and endgame
    - sonar can now ping local subnet on DHCP
    - Most savers now resize/rotate properly
    - New version of `fireworkx'
    - Minor fixes to `distort', `fontglide', `xmatrix'
    - New MacOS crash in `bsod'
    - New mode in `lcdscrub'
    - Gnome/KD...


Changed in xscreensaver (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers