
mass bug filing for undefined sn?printf use


Kees Cook

Dec 28, 2008, 3:50:04 AM
Hi,

I'd like to seek advice before I perform a mass-bug filing for this
unstable (though semi-common) use of "sprintf" and "snprintf":

sprintf(buf, "%s foo %d %d", buf, var1, var2);

This is used in many upstreams to perform a format-string-handling
version of strcat.

This was originally noticed by Anders Kaseorg in Ubuntu[1], since
-D_FORTIFY_SOURCE=2 triggers a change in behavior (buf is truncated before
handling the rest of the format string instead of performing the concat).

Upstream glibc points out[2] that using sprintf in this way is undefined
under C99, and the man pages have now been updated[3] to reflect this.
(Though I believe it is possible to patch glibc to avoid the change in
behavior, it's probably best to work on fixing all the upstreams.)

In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
and some have Build-Depends on "hardening-wrapper", which enables this
compiler flag. As such, it seems sensible to have all affected packages
fixed since the results of such a call could change. (Though it is not an
RC issue.)

And, a possible solution from Anders Kaseorg...
This example sprintf() call could be fixed as follows:
-sprintf(buf, "%s plus %d", buf, k);
+sprintf(buf + strlen(buf), " plus %d", k);
Similarly, an invalid snprintf() call could be fixed as follows:
-snprintf(buf, buflen, "%s plus %d", buf, k);
+snprintf(buf + strlen(buf), buflen - strlen(buf), " plus %d", k);
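Review bot: the snprintf rewrite on the last `+` line computes `buflen - strlen(buf)` in size_t arithmetic, so if buf has lost its terminator (strlen(buf) >= buflen) the size wraps to a huge value and the write runs past the buffer; strlen() is also evaluated twice. Store the length once and check it, e.g. `size_t used = strlen(buf); if (used < buflen) snprintf(buf + used, buflen - used, " plus %d", k);`, and compare the return value against the remaining size to detect truncation.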

Attached is a list of affected packages, generated via:

pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'

The logs for individual packages can be seen here[4]. I've tried to trim
out stuff that was Ubuntu-specific or not relevant, so apologies in advance
if there are incorrect (or missing) things in the list.

Thoughts?

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/305901
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=7075
[3] http://article.gmane.org/gmane.linux.man/639
[4] http://people.ubuntu.com/~kees/sprintf-glibc/logs/

--
Kees Cook @debian.org
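As an added example, not part of Kees's mail or any of the listed packages, here is the bounded form of the `sn?printf` append idiom described above, plus the comma-joined list case the thread mentions. `append_fmt` and `join_names` are hypothetical helper names; the fix measures the buffer first so snprintf never receives `buf` as both destination and `%s` source, and it also handles the two cases the one-line rewrite does not: an unterminated buffer and truncation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded append, the safe form of
 *     snprintf(buf, buflen, "%s plus %d", buf, k);
 * The current contents of buf are measured first and vsnprintf then writes
 * only into the unused tail, so it never gets the same object as both the
 * destination and the %s source (undefined under C99, and turned into
 * truncation by -D_FORTIFY_SOURCE=2).
 *
 * Returns the new length of buf, or -1 when:
 *   - buf has no terminator within buflen bytes (in the naive rewrite
 *     buflen - strlen(buf) would wrap to a huge size_t), or
 *   - the formatted text did not fit; buf then holds as much as fit and
 *     is still NUL-terminated.
 */
int append_fmt(char *buf, size_t buflen, const char *fmt, ...)
{
    const char *end;
    size_t used;
    int n;
    va_list ap;

    if (buflen == 0)
        return -1;
    end = memchr(buf, '\0', buflen);   /* bounded, unlike strlen() */
    if (end == NULL)
        return -1;
    used = (size_t)(end - buf);

    va_start(ap, fmt);
    n = vsnprintf(buf + used, buflen - used, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;                     /* encoding error */
    if ((size_t)n >= buflen - used)
        return -1;                     /* truncated; n is the length needed */
    return (int)(used + (size_t)n);
}

/*
 * The comma-joined list pattern from the thread, sprintf(tempbuf, "%s%s, ",
 * tempbuf, item), rebuilt on append_fmt.  Returns 0, or -1 as soon as an
 * item does not fit (buf keeps the items that did fit).
 */
int join_names(char *buf, size_t buflen, const char *const *names, size_t count)
{
    size_t i;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < count; i++) {
        if (append_fmt(buf, buflen, i == 0 ? "%s" : ", %s", names[i]) < 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs. */
    char buf[16] = "abc";
    char small[8] = "abc";
    const char *names[] = { "a", "bb", "ccc" };
    int n;

    n = append_fmt(buf, sizeof buf, " plus %d", 5);
    printf("%d -> \"%s\"\n", n, buf);            /* 10 -> "abc plus 5" */
    n = append_fmt(small, sizeof small, " plus %d", 12345);
    printf("%d -> \"%s\"\n", n, small);          /* -1 -> "abc plu" */
    n = join_names(buf, sizeof buf, names, 3);
    printf("%d -> \"%s\"\n", n, buf);            /* 0 -> "a, bb, ccc" */
    return 0;
}
```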


Adeodato Simó

Dec 28, 2008, 4:00:06 AM
> Attached is a list of affected packages,

Piping through dd-list(1) gives:

Daniel Leidert (dale) <daniel....@wgdd.de>
gabedit (U)
openbabel (U)

Laszlo Boszormenyi (GCS) <g...@debian.hu>
cdw
sidplay
sidplay-libs

Adam Cécile (Le_Vert) <gan...@le-vert.net>
aqualung
audacious-plugins (U)

Masayuki Hatta (mhatta) <mha...@debian.org>
abiword
ebview
insight

Nicolas FRANCOIS (Nekral) <nicolas....@centraliens.net>
shadow (U)

J.H.M. Dassen (Ray) <jda...@debian.org>
scrollkeeper (U)

Jari Aalto <jari....@cante.net>
wmfrog

Tim Abbott <tab...@mit.edu>
symmetrica

Moray Allan <mo...@debian.org>
gpe-conf (U)

Bill Allombert <ball...@debian.org>
pari

Per Andersson <avto...@gmail.com>
micro-evtd

Domenico Andreoli <ca...@debian.org>
curl

Hakan Ardo <ha...@debian.org>
binutils-avr
gdb-avr

Ben Armstrong <sy...@sanctuary.nslug.ns.ca>
xpilot-ng

maximilian attems <ma...@debian.org>
linux-2.6 (U)

Michael Banck <mba...@debian.org>
gridengine (U)
openbabel (U)

Karl Bartel <ka...@gmx.net>
black-box
penguin-command

Andreas Barth <a...@not.so.argh.org>
db4.2 (U)

Daniel Baumann <dan...@debian.org>
tack

Christian Bayle <ba...@debian.org>
gatos

Christoph Berg <my...@debian.org>
oftc-hybrid

Armin Berres <trigger...@space-based.de>
kdeedu (U)

Sylvain Beucler <be...@beuc.net>
freedink (U)

Stephen Birch <sgb...@imsmail.org>
xball

Julien BLACHE <jbl...@debian.org>
unpaper

Bastian Blank <wa...@debian.org>
linux-2.6 (U)

Phil Blundell <p...@nexus.co.uk>
prismstumbler

Phil Blundell <p...@debian.org>
gpe-conf (U)

A. Maitland Bottoms <bot...@debian.org>
vtk

Gonéri Le Bouder <gon...@rulezlan.org>
barrage (U)
starfighter (U)

Fathi Boudra <fa...@debian.org>
kdeedu (U)

Alan Boudreault <aboud...@mapgears.com>
mapserver (U)

Nicholas Breen <nbr...@ofb.net>
gromacs (U)

Ludovic Brenta <lbr...@debian.org>
gnat-gps

Rogério Brito <rbr...@ime.usp.br>
avr-evtd

Cyril Brulebois <ki...@debian.org>
blender
desmume (U)

Krzysztof Burghardt <krzy...@burghardt.pl>
xawtv

Daniel Burrows <dbur...@debian.org>
criticalmass

Paul Cager <paul-...@home.paulcager.org>
afnix

Ondrej Certik <ond...@certik.cz>
openmx (U)
paraview (U)

Christian Holm Christensen <ch...@nbi.dk>
root-system

Tzafrir Cohen <tzafri...@xorcom.com>
asterisk (U)

Adam Conrad <adco...@0c3.net>
db4.2 (U)
samba (U)

Arnaud Cornet <aco...@debian.org>
ircd-ratbox

Leo Costela <cos...@debian.org>
tcptrack

Julien Cristau <jcri...@debian.org>
libx11 (U)

Marco d'Itri <m...@linux.it>
ifmail

Joost Yervante Damad <and...@debian.org>
timidity

Matthew Danish <m...@debian.org>
sdlperl (U)

Julien Danjou <ac...@debian.org>
tetrinetx

LI Daobing <lida...@gmail.com>
liblunar
openbabel (U)

Debian ACE+TAO maintainers <pkg-ac...@lists.alioth.debian.org>
ace

Debian Audacious Packagers <pkg-audaciou...@lists.alioth.debian.org>
audacious-plugins

Debian Berkeley DB Maintainers <pkg-db...@lists.alioth.debian.org>
db4.2

Debian Evolution Maintainers <pkg-evolutio...@lists.alioth.debian.org>
evolution-data-server

Debian Games Team <pkg-gam...@lists.alioth.debian.org>
barrage
billard-gl
desmume
freedink
plib (U)
starfighter
xbill
xgalaga

Debian GCC Maintainers <debia...@lists.debian.org>
gcc-3.3
gcc-3.4
gcc-4.1
gcc-4.2
gcc-4.3
gcc-snapshot

Debian GIS Project <pkg-gra...@lists.alioth.debian.org>
gdal
gmt
grass
mapserver
ogdi-dfsg

Debian GNOME Maintainers <pkg-gnome-...@lists.alioth.debian.org>
gnome-games (U)
scrollkeeper (U)

Debian GPE team <pkg-gpe-m...@lists.alioth.debian.org>
gpe-conf (U)

Debian Grid Engine Maintainers <pkg-griden...@lists.alioth.debian.org>
gridengine

Debian Kernel Team <debian...@lists.debian.org>
linux-2.6

Debian multimedia packages maintainers <pkg-multimedi...@lists.alioth.debian.org>
vlc

Debian MySQL Maintainers <pkg-mys...@lists.alioth.debian.org>
mysql-dfsg-5.0

Debian Nagios Maintainer Group <pkg-nagi...@lists.alioth.debian.org>
nagios-plugins

Debian Perl Group <pkg-perl-m...@lists.alioth.debian.org>
libpar-packer-perl

Debian Qt/KDE Maintainers <debian...@lists.debian.org>
kdeedu

Debian Ruby Extras Maintainers <pkg-ruby-extr...@lists.alioth.debian.org>
libgsl-ruby (U)

Debian Samba Maintainers <pkg-sam...@lists.alioth.debian.org>
samba

Debian Scientific Computing Team <pkg-scic...@lists.alioth.debian.org>
openmx
paraview

Debian SDL packages maintainers <pkg-sdl-m...@lists.alioth.debian.org>
sdlperl

Debian VDR Team <pkg-vdr-...@lists.alioth.debian.org>
vdr-plugin-weather
vdr-plugin-xineliboutput

Debian VoIP Team <pkg-voip-m...@lists.alioth.debian.org>
asterisk
iaxclient

Debian X Strike Force <debi...@lists.debian.org>
libx11

Debian Xfce Maintainers <pkg-xfc...@lists.alioth.debian.org>
xfce4-mpc-plugin

Debian-Med Packaging Team <debian-med...@lists.alioth.debian.org>
ctn
mafft

Debichem Team <debiche...@lists.alioth.debian.org>
gabedit
gromacs
openbabel

Barry deFreese <bdde...@comcast.net>
barrage (U)
billard-gl (U)
xbill (U)

Murat Demirten <mu...@debian.org>
ettercap

Mattia Dongili <mala...@debian.org>
user-mode-linux (U)

Ludovic Drolez <ldr...@debian.org>
swish-e

Sebastian Dröge <sl...@debian.org>
gnome-games (U)

Bernd Eckenfels <ec...@debian.org>
ircii

Mark W. Eichin <eic...@thok.org>
owl

Peter Eisentraut <pet...@debian.org>
psqlodbc
slony1

Rene Engelhard <re...@debian.org>
kover

Carey Evans <ca...@debian.org>
tn5250

Bartosz Fenski <fe...@debian.org>
billard-gl (U)
libstatgrab
starfighter (U)

Sean Finney <sea...@debian.org>
mysql-dfsg-5.0 (U)
nagios-plugins (U)

Pedro Fragoso <em...@ubuntu.com>
evolution-data-server (U)

Bdale Garbee <bd...@gag.com>
xtrkcad

Hector Garcia <hec...@debian.org>
mindi-busybox (U)
mondo (U)

David Moreno Garza <da...@debian.org>
gcolor2 (U)

Ionut Georgescu <geo...@pks.mpg.de>
grace

Pascal Giard <pas...@debian.org>
desmume (U)

Thomas Girard <thomas....@free.fr>
ace (U)

Oystein Gisnas <oys...@gisnas.net>
evolution-data-server (U)

Kevin Glynn <kev...@debian.org>
mozart

Rudy Godoy <ru...@kernel-panik.org>
xfce4-mpc-plugin (U)

John Goerzen <jgoe...@complete.org>
libcdk5

Evgeni Golov <sarg...@die-welt.net>
desmume (U)

Andreas "Jimmy" Gredler <ji...@g-tec.co.at>
gcom

Tobias Grimm <et...@debian.org>
vdr-plugin-xineliboutput (U)

Tobias Grimm <t...@e-tobi.net>
vdr-plugin-weather (U)

Debian QA Group <pack...@qa.debian.org>
adplug
gamix
gdb-m68hc1x
gtk-imonc
htdig
mp3splt
pload
plotmtv
sqlrelay
tcpick
tgif
ude
varkon
vbpp
xmcd

Yu Guanghui <y...@debian.org>
unicon

Aurélien GÉRÔME <a...@roxor.cx>
restartd

Aurélien GÉRÔME <a...@debian.org>
ircd-hybrid (U)

Thomas Günther <t...@toms-cafe.de>
vdr-plugin-weather (U)
vdr-plugin-xineliboutput (U)

Henrique Haas <med...@gnoia.org>
trueprint

Steve Halasz <deb...@adkgis.org>
gdal (U)
grass (U)

Christian Hammers <c...@debian.org>
mysql-dfsg-5.0 (U)

Sam Hartman <hart...@debian.org>
barnowl

Heikki Henriksen <hei...@gmail.com>
evolution-data-server (U)

M. Alex Hermosilla <sash...@gmail.com>
multi-aterm

gregor herrmann <gre...@debian.org>
libpar-packer-perl (U)

Mike Hommey <glan...@debian.org>
xulrunner

Simon Huggins <hug...@earth.li>
xfce4-mpc-plugin (U)

Zephaniah E. Hull <wa...@debian.org>
sdlperl (U)

Mark Hymers <m...@debian.org>
gridengine (U)

Ervin Hearn III <nol...@korongil.net>
pennmush

Damyan Ivanov <d...@debian.org>
libpar-packer-perl (U)

Shaun Jackman <sjac...@debian.org>
pocketpc-binutils
pocketpc-gas

Daniel Jacobowitz <d...@debian.org>
binutils (U)
gdb

Michael Janssen <jam...@debian.org>
player

Aurelien Jarno <aur...@debian.org>
med-fichier
sdlperl (U)

Joerg Jaspert <jo...@debian.org>
epiphany

Steffen Joeris <wh...@debian.org>
dc-qt

LaMont Jones <lam...@debian.org>
4g8
packit

Guillem Jover <gui...@debian.org>
bochs

Morten Kjeldgaard <mo...@ubuntu.com>
cbflib

Matthias Klose <do...@debian.org>
binutils
curl (U)
gcc-3.3 (U)
gcc-3.4 (U)
gcc-4.1 (U)
gcc-4.2 (U)
gcc-4.3 (U)
gcc-snapshot (U)
isdnutils (U)
rudiments

Daniel Kobras <kob...@debian.org>
dx

Alexander Kotelnikov <sa...@debian.org>
fvwm (U)

Kilian Krause <kil...@debian.org>
asterisk (U)
iaxclient (U)

Joshua Kwan <jo...@triplehelix.org>
abiword (U)
ircd-hybrid

Noèl Köthe <no...@debian.org>
gdis
lftp
samba (U)

Torsten Landschoff <tor...@debian.org>
gmt (U)

Mario Lang <ml...@debian.org>
espeak
screader

Steve Langasek <vor...@debian.org>
samba (U)
unixodbc

Ron Lee <r...@debian.org>
cpad-kernel
wacom-tools

Andree Leidenfrost <and...@debian.org>
mindi-busybox
mondo

Faidon Liambotis <para...@debian.org>
asterisk (U)
iaxclient (U)

Arthur Loiret <arthur...@gmail.com>
binutils-m68hc1x
gcc-m68hc1x

Ana Beatriz Guerrero Lopez <a...@debian.org>
kdeedu (U)

Martin Loschwitz <mad...@debian.org>
xfce4-mpc-plugin (U)

Francesco P. Lovergine <fra...@debian.org>
gmt (U)

Francesco Paolo Lovergine <fra...@debian.org>
gdal (U)
grass (U)
mapserver (U)
ogdi-dfsg (U)

Robert Luberda <rob...@debian.org>
afterstep
dwww
man2html
welcome2l

Ola Lundqvist <op...@debian.org>
dact (U)
vzquota
xabacus (U)

Tyler 'Crackerjack' MacDonald <crack...@crackerjack.net>
mod-bt

Pierre Machard <pmac...@debian.org>
mozart (U)

Mikael Magnusson <mi...@users.sourceforge.net>
iaxclient (U)

Camm Maguire <ca...@enhanced.com>
gcl
gclcvs

Adam Majer <ad...@zombino.com>
mysql-gui-tools

Jose Luis Blanco (University of Malaga) <joselui...@gmail.com>
mrpt

Jordi Mallach <jo...@debian.org>
evolution-data-server (U)

Lionel Elie Mamane <lio...@mamane.lu>
xabacus (U)

Margarita Manterola <deb...@marga.com.ar>
evolution-data-server (U)

Konstantinos Margaritis <mar...@debian.org>
ace (U)

Christian Marillat <mari...@debian.org>
cricket

Bart Martens <ba...@debian.org>
bomberclone
rockdodger

Jonathan McDowell <noo...@earth.li>
l2tpns
smsclient

Jose Carlos Medeiros <deb...@psabs.com.br>
dact
xabacus

Remco van de Meent <re...@debian.org>
libsmi

A Mennucc1 <menn...@debian.org>
mplayer

Loic Minier <lo...@dooz.org>
evolution-data-server (U)
scrollkeeper (U)
vlc (U)

Atsushi Mitsuka <mit...@misao.gr.jp>
canna

Ricardo Mones <mo...@debian.org>
epiphany (U)

David Martínez Moreno <en...@debian.org>
uclmmbase

Daigo Moriwaki <da...@debian.org>
libgsl-ruby

Josselin Mouette <jo...@debian.org>
gnome-games
sdlperl (U)

Christophe Mutricy <xto...@videolan.org>
vlc (U)

Francesco Namuri <fran...@namuri.it>
lopster

Brian Nelson <py...@debian.org>
ace (U)

Jan Christoph Nordholz <he...@pool.math.tu-berlin.de>
hypermail

David Nusinow <dnus...@debian.org>
libx11 (U)

Masahito Omote <om...@debian.org>
uim

Jonathan Oxer <j...@debian.org>
lcdproc (U)

Sam Hocevar (Debian packages) <sam...@zoy.org>
genesis
lesstif2
sdlperl (U)
starfighter (U)
vlc (U)
yasm

Kari Pahula <ka...@debian.org>
crossfire

Jiri Palecek <jpal...@web.de>
ltp

David Paleino <d.pa...@gmail.com>
mafft (U)

Gerrit Pape <pa...@smarden.org>
cfs

Eloy A. Paris <pe...@debian.org>
samba (U)

Guilherme de S. Pastore <gpas...@debian.org>
eggdrop

Javier Fernandez-Sanguino Pen~a <j...@computer.org>
cal

Víctor Pérez Pereira <vpe...@debianvenezuela.org>
grmonitor

Yves-Alexis Perez <cor...@debian.org>
evolution-data-server (U)
xfce4-mpc-plugin (U)

Christian Perrier <bub...@debian.org>
samba (U)
shadow (U)

Frederic Peters <fpe...@debian.org>
gaby

William Pitcock <nen...@dereferenced.org>
audacious-plugins (U)

Charles Plessy <ple...@debian.org>
mafft (U)

Christophe Prud'homme <prud...@debian.org>
openmx (U)
paraview (U)

Justin Pryzby <justin...@users.sf.net>
sextractor

Mark Purcell <m...@debian.org>
asterisk (U)
iaxclient (U)
mp3rename

Andreas Putzo <and...@putzo.net>
mapserver (U)

Martin Quinson <mqui...@debian.org>
nws
shadow (U)

Florian Ragwitz <ra...@debianforum.de>
viruskiller

Thierry Randrianiriana <randria...@gmail.com>
gnuplot (U)
qpopper

Thierry Reding <thi...@doppeltgemoppelt.de>
billard-gl (U)

Petter Reinholdtsen <pe...@debian.org>
gdal (U)
mapserver (U)

Sebastian Rittau <sri...@debian.org>
netatalk (U)

Emanuele Rocca <e...@debian.org>
xfce4-mpc-plugin (U)

Roland Rosenfeld <rol...@debian.org>
emil

Matthew Rosewarne <mrose...@inoutbox.com>
kdeedu (U)

Piotr Roszatycki <dex...@debian.org>
z88dk (U)

Nick Rusnov <nickr...@debian.org>
wayv

Hendrik Sattler <deb...@hendrik-sattler.de>
libopenobex

Daniel Schepler <sche...@debian.org>
kdeedu (U)

Alexander Schmehl <tol...@debian.org>
starfighter (U)

Thomas Schmidt <tsch...@debian.org>
vdr-plugin-weather (U)
vdr-plugin-xineliboutput (U)

Andreas Schuldei <and...@debian.org>
curl (U)

Ryan Schultz <schult...@gmail.com>
pcsx-df
psemu-video-x11

Joey Schulze <jo...@debian.org>
xxgdb

Martin Schulze <jo...@debian.org>
uucpsend

Frederik Schüler <f...@debian.org>
linux-2.6 (U)

Riccardo Setti <gis...@debian.org>
evolution-data-server (U)

Shadow package maintainers <pkg-shad...@lists.alioth.debian.org>
shadow

Jamey Sharp <shar...@debian.org>
libx11 (U)

Gustavo Noronha Silva <k...@debian.org>
scrollkeeper (U)

Guus Sliepen <gu...@debian.org>
blobandconquer
blobwars

Paul Slootman <pa...@debian.org>
isdnutils
isdnutils (U)

Jonas Smedegaard <d...@jones.dk>
netatalk
netatalk (U)
vrflash

Bradley Smith <brad...@debian.org>
gnuchess
gnuplot

Bradley Smith <br...@brad-smith.co.uk>
plib
scrollkeeper

Carlos C Soto <cs...@sia-solutions.com>
gcolor2

Manoj Srivastava <sriv...@debian.org>
fvwm
fvwm (U)

Christian T. Steigies <c...@debian.org>
bumprace
luola

Clément Stenac <zor...@debian.org>
vlc (U)

Roland Stigge <sti...@antcom.de>
xenomai

Philippe De Swert <philipp...@scarlet.be>
gpe-conf (U)

Matt Taggart <tag...@debian.org>
arrayprobe
cpqarrayd

Jose Luis Tallon <jlta...@adv-solutions.net>
lcdproc

Reinhard Tartler <sire...@tauware.de>
desmume (U)

Michael Tautschnig <m...@debian.org>
binutils-h8300-hms

Monty Taylor <mor...@inaugust.com>
mysql-dfsg-5.0 (U)

Andreas Tille <ti...@debian.org>
ctn (U)

Gerhard Tonn <g...@debian.org>
gcc-3.3 (U)
gcc-3.4 (U)

Fabio Tranchitella <kob...@debian.org>
gdal (U)
mapserver (U)

Ralf Treinen <tre...@debian.org>
yap

Norbert Tretkowski <no...@debian.org>
mysql-dfsg-5.0 (U)

Josh Triplett <jo...@freedesktop.org>
libx11 (U)

Mohammed Adnène Trojette <adn...@diwi.org>
vlc (U)

Guido Trotter <ultr...@debian.org>
nagios-plugins (U)

James Troup <ja...@nocrew.org>
binutils (U)

Niko Tyni <nt...@debian.org>
libpar-packer-perl (U)

Aaron M. Ucko <uc...@debian.org>
ncbi-tools6

User Mode Linux Maintainers <pkg-um...@lists.alioth.debian.org>
user-mode-linux

Wouter Verhelst <wou...@debian.org>
logtool

Sune Vuorela <deb...@pusling.com>
kdeedu (U)

Jan Wagner <wa...@cyconet.org>
nagios-plugins (U)

Florian Weimer <f...@deneb.enyo.de>
db4.2 (U)

Torsten Werner <twe...@debian.org>
grace (U)

Matthew Wilcox <wi...@debian.org>
db4.2 (U)

Jamie Wilkinson <j...@debian.org>
osiris

Lawrence Williams <lawrence_ce...@hotmail.com>
sdlperl (U)

Neil Williams <code...@debian.org>
gpe-conf

Alexander Wirt <form...@debian.org>
nagios-plugins (U)

Paul Wise <pa...@debian.org>
gdal (U)
mapserver (U)
xgalaga (U)

Krystian Wlosek <tyg...@waw.pdi.net>
z88dk

ARAKI Yasuhiro <a...@debian.org>
sip-tester

NIIBE Yutaka <gni...@fsij.org>
gplcver

Oohara Yuuma <ooh...@debian.org>
w-bassman

Stefano Zacchiroli <za...@debian.org>
wmi (U)

James R. Van Zandt <j...@debian.org>
gpstrans

Bernd Zeimetz <bz...@debian.org>
wmi (U)

Zenoss Packaging Team <pkg-zen...@lists.alioth.debian.org>
wmi

Massimo Dal Zotto <d...@debian.org>
nap

Michal Čihař <ni...@debian.org>
gammu

--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org

Listening to: Javier Álvarez - Las casas de cartón


--
To UNSUBSCRIBE, email to debian-dev...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Josselin Mouette

Dec 28, 2008, 4:20:05 AM
On Sunday, 28 December 2008 at 09:53 +0100, Adeodato Simó wrote:
> gnome-games

They are from the bundled copy of gnuchess, which is not built.

--
.''`.
: :' : We are debian.org. Lower your prices, surrender your code.
`. `' We will add your hardware and software distinctiveness to
`- our own. Resistance is futile.


Mike Hommey

Dec 28, 2008, 4:20:04 AM
On Sun, Dec 28, 2008 at 09:53:40AM +0100, Adeodato Simó wrote:
> Mike Hommey <glan...@debian.org>
> xulrunner

./xulrunner-1.8.1.16+nobinonly/toolkit/mozapps/installer/unix/wizard/nsXIEngine.cpp:
sprintf(libpath, "%s/%s", libpath, XPISTUB);
./xulrunner-1.8.1.16+nobinonly/xpinstall/wizard/unix/src2/nsXIEngine.cpp:
sprintf(libpath, "%s/%s", libpath, XPISTUB);

We don't care for these, they are not built.

Mike

Miguel Figueiredo

Dec 28, 2008, 4:50:04 AM
Sun, 2008-12-28 at 00:42 -0800, Kees Cook wrote:
> Hi,
>
> I'd like to seek advice before I perform a mass-bug filing for this
> unstable (though semi-common) use of "sprintf" and "snprintf":
>
> sprintf(buf, "%s foo %d %d", buf, var1, var2);
>
> This is used in many upstreams to perform a format-string-handling
> version of strcat.

[...]

This will be reported upstream?

David Paleino

Dec 28, 2008, 5:10:08 AM
On Sun, 28 Dec 2008 09:53:40 +0100, Adeodato Simó wrote:

> > Attached is a list of affected packages,
>
> Piping through dd-list(1) gives:
>

> [..]


>
> Debian-Med Packaging Team <debian-med...@lists.alioth.debian.org>
> ctn
> mafft
>

> Andreas Tille <ti...@debian.org>
> ctn (U)
>

> David Paleino <d.pa...@gmail.com>
> mafft (U)
>

> Charles Plessy <ple...@debian.org>
> mafft (U)

As regards ctn, it is from a bundled app we're not building (nor do upstream's Makefiles):

$ pcregrep -rnM 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,' .
./apps/spray_image/spray_image.c:465: return sprintf(uid, "%s.%d", uid, studyNum);
./apps/spray_image/spray_image.c:471: return sprintf(uid, "%s.%d.%d", uid, studyNum, seriesNum);
./apps/spray_image/spray_image.c:477: return sprintf(uid, "%s.%d.%d.%d", uid, studyNum, seriesNum, instanceNum);
$ grep -inR spray_image *
apps/spray_image/Makefile:3:NAME = spray_image
apps/spray_image/Makefile:47: ./spray_image -q -r -a DRNO -c DRNO drno 2100 a.dcm
apps/spray_image/spray_image.c:55:** Source File: $RCSfile: spray_image.c,v $
apps/spray_image/spray_image.c:60:static char rcsid[] = "$Revision: 1.4 $ $RCSfile: spray_image.c,v $";
$ apt-file list ctn | grep spray
$

mafft has been fixed in Debian-Med's svn, thank you.

Kindly,
David

--
. ''`. Debian maintainer | http://wiki.debian.org/DavidPaleino
: :' : Linuxer #334216 --|-- http://www.hanskalabs.net/
`. `'` GPG: 1392B174 ----|---- http://snipr.com/qa_page
`- 2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174


Neil Williams

Dec 28, 2008, 5:30:09 AM
On Sun, 28 Dec 2008 00:42:46 -0800
Kees Cook <ke...@outflux.net> wrote:

> I'd like to seek advice before I perform a mass-bug filing for this
> unstable (though semi-common) use of "sprintf" and "snprintf":
>
> sprintf(buf, "%s foo %d %d", buf, var1, var2);
>
> This is used in many upstreams to perform a format-string-handling
> version of strcat.
>
> This was originally noticed by Anders Kaseorg in Ubuntu[1], since
> -D_FORTIFY_SOURCE=2 triggers a change in behavior (buf is truncated before
> handling the rest of the format string instead of performing the concat).
>
> Upstream glibc points out[2] that using sprintf in this way is undefined
> under C99, and the man pages have now been updated[3] to reflect this.
> (Though I believe it is possible to patch glibc to avoid the change in
> behavior, it's probably best to work on fixing all the upstreams.)
>
> In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> and some have Build-Depends on "hardening-wrapper", which enables this
> compiler flag. As such, it seems sensible to have all affected packages
> fixed since the results of such a call could change. (Though it is not an
> RC issue.)

By all affected packages, do you mean packages that use the code or
packages that use the code *AND* compile with or
Build-Depend on hardening-wrapper?

IMHO any bugs filed merely due to the presence of the code without the
means to trigger the error in normal builds should be wishlist.

Re:


Debian GPE team <pkg-gpe-m...@lists.alioth.debian.org>
gpe-conf (U)

gpe-conf, being Gtk+ and therefore GLib, can simply switch to using
g_strconcat or g_sn?printf or g_strdup_printf and avoid all these
problems. In the specific case of gpe-conf, only two of the files using
this code do not already include gtk/gtk.h or glib/glib.h so it is only
sensible to use the GLib functions instead for most if not all
occurrences. (Indeed, in many cases, the use of a newly allocated
string to be freed later, instead of a static fixed buffer has other
benefits elsewhere.)

> And, a possible solution from Anders Kaseorg...
> This example sprintf() call could be fixed as follows:
> -sprintf(buf, "%s plus %d", buf, k);
> +sprintf(buf + strlen(buf), " plus %d", k);
> Similarly, an invalid snprintf() call could be fixed as follows:
> -snprintf(buf, buflen, "%s plus %d", buf, k);
> +snprintf(buf + strlen(buf), buflen - strlen(buf), " plus %d", k);
>
> Attached is a list of affected packages, generated via:
>
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
>
> The logs for individual packages can be seen here[4]. I've tried to trim
> out stuff that was Ubuntu-specific or not relevant, so apologies in advance
> if there are incorrect (or missing) things in the list.
>
> Thoughts?

Split the list according to packages that merely match the regexp and
those that match the regexp *AND* match a second regexp indicating that
the build system either uses -D_FORTIFY_SOURCE=2 or hardening-wrapper?

--


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

Julien BLACHE

Dec 28, 2008, 5:40:08 AM
Adeodato Simó <da...@net.com.org.es> wrote:

Hi,

> Julien BLACHE <jbl...@debian.org>
> unpaper

Patch sent.

JB.

--
Julien BLACHE - Debian & GNU/Linux Developer - <jbl...@debian.org>

Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169

Tzafrir Cohen

Dec 28, 2008, 5:50:06 AM
On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:

> asterisk

The relevant code is only:

channels/misdn_config.c: sprintf(tempbuf, "%s%s, ", tempbuf, iter->msn);

chan_misdn is not built on the Debian package (though IIRC it is
built in some unofficial builds). Nevertheless the code exists in
upstream trunk and should be fixed.

> iaxclient

A single hit in simpleclient/WinIAX/WinIAX.cpp . That's a sample win32
code, and I guess we don't build it yet.

--
Tzafrir Cohen | tza...@jabber.org | VIM is
http://tzafrir.org.il | | a Mutt's
tza...@cohens.org.il | | best
ICQ# 16849754 | | friend

José Luis Tallón

Dec 28, 2008, 9:20:08 AM
For LCDproc (as of 5.2), the only matching line is:

contrib/interface-demo2/if_demo.c: sprintf(buffer,
"%s,%s", buffer, if_list[i].if_name);

whose resulting code is not even installed in binary form.

> Thoughts?
>
> Thanks,
>

Thank you for taking the time to investigate this issue.

Thomas Viehmann

Dec 28, 2008, 9:20:08 AM
Kees Cook wrote:
> Attached is a list of affected packages, generated via:
>
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
>
> The logs for individual packages can be seen here[4]. I've tried to trim
> out stuff that was Ubuntu-specific or not relevant, so apologies in advance
> if there are incorrect (or missing) things in the list.
>
> Thoughts?

How about either matching stuff against the build logs or recompiling
with a compiler that actually fails when asked to compile a file that
matches? That would seem to have potential for reducing the number of
false positives.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/

Cyril Brulebois

Dec 28, 2008, 10:00:14 AM
Adeodato Simó <da...@net.com.org.es> (28/12/2008):

> > Attached is a list of affected packages,
> Cyril Brulebois <ki...@debian.org>
> blender

Bleh… Already pointed out upstream some time ago, but since they don't
care about security at all… I guess I'll have to maintain another sec
patch for years…

> desmume (U)

Evgeni might take care of this one, I think he's very close to upstream.

Mraw,
KiBi.


Steve Langasek

Dec 28, 2008, 1:10:12 PM
On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> And, a possible solution from Anders Kaseorg...
> This example sprintf() call could be fixed as follows:
> -sprintf(buf, "%s plus %d", buf, k);
> +sprintf(buf + strlen(buf), " plus %d", k);
> Similarly, an invalid snprintf() call could be fixed as follows:
> -snprintf(buf, buflen, "%s plus %d", buf, k);
> +snprintf(buf + strlen(buf), buflen - strlen(buf), " plus %d", k);

> Attached is a list of affected packages, generated via:

> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'

I would note that this regexp, and the proposed solution, will not match
i18nized format strings; i.e.,

sprintf(buf, _("%s plus %d"), buf, k);

I don't know whether these are also a problem in practice - but if so, using
sprintf(buf + strlen(buf) [...]) is definitely wrong.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slan...@ubuntu.com vor...@debian.org

Michal Čihař

Dec 28, 2008, 1:40:10 PM
Hi

On Sun, 28 Dec 2008 09:53:40 +0100
Adeodato Simó <da...@net.com.org.es> wrote:

> Michal Čihař <ni...@debian.org>
> gammu

Affected code is only in some example, however I will fix it upstream...

--
Michal Čihař | http://cihar.com | http://blog.cihar.com


Steve Langasek

Dec 28, 2008, 3:00:14 PM
On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> samba

Another false positive, AFAICS:

$ pcregrep -rM 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,' source
source/libads/kerberos.c: fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
$

Perhaps adding a \b to the front of the regexp would be appropriate?

Adam Borowski

Dec 28, 2008, 4:50:07 PM
On Sun, Dec 28, 2008 at 12:02:46PM -0600, Steve Langasek wrote:
> On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> > pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> > pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
>
> I would note that this regexp, and the proposed solution, will not match
> i18nized format strings; i.e.,
>
> sprintf(buf, _("%s plus %d"), buf, k);

If _any_ of the translations doesn't start with %s, it will break. Oh, and
you used sprintf() not snprintf() -- it's a guaranteed trample&segfault
here. From what I've seen, many languages like to quote things not usually
quoted in English, so the core will be filled with '`', '“' or '»'.

The sprintf(buf, "%s foo", buf) hack is indeed something that should be
rooted out. It happens to work on glibc (usually), but it's neither
portable nor sane.

> I don't know whether these are also a problem in practice - but if so, using
> sprintf(buf + strlen(buf) [...]) is definitely wrong.

In that case, I see no choice but using a second buffer...

--
1KB // Microsoft corollary to Hanlon's razor:
// Never attribute to stupidity what can be
// adequately explained by malice.
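The "second buffer" approach for a translated format, as an added example that is not code from the thread or from any package discussed in it. `rebuild_plus` is a hypothetical helper; the English format and the quoting "translation" stand in for `_()` catalogue entries and are constructed here. Because the format may put text before or around the `%s`, the `buf + strlen(buf)` rewrite cannot be applied; instead `buf` is only ever read as the `%s` argument, the output goes to a scratch buffer, and it is copied back once it is known to fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Replacement for
 *     sprintf(buf, _("%s plus %d"), buf, k);
 * where fmt comes from a translation catalogue.  A translation such as
 * "`%s' plus %d" does not start with %s, so appending at buf + strlen(buf)
 * would be wrong.  buf is passed to snprintf only as the %s source; the
 * result is built in tmp and copied back.
 *
 * Returns 0 on success, -1 (buf untouched) if the result would not fit in
 * buflen bytes or tmp could not be allocated.
 */
int rebuild_plus(char *buf, size_t buflen, const char *fmt, int k)
{
    char *tmp;
    int n;

    if (buflen == 0)
        return -1;
    tmp = malloc(buflen);
    if (tmp == NULL)
        return -1;

    n = snprintf(tmp, buflen, fmt, buf, k);   /* buf is read, never written */
    if (n < 0 || (size_t)n >= buflen) {
        free(tmp);
        return -1;                            /* would have been truncated */
    }
    memcpy(buf, tmp, (size_t)n + 1);          /* includes the terminator */
    free(tmp);
    return 0;
}

int main(void)
{
    /* Constructed stand-ins for _(): the English entry and a translation
       that quotes the %s argument, as Adam's mail describes. */
    const char *en = "%s plus %d";
    const char *quoted = "`%s' plus %d";
    char buf[16] = "abc";

    if (rebuild_plus(buf, sizeof buf, en, 5) == 0)
        printf("%s\n", buf);               /* abc plus 5 */
    strcpy(buf, "abc");
    if (rebuild_plus(buf, sizeof buf, quoted, 5) == 0)
        printf("%s\n", buf);               /* `abc' plus 5 */
    return 0;
}
```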

Evgeni Golov

Dec 29, 2008, 7:30:09 AM
On Sun, 28 Dec 2008 09:53:40 +0100 Adeodato Simó wrote:

> Evgeni Golov <sarg...@die-welt.net>
> desmume (U)

Forwarded upstream, they'll fix that asap.

Kees Cook

Dec 29, 2008, 9:10:09 PM
On Sun, Dec 28, 2008 at 01:51:45PM -0600, Steve Langasek wrote:
> On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> > samba
>
> Another false positive, AFAICS:
>
> $ pcregrep -rM 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,' source
> source/libads/kerberos.c: fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);

Thanks, I've marked samba and wmi as false alarms.

> Perhaps adding a \b to the front of the regexp would be appropriate?

I didn't include a word-break intentionally; I think the benefits are
greater, since it catches luckily-named variations like g_sprintf (which
I knew of ahead of time) and ircsprintf (found during search).

-Kees

--
Kees Cook @debian.org

Kees Cook

Dec 29, 2008, 9:20:06 PM
Hi,

On Sun, Dec 28, 2008 at 03:10:37PM +0100, Thomas Viehmann wrote:
> How about either matching stuff against the build logs or recompiling

I didn't have the resources to do this, but it'd be great if someone could.

> with a compiler that actually fails when asked to compile a file that
> matches? That would seem to have potential for reducing the number of
> false positives.

I'd really love that too -- I just don't know how to modify the compiler to
do it. :)

-Kees

--
Kees Cook @debian.org


Kees Cook

Dec 29, 2008, 9:30:08 PM
On Sun, Dec 28, 2008 at 10:27:16AM +0000, Neil Williams wrote:
> On Sun, 28 Dec 2008 00:42:46 -0800 Kees Cook <ke...@outflux.net> wrote:
> > In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> > and some have Build-Depends on "hardening-wrapper", which enables this
> > compiler flag. As such, it seems sensible to have all affected packages
> > fixed since the results of such a call could change. (Though it is not an
> > RC issue.)
>
> By all affected packages, do you mean packages that use the code or
> packages that use the code *AND* compile with or
> Build-Depend on hardening-wrapper?
>
> IMHO any bugs filed merely due to the presence of the code without the
> means to trigger the error in normal builds should be wishlist.

Sorry for the confusion -- I meant "present in the code", not "actively
broken". I agree it's not a "normal" bug, but I'd like to see the bug at
least as "low" since (with a stock glibc) the bug would appear if a
maintainer decided to use "hardening-wrapper".

> > Thoughts?
>
> Split the list according to packages that merely match the regexp and
> those that match the regexp *AND* match a second regexp indicating that
> the build system either uses -D_FORTIFY_SOURCE=2 or hardening-wrapper?

Good idea, those can be opened with "normal" severity.

Asheesh Laroia
Dec 30, 2008, 12:40:06 AM

On Mon, 29 Dec 2008, Kees Cook wrote:

> Hi,
>
> On Sun, Dec 28, 2008 at 03:10:37PM +0100, Thomas Viehmann wrote:
>> How about either matching stuff against the build logs or recompiling
>
> I didn't have the resources to do this, but it's be great if someone could.

I'll work on this now.

-- Asheesh.

--
Your ignorance cramps my conversation.

LI Daobing (李道兵)
Dec 30, 2008, 1:00:11 AM

On Sun, Dec 28, 2008 at 4:53 PM, Adeodato Simó <da...@net.com.org.es> wrote:
>> Attached is a list of affected packages,
>
> Piping through dd-list(1) gives:
>
> LI Daobing <lida...@gmail.com>
> liblunar
forwarded to upstream, and he will fix it in next release.

> openbabel (U)
left to debichem team.

--
Best Regards,
LI Daobing

Thomas Viehmann
Dec 30, 2008, 2:50:10 AM

Hi,

Kees Cook wrote:
> On Sun, Dec 28, 2008 at 03:10:37PM +0100, Thomas Viehmann wrote:
>> How about either matching stuff against the build logs or recompiling

> I didn't have the resources to do this, but it's be great if someone could.

If you have the means of recompiling, say with pbuilder, that should
give you logs to look at.

>> with a compiler that actually fails when asked to compile a file that
>> matches? That would seem to have potential for reducing the number of
>> false positives.
>
> I'd really love that too -- I just don't know how to modify the compiler to
> do it. :)

You could try to use a wrapper for the various gcc binaries that greps
through the *.c?? it is passed with your regexp, logging the matches and
then calling the real binary. But then maybe I just don't have a clue
how to do it better.
It'll still have false positives from the regexp itself, but you'll
exclude code that isn't used.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/

Arthur de Jong
Dec 30, 2008, 4:20:08 AM

On Sun, 2008-12-28 at 12:02 -0600, Steve Langasek wrote:
> I don't know whether these are also a problem in practice - but if so,
> using sprintf(buf + strlen(buf) [...]) is definitely wrong.

I don't know if any of my code uses such a construct but why is that
wrong as long as [...] doesn't contain buf? (assuming proper bound
checks are done and other parameters are sane)

Thanks.

--
-- arthur - ade...@debian.org - http://people.debian.org/~adejong --


Steve Langasek
Dec 30, 2008, 11:50:09 AM

On Tue, Dec 30, 2008 at 10:06:41AM +0100, Arthur de Jong wrote:
> On Sun, 2008-12-28 at 12:02 -0600, Steve Langasek wrote:
> > I don't know whether these are also a problem in practice - but if so,
> > using sprintf(buf + strlen(buf) [...]) is definitely wrong.

> I don't know if any of my code uses such a construct but why is that
> wrong as long as [...] doesn't contain buf?

That's not the context of this discussion; we were talking about buggy code
that *did* use buf as one of the args to the format string.

Arthur de Jong
Dec 30, 2008, 2:10:09 PM

On Tue, 2008-12-30 at 10:41 -0600, Steve Langasek wrote:
> On Tue, Dec 30, 2008 at 10:06:41AM +0100, Arthur de Jong wrote:
> > On Sun, 2008-12-28 at 12:02 -0600, Steve Langasek wrote:
> > > I don't know whether these are also a problem in practice - but if so,
> > > using sprintf(buf + strlen(buf) [...]) is definitely wrong.
>
> > I don't know if any of my code uses such a construct but why is that
> > wrong as long as [...] doesn't contain buf?
>
> That's not the context of this discussion; we were talking about buggy code
> that *did* use buf as one of the args to the format string.

Ok, I misunderstood. Thanks.

In that case there can be a great number of situations in which the
buffer may be filled with its own content (e.g. pass the same array as
two arguments to a function and use the above construct in that
function, assignments to temporary variables, etc., etc.). Very hard to
check for.

Perhaps this would be a good test for tools such as splint, rats or
flawfinder (none of them currently warn about this problem and neither
do any gcc flags that I commonly use). Those kinds of tools already do
quite some analysis of source code, so perhaps it isn't too difficult to
implement it there.

I've just performed a test with the following code on my system (sid,
hardening-wrapper not installed, compiled with gcc without any extra
flags):

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buf[20];
    strcpy(buf,"FOO");
    /* buf is both the destination and a %s argument: undefined under C99 */
    snprintf(buf,sizeof(buf),"%s%s",buf,"BAR");
    printf("%s\n",buf);
    strcpy(buf,"BAR");
    snprintf(buf,sizeof(buf),"%s%s","FOO",buf);
    printf("%s\n",buf);
    return 0;
}

which returned

BAR
FOOFOO

so in any case the behaviour is not as could be naively expected
(FOOBAR).


Reinhard Tartler
Dec 31, 2008, 3:40:04 AM

Evgeni Golov <sarg...@die-welt.net> writes:

> On Sun, 28 Dec 2008 09:53:40 +0100 Adeodato Simó wrote:
>
>> Evgeni Golov <sarg...@die-welt.net>
>> desmume (U)
>
> Forwarded upstream, they'll fix that asap.

thanks for taking care of this!

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Kees Cook
Dec 31, 2008, 12:40:05 PM

On Tue, Dec 30, 2008 at 08:03:13PM +0100, Arthur de Jong wrote:
> I've just performed a test with the following code on my system (sid,
> hardening-wrapper not installed, compiled with gcc without any extra
> flags):
>
> char buf[20];
> strcpy(buf,"FOO");
> snprintf(buf,sizeof(buf),"%s%s",buf,"BAR");
> printf("%s\n",buf);
> strcpy(buf,"BAR");
> snprintf(buf,sizeof(buf),"%s%s","FOO",buf);
> printf("%s\n",buf);
>
> which returned
>
> BAR
> FOOFOO

Changing your code to "sprintf" (since snprintf unfortunately tends to be
in the minority still), the output for the first changes to "FOOBAR".

--
Kees Cook @debian.org
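The snprintf(buf + strlen(buf), buflen - strlen(buf), ...) rewrite discussed earlier in the thread, packaged as a helper with the guards the one-line rewrite lacks (a buffer with no terminator, and a result that does not fit). This is an added example, not code from any poster; append_fmt and demo are names chosen here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread: the snprintf(buf + strlen(buf),
 * buflen - strlen(buf), ...) rewrite as a helper, with the guards the
 * one-line rewrite lacks. buf is never passed as its own %s argument.
 * Returns 0 on success; -1 if buf has no terminator within buflen or the
 * output did not fit (buf is then left unchanged). */
int append_fmt(char *buf, size_t buflen, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', buflen);
    if (end == NULL)
        return -1;                      /* no NUL: strlen(buf) would overrun */
    size_t used = (size_t)(end - buf);

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, buflen - used, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= buflen - used) {
        buf[used] = '\0';               /* drop the partial write */
        return -1;
    }
    return 0;
}

/* Builds "FOO" then appends "BAR", the result Arthur's test expected.
 * Returns 1 if out reads "FOOBAR", 0 if the buffer was too small. */
int demo(char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (append_fmt(out, outlen, "%s", "FOO") != 0)
        return 0;
    if (append_fmt(out, outlen, "%s", "BAR") != 0)
        return 0;
    return strcmp(out, "FOOBAR") == 0;
}

int main(void)
{
    char buf[20], small[5];
    printf("%d %s\n", demo(buf, sizeof buf), buf);       /* 1 FOOBAR */
    printf("%d %s\n", demo(small, sizeof small), small); /* 0 FOO */
    return 0;
}
```

Unlike the bare rewrite, the helper gives the same result with and without -D_FORTIFY_SOURCE=2, since buf no longer appears among the format arguments.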

Aurelien Jarno
Dec 31, 2008, 1:40:12 PM

On Sun, Dec 28, 2008 at 09:53:40AM +0100, Adeodato Simó wrote:
> > Attached is a list of affected packages,
>
> Piping through dd-list(1) gives:
> Aurelien Jarno <aur...@debian.org>
> med-fichier
> sdlperl (U)
>

sdlperl is fixed in both unstable and experimental.

--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' aur...@debian.org | aure...@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net

Nicholas Breen
Dec 31, 2008, 11:30:15 PM

On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> Hi,
>
> I'd like to seek advice before I perform a mass-bug filing for this
> unstable (though semi-common) use of "sprintf" and "snprintf":
[...]
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'

While fixing one of the affected packages, I discovered that it was
using similarly problematic syntax to act as a strcat replacement of the
form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch. I
can't imagine that's a common mistake, but it's easy enough to match on
as well:

pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'

> gabedit
> gromacs
> openbabel

All pending upload, thanks.


--
Nicholas Breen
nbr...@ofb.net

Kees Cook
Jan 1, 2009, 2:00:11 PM

On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
> While fixing one of the affected packages, I discovered that it was
> using similarly problematic syntax to act as a strcat replacement of the
> form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch. I
> can't imagine that's a common mistake, but it's easy enough to match on
> as well:
>
> pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'

Oh! Good catch, thank you. I've started a re-run with the regex changed.
So far, it's already caught new stuff. I'll post updated details once it
has finished.

--
Kees Cook @debian.org

Paul Wise
Jan 1, 2009, 9:20:06 PM

On Fri, Jan 2, 2009 at 3:50 AM, Kees Cook <ke...@outflux.net> wrote:

> Oh! Good catch, thank you. I've started a re-run with the regex changed.
> So far, it's already caught new stuff. I'll post updated details once it
> has finished.

Could this test be added to lintian?

--
bye,
pabs

http://wiki.debian.org/PaulWise

Russ Allbery
Jan 1, 2009, 10:10:08 PM

"Paul Wise" <pa...@debian.org> writes:
> On Fri, Jan 2, 2009 at 3:50 AM, Kees Cook <ke...@outflux.net> wrote:

>> Oh! Good catch, thank you. I've started a re-run with the regex
>> changed. So far, it's already caught new stuff. I'll post updated
>> details once it has finished.

> Could this test be added to lintian?

The thread so far seems to indicate the false positive rate isn't great.
People usually find Lintian checks with a lot of false positives rather
annoying. It can be worth it if the problem is sufficiently severe, but
it always makes me nervous to add.

We could possibly add an experimental tag, though, to get an idea of what
the false positive rate looks like. We're trying that with a few other
ones at the moment.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

George Danchev
Jan 2, 2009, 2:50:09 AM

On Friday 02 January 2009 05:04:08 Russ Allbery wrote:
> "Paul Wise" <pa...@debian.org> writes:
> > On Fri, Jan 2, 2009 at 3:50 AM, Kees Cook <ke...@outflux.net> wrote:
> >> Oh! Good catch, thank you. I've started a re-run with the regex
> >> changed. So far, it's already caught new stuff. I'll post updated
> >> details once it has finished.
> >
> > Could this test be added to lintian?
>
> The thread so far seems to indicate the false positive rate isn't great.
> People usually find Lintian checks with a lot of false positives rather
> annoying. It can be worth it if the problem is sufficiently severe, but
> it always makes me nervous to add.

FYI: such a check will be added to cppcheck too.

--
pub 4096R/0E4BD0AB 2003-03-18 <people.fccf.net/danchev/key pgp.mit.edu>

Julien Cristau
Jan 3, 2009, 9:00:15 AM

On Sun, Dec 28, 2008 at 09:53:40 +0100, Adeodato Simó wrote:

> Debian X Strike Force <debi...@lists.debian.org>
> libx11
>
Fixed upstream and in experimental.
(http://bugs.freedesktop.org/show_bug.cgi?id=14898)

Cheers,
Julien

Kees Cook
Jan 3, 2009, 3:30:16 PM

On Thu, Jan 01, 2009 at 10:50:49AM -0800, Kees Cook wrote:
> On Wed, Dec 31, 2008 at 07:01:44PM -0800, Nicholas Breen wrote:
> > While fixing one of the affected packages, I discovered that it was
> > using similarly problematic syntax to act as a strcat replacement of the
> > form 'sprintf(buf, "%s\n", buf)', which that regexp didn't catch. I
> > can't imagine that's a common mistake, but it's easy enough to match on
> > as well:
> >
> > pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*[,)]'
>
> Oh! Good catch, thank you. I've started a re-run with the regex changed.
> So far, it's already caught new stuff. I'll post updated details once it
> has finished.

Attached is the updated list, which includes 57 new hits, and adds
additional lines of affected code to gabedit, blender, desmume, and
gpe-conf. I have a dump of the diff between the logs here[1]. The old
logs have been moved to the "2008-12" subdirectory[2].

The "handled" list is here[3] and should reflect all the replies to
this thread so far (if I missed something, please let me know and I'll
get it fixed). The current list of affected Debian packages is here[4],
attached, and also with the dd-list output.

At what point should I convert this list into an actual mass-bug-filing?

Thanks!

-Kees

[1] http://people.ubuntu.com/~kees/sprintf-glibc/changed.diff
[2] http://people.ubuntu.com/~kees/sprintf-glibc/2008-12/
[3] http://people.ubuntu.com/~kees/sprintf-glibc/data/handled.pkgs
[4] http://people.ubuntu.com/~kees/sprintf-glibc/debian

--
Kees Cook @debian.org

debian
sprintf_dd-list.txt

gregor herrmann
Jan 4, 2009, 11:20:04 PM

On Sat, 03 Jan 2009 12:27:46 -0800, Kees Cook wrote:

> Attached is the updated list,

libpar-packer-perl:
Ryan Niebur has kindly provided a patch, and I've built, tested and
uploaded 0.982-2 with the patch included.

Cheers,
gregor
--
.''`. Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
: :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
`. `' Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
`- NP: Joint Venture: Deine Frau


Michael Tautschnig
Jan 6, 2009, 4:10:10 AM

[...]
> Michael Tautschnig <m...@debian.org>
> binutils-h8300-hms
>
[...]

Fixed in unstable.

Best,
Michael

Joost Yervante Damad
Jan 6, 2009, 9:10:08 AM


> Joost Yervante Damad <and...@debian.org>
> timidity

Fixed locally, but quite intrusive, will need some more time; also will be
combined with other fixes.

Joost

Aaron M. Ucko
Jan 6, 2009, 4:10:15 PM

Kees Cook <ke...@debian.org> writes:

> Aaron M. Ucko <uc...@debian.org>
> ncbi-tools6

Not any more; I uploaded a fixed version (6.1.20080302-4) more than a
week ago, and it's even propagated to lenny because the release team
honored my request to unblock it. (Thanks!) I just hadn't previously
bothered replying to the thread, even privately.

--
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?a...@monk.mit.edu
