diff -Nru libguac-0.6.0/debian/changelog libguac-0.6.0/debian/changelog
--- libguac-0.6.0/debian/changelog 2012-06-01 20:52:13.000000000 +0000
+++ libguac-0.6.0/debian/changelog 2012-09-11 18:30:15.000000000 +0000
@@ -1,3 +1,11 @@
+libguac (0.6.0-2) unstable; urgency=high
+
+ * CVE-2012-4415: Buffer overflow in guac_client_plugin_open
+ - debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch,
+ thanks to Timo Juhani Lindfors for discovering the flaw
+
+ -- Michael Jumper Sun, 26 Aug 2012 18:47:52 -0700
+
 libguac (0.6.0-1) unstable; urgency=low
 
 * Merged latest changes from 0.6.0
diff -Nru libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
--- libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch 2012-09-11 18:28:19.000000000 +0000
@@ -0,0 +1,82 @@
+From 7dcefa744b4a38825619c00ae8b47e5bae6e38c0 Mon Sep 17 00:00:00 2001
+From: Michael Jumper
+Date: Thu, 23 Aug 2012 11:50:06 -0700
+Subject: [PATCH] Define library prefix/suffix with macros, explicitly define and enforce limit on protocol name length, and overall library name length.
+
+---
+ include/client.h | 32 ++++++++++++++++++++++++++++++++
+ src/client.c | 9 +++++----
+ 2 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/include/client.h b/include/client.h
+index 57852c5..1ceafe9 100644
+--- a/include/client.h
++++ b/include/client.h
+@@ -50,6 +50,38 @@
+ * @file client.h
+ */
+ 
++/**
++ * String prefix which begins the library filename of all client plugins.
++ */
++#define GUAC_PROTOCOL_LIBRARY_PREFIX "libguac-client-"
++
++/**
++ * String suffix which ends the library filename of all client plugins.
++ */
++#define GUAC_PROTOCOL_LIBRARY_SUFFIX ".so"
++
++/**
++ * The maximum number of characters (COUNTING NULL TERMINATOR) to allow
++ * for protocol names within the library filename of client plugins.
++ */
++#define GUAC_PROTOCOL_NAME_LIMIT 256
++
++/**
++ * The maximum number of characters (INCLUDING NULL TERMINATOR) that a
++ * character array containing the concatenation of the library prefix,
++ * protocol name, and suffix can contain, assuming the protocol name is
++ * limited to GUAC_PROTOCOL_NAME_LIMIT characters.
++ */
++#define GUAC_PROTOCOL_LIBRARY_LIMIT ( \
++ \
++ sizeof(GUAC_PROTOCOL_LIBRARY_PREFIX) - 1 /* "libguac-client-" */ \
++ + GUAC_PROTOCOL_NAME_LIMIT - 1 /* [up to 256 chars] */ \
++ + sizeof(GUAC_PROTOCOL_LIBRARY_SUFFIX) - 1 /* ".so" */ \
++ + 1 /* NULL terminator */ \
++ \
++)
++
++
+ typedef struct guac_client guac_client;
+ typedef struct guac_client_plugin guac_client_plugin;
+ 
+diff --git a/src/client.c b/src/client.c
+index 759c4f3..90491b5 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -164,16 +164,17 @@ guac_client_plugin* guac_client_plugin_open(const char* protocol) {
+ const char** client_args;
+ 
+ /* Pluggable client */
+- char protocol_lib[256] = "libguac-client-";
+-
++ char protocol_lib[GUAC_PROTOCOL_LIBRARY_LIMIT] =
++ GUAC_PROTOCOL_LIBRARY_PREFIX;
++
+ union {
+ guac_client_init_handler* client_init;
+ void* obj;
+ } alias;
+ 
+ /* Add protocol and .so suffix to protocol_lib */
+- strcat(protocol_lib, protocol);
+- strcat(protocol_lib, ".so");
++ strncat(protocol_lib, protocol, GUAC_PROTOCOL_NAME_LIMIT-1);
++ strcat(protocol_lib, GUAC_PROTOCOL_LIBRARY_SUFFIX);
+ 
+ /* Load client plugin */
+ client_plugin_handle = dlopen(protocol_lib, RTLD_LAZY);
+--
+1.7.2.5
+
diff -Nru libguac-0.6.0/debian/patches/series libguac-0.6.0/debian/patches/series
--- libguac-0.6.0/debian/patches/series 2012-05-31 06:47:45.000000000 +0000
+++ libguac-0.6.0/debian/patches/series 2012-09-11 18:28:19.000000000 +0000
@@ -1 +1,2 @@
 0001-remove-requirement-for-m4-dir.patch
+0002-guac_client_plugin_open-buffer-overflow.patch
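Review bot: `strncat(protocol_lib, protocol, GUAC_PROTOCOL_NAME_LIMIT-1)` in the src/client.c hunk silently truncates a protocol name of 256 or more characters instead of rejecting it, so the overflow is closed but an over-long name is quietly mapped onto a different library filename and still handed to dlopen. An explicit check before the concatenation, such as `if (strlen(protocol) >= GUAC_PROTOCOL_NAME_LIMIT) return NULL;` (or whatever value the function's existing failure path returns — guac_client_plugin_open starts at line 164 and continues past the hunk, so that path is not visible here), turns the limit into an enforced precondition rather than an implicit truncation. The buffer arithmetic itself checks out: GUAC_PROTOCOL_LIBRARY_LIMIT reserves the prefix, 255 name characters, the suffix and the terminator, and the strncat bound is a count of characters appended rather than the buffer size, so the strncat/strcat pair cannot exceed it. Because the name ends up as a dlopen filename component, a comment recording who is responsible for validating the protocol string (or a character whitelist at this point) would also be worth adding, assuming the value can originate from the client as the CVE entry implies.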