Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Takehiko NOZAKI <th-nozaki@netwrk.co.jp>
List: netbsd-bugs
Date: 07/19/2006 13:50:03
The following reply was made to PR bin/34030; it has been noted by GNATS.
From: Takehiko NOZAKI <th-nozaki@netwrk.co.jp>
To: gnats-bugs@NetBSD.org
Cc: christos@netbsd.org
Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
Date: Wed, 19 Jul 2006 22:47:11 +0900
hi,
> The following reply was made to PR bin/34030; it has been noted by GNATS.
>
> From: Christos Zoulas <christos@netbsd.org>
> To: gnats-bugs@NetBSD.org
> Cc:
> Subject: PR/34030 CVS commit: src/gnu/dist/xcvs/src
> Date: Tue, 18 Jul 2006 16:27:19 +0000 (UTC)
>
> Module Name: src
> Committed By: christos
> Date: Tue Jul 18 16:27:19 UTC 2006
>
> Modified Files:
> src/gnu/dist/xcvs/src: client.c
>
> Log Message:
> PR/34030: Takehiko NOZAKI: double-free bugs in CVS 1.11.22
> Don't free/trash the password if we did not allocate it using scramble().
>
>
> To generate a diff of this commit:
> cvs rdiff -r1.7 -r1.8 src/gnu/dist/xcvs/src/client.c
>
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
>
>
thanks for your fix.
but i think it's insufficient for ``paranoia'' :-).
cvs_password should be filled with zero.
Index: gnu/dist/xcvs/src/login.c
===================================================================
RCS file: /cvsroot/src/gnu/dist/xcvs/src/login.c,v
retrieving revision 1.2
diff -u -r1.2 login.c
--- gnu/dist/xcvs/src/login.c 4 May 2006 15:39:34 -0000 1.2
+++ gnu/dist/xcvs/src/login.c 19 Jul 2006 13:37:33 -0000
@@ -569,6 +569,7 @@
memset (typed_password, 0, strlen (typed_password));
free (typed_password);
+ memset (cvs_password, 0, strlen (cvs_password));
free (cvs_password);
free (cvsroot_canonical);
cvs_password = NULL;
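Review bot: The added `memset (cvs_password, 0, strlen (cvs_password));` sits directly before `free (cvs_password);`, so it is a dead store that an optimizing compiler is allowed to drop; the same holds for the existing `typed_password` wipe in the context line above it. Use a wipe the compiler cannot elide for both, for example explicit_memset(3) or C11 memset_s where the platform provides one, or a call through a volatile function pointer. Two smaller points: strlen() clears only up to the first NUL rather than the whole allocation, so pass the allocated size if it is known here, and nothing visible in this hunk guarantees cvs_password is non-NULL when it reaches strlen(), so confirm that or add a guard.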
very truly yours.
--
Takehiko NOZAKI <tnozaki@NetBSD.org>