Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Takehiko NOZAKI <th-nozaki@netwrk.co.jp>
List: netbsd-bugs
Date: 07/19/2006 13:50:03
The following reply was made to PR bin/34030; it has been noted by GNATS.

From: Takehiko NOZAKI <th-nozaki@netwrk.co.jp>
To: gnats-bugs@NetBSD.org
Cc: christos@netbsd.org
Subject: Re: PR/34030 CVS commit: src/gnu/dist/xcvs/src
Date: Wed, 19 Jul 2006 22:47:11 +0900

 hi,
 
 > The following reply was made to PR bin/34030; it has been noted by GNATS.
 > 
 > From: Christos Zoulas <christos@netbsd.org>
 > To: gnats-bugs@NetBSD.org
 > Cc: 
 > Subject: PR/34030 CVS commit: src/gnu/dist/xcvs/src
 > Date: Tue, 18 Jul 2006 16:27:19 +0000 (UTC)
 > 
 >  Module Name:	src
 >  Committed By:	christos
 >  Date:		Tue Jul 18 16:27:19 UTC 2006
 >  
 >  Modified Files:
 >  	src/gnu/dist/xcvs/src: client.c
 >  
 >  Log Message:
 >  PR/34030: Takehiko NOZAKI: double-free bugs in CVS 1.11.22
 >  Don't free/trash the password if we did not allocate it using scramble().
 >  
 >  
 >  To generate a diff of this commit:
 >  cvs rdiff -r1.7 -r1.8 src/gnu/dist/xcvs/src/client.c
 >  
 >  Please note that diffs are not public domain; they are subject to the
 >  copyright notices on the relevant files.
 >  
 > 
 
 Thanks for your fix,
 but I think it's insufficient for ``paranoia'' :-).
 cvs_password should be filled with zero.
 
 
 Index: gnu/dist/xcvs/src/login.c
 ===================================================================
 RCS file: /cvsroot/src/gnu/dist/xcvs/src/login.c,v
 retrieving revision 1.2
 diff -u -r1.2 login.c
 --- gnu/dist/xcvs/src/login.c	4 May 2006 15:39:34 -0000	1.2
 +++ gnu/dist/xcvs/src/login.c	19 Jul 2006 13:37:33 -0000
 @@ -569,6 +569,7 @@
      memset (typed_password, 0, strlen (typed_password));
      free (typed_password);
  
 +    memset (cvs_password, 0, strlen (cvs_password));
      free (cvs_password);
      free (cvsroot_canonical);
      cvs_password = NULL;
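
Review bot: the added memset (cvs_password, 0, strlen (cvs_password)) is followed directly by free (cvs_password), so it is a dead store that an optimizing compiler is allowed to drop, leaving the password in freed heap memory; the typed_password wipe in the context lines above has the same shape. Consider a wipe the compiler cannot elide, for example one that writes through a volatile pointer, and use it for both buffers. Also, strlen (cvs_password) dereferences the pointer, whereas free () alone would accept NULL, and nothing in the visible context shows cvs_password is non-NULL at this point, so add a guard or a comment saying why it cannot be NULL. Note too that strlen only covers the bytes up to the first NUL, not the whole allocation.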
 
 
 very truly yours.
 --
 Takehiko NOZAKI <tnozaki@NetBSD.org>
 