Subject: pkg/35451: devel/cscope is broken (Includes fix)
To: None <,,>
From: None <>
List: pkgsrc-bugs
Date: 01/20/2007 21:35:00
>Number:         35451
>Category:       pkg
>Synopsis:       devel/cscope is broken (Includes fix)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 20 21:35:00 +0000 2007
>Release:        NetBSD 4.99.5
System: NetBSD 4.99.5 NetBSD 4.99.5 (ATLAS) #0: Sat Dec 2 22:16:36 CET 2006 i386
Architecture: i386
Machine: i386
  cscope-15.6 is broken, to the point of being completely useless. A simple
  helloworld.c brings it to its knees, causing it to dump core unless cscope
  is called with the -k argument (causing it to skip /usr/include in its
  search path for header files).

  The cause is a security fix backfiring: someone replaced instances of
  sprintf with snprintf, but goofed up in this case: The *arguments* match
  snprintf, but the call still reads sprintf. See Fix.
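  As an added example (not cscope's code and not part of this report), here is
  the corrected call as the patch leaves it, wrapped in a hypothetical
  join_path() helper that also checks snprintf's return value so a truncated
  path is noticed instead of used; the buffer and paths are constructed inputs.

```c
/* Added example, not cscope's own code: the corrected snprintf call from the
 * report's patch, wrapped in a hypothetical helper so the truncation case can
 * be checked.  Buffer sizes and paths below are constructed inputs. */
#include <stdio.h>
#include <string.h>

/*
 * Build "<first dirlen bytes of dir>/<name>" into dst, which holds dstlen
 * bytes.  snprintf never writes past dstlen and NUL-terminates (dstlen > 0);
 * its return value is the length the full result needs, so a value >= dstlen
 * means the path was cut short.
 *
 * The line the report fixes had these exact arguments but called sprintf:
 * there sizeof(path) lands in the format-string slot and is dereferenced as
 * a pointer, which is why cscope dumped core on a trivial input.
 */
static int join_path(char *dst, size_t dstlen, const char *dir, int dirlen,
                     const char *name)
{
    return snprintf(dst, dstlen, "%.*s/%s", dirlen, dir, name);
}

/* Returns 1 if the joined path fit in dst without truncation, else 0. */
static int join_path_ok(char *dst, size_t dstlen, const char *dir, int dirlen,
                        const char *name)
{
    int need = join_path(dst, dstlen, dir, dirlen, name);
    return need >= 0 && (size_t)need < dstlen;
}

/* Scratch buffer for the stand-alone demo; the size limit is passed in. */
static char g_path[64];

int main(void)
{
    /* dirlen shorter than strlen(dir): %.*s takes only the 12-byte prefix,
     * and a 16-byte limit is too small for "/usr/include/stdio.h" (20). */
    if (join_path_ok(g_path, 16, "/usr/include/sys", 12, "stdio.h"))
        printf("ok: %s\n", g_path);
    else
        printf("truncated: %s\n", g_path);
    return 0;
}
```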

  I wonder how this managed to slip through. As it's trivially easy to trigger
  this bug, I can't imagine that this has been getting a lot of testing - if
  any at all.

  cd /tmp
  echo '#include <stdio.h>' > helloworld.c
  echo 'int main(void) { printf ("Hello world!\n"); return 0; }' >> helloworld.c
  cscope -b

  Apply the following patch in /usr/pkgsrc/devel/cscope:

Index: distinfo
RCS file: /cvsroot/pkgsrc/devel/cscope/distinfo,v
retrieving revision 1.16
diff -r1.16 distinfo
< SHA1 (patch-ah) = 90c3caf336edde19b56b751bac528cf48e0b2e60
> SHA1 (patch-ah) = a79523d1a7d685eab31f06085547f91a2fbb01ff
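Review bot: the new SHA1 on this line has to match patches/patch-ah byte for byte after the second hunk is applied, and that cannot be confirmed from the visible lines alone; rather than hand-editing distinfo, regenerate the checksum with `make makepatchsum` in devel/cscope once patch-ah is edited, otherwise the build will stop at the patch checksum stage with a distinfo mismatch.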
Index: patches/patch-ah
RCS file: /cvsroot/pkgsrc/devel/cscope/patches/patch-ah,v
retrieving revision 1.6
diff -r1.6 patch-ah
< +	    sprintf(path, sizeof(path), "%.*s/%s",
> +	    snprintf(path, sizeof(path), "%.*s/%s",
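Review bot: the one-word change is the right fix and explains the crash described above: in the original `sprintf(path, sizeof(path), "%.*s/%s",` the `sizeof(path)` value sits in sprintf's format-string parameter, so a small integer is dereferenced as a `const char *` and the process dumps core as soon as this code path runs (which the -k flag avoids by skipping /usr/include). With the call renamed to `snprintf` the argument list matches the prototype and the write is bounded by the buffer size. Two things worth checking at the call site, which this hunk does not show: that `path` is an array rather than a pointer (otherwise `sizeof(path)` silently bounds the write to the pointer size), and that the return value is compared against `sizeof(path)` so a truncated path is not used as if it were complete. A `-Wformat`-style warning would have flagged the old line, so building the package with compiler warnings visible is a cheap regression check for the other sprintf-to-snprintf conversions in patch-ah.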