Bug#497441: Broken security patch for WordNet

Andreas Tille tillea at rki.de
Fri Sep 5 13:30:07 UTC 2008


in http://bugs.debian.org/497441 a patch is provided that should fix
several security problems.  When investigating into the problem that
WordNet stopped working as usual when looking for synonym sets like
for instance

    $ wordnet test -synsn

which should not only print

    6 senses of test

but also the six senses with explanation I found the critical part
in the provided patch.  I extracted it to


and I would like you to pronounce your opinion to my comment in the
header which says:

   This part of the patch is completely broken, breaks funktionality of
      wordnet test -synsn
   and I really wonder in how far a "strcpy(bufstart, tmpbuf);" is a
   security fix compared to "strncpy(bufstart, tmpbuf, strlen(tmpbuf));"
   Who did this patch????

I have no idea who did this patch and how to reach this person, but besides
breaking the functionality of the program IMHO this is a terrible thing
security wise.  I would really like to get this patch revised for further
problems like this.

What would be the best strategy to fix the packages in Debian?
I could upload packages to unstable without this part of the
patch - it's just in SVN.  But I have serious doubt about the
remaining parts.

Kind regards



More information about the debian-science-maintainers mailing list