[Secure-testing-team] [Secure-testing-commits] r7571 - data/CVE

[Florian Weimer]

* Nico Golde:

> Thanks very much for finding that. I did not see it when 
> checking the xemacs code because the code is located 
> somewhere else and the code itself is also different. This 
> also means that we have to write our own patch or do you 
> have one?

Sorry, I haven't.  The easiest route would probably replace the sprintf
calls with snprintf, and erroring out when the buffer is not large
enough.

> How did you spot that?

On a hunch, I tried to trigger the bug on XEmacs.  Perhaps I
misremembered the reproducer, but it eventually crashed.