I have confirmed that the recently-reported vulnerability in Elm is also
present in Elm-ME+ and thus also in Debian GNU/Linux version 1.2, prerelease
version 1.3, and development tree "unstable".
Below is a short diff to correct the problem.
Debian GNU/Linux 1.2.x uses stock Elm 2.4pl25. Users of that version of Elm
should upgrade to Elm-ME+ as detailed below.
Debian 1.3 (currently in prerelease) will come with Elm-ME+. You should
upgrade to the latest Elm-ME+.
You can download the binary package immediately from:
ftp://happy.cs.twsu.edu/pub/Debian/binaries/elm-me+_2.4pl25ME+31-5_i386.deb
Updated source packages and diffs are under /pub/Debian/sources on the same
server.
I have released the updated package to Debian's master server, and should
show up in distributions shortly.
John Goerzen
--- elm-me+-2.4pl25ME+31.orig/src/curses.c
+++ elm-me+-2.4pl25ME+31/src/curses.c
@@ -131,7 +131,7 @@
if ((termenv = getenv("TERM")) == NULL) return(-1);
- if (strcpy(termname, termenv) == NULL)
+ if (strncpy(termname, termenv, sizeof(termname)) == NULL)
return(-1);
if ((err = tgetent(_terminal, termname)) != 1)