I have confirmed that the recently-reported vulnerability in Elm is also
present in Elm-ME+ and thus also in Debian GNU/Linux version 1.2, prerelease
version 1.3, and development tree "unstable".
Below is a short diff to correct the problem.
Debian GNU/Linux 1.2.x uses stock Elm 2.4pl25.  Users of that version of Elm
should upgrade to Elm-ME+ as detailed below.
Debian 1.3 (currently in prerelease) will come with Elm-ME+.  You should
upgrade to the latest Elm-ME+.
You can download the binary package immediately from:
ftp://happy.cs.twsu.edu/pub/Debian/binaries/elm-me+_2.4pl25ME+31-5_i386.deb
Updated source packages and diffs are under /pub/Debian/sources on the same
server.
I have released the updated package to Debian's master server, and it should
show up in distributions shortly.
John Goerzen
--- elm-me+-2.4pl25ME+31.orig/src/curses.c
+++ elm-me+-2.4pl25ME+31/src/curses.c
@@ -131,7 +131,7 @@
        if ((termenv = getenv("TERM")) == NULL) return(-1);
-       if (strcpy(termname, termenv) == NULL)
+       if (strncpy(termname, termenv, sizeof(termname)) == NULL)
                return(-1);
        if ((err = tgetent(_terminal, termname)) != 1)
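Review bot: the strncpy call on the + line does not guarantee that termname is NUL-terminated. When TERM is sizeof(termname) bytes or longer, strncpy fills the buffer without writing a terminator, and the following line passes termname to tgetent, which can then read past the end of the buffer. Either copy sizeof(termname) - 1 bytes and set termname[sizeof(termname) - 1] = '\0' afterwards, or reject an over-long TERM with return(-1) before copying, which also avoids looking up a silently truncated terminal name. The == NULL comparison carried over from the old line can never be true, because strncpy (like strcpy) returns its destination pointer, so the return(-1) under it is dead code; that branch would be better used for the length check. Also, sizeof(termname) is the buffer size only if termname is declared as an array in this scope. The declaration is outside the hunk, so it is worth confirming it is not a pointer.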