The `imake-tmpdir.patch' patch that is included in the following patch tarballs creates a fixed-sized buffer, but does not check the size of data it copies there. If `$TMPDIR' is longer than 242 bytes, imake will write past the end of `aout[255]'. XFree86-4.2.1-patches-1.2.tar.bz2 XFree86-4.2.99.4-patches-1.1.tar.bz2 102_all_4.2.0-imake-tmpdir.patch.bz2 XFree86-4.3.0-patches-1.1.3.tar.bz2 XFree86-4.3.0-patches-1.1.7.tar.bz2 092_all_4.2.0-imake-tmpdir.patch XFree86-4.3.0-patches-2.1.6.tar.bz2 XFree86-4.3.0-patches-2.1.10.tar.bz2 0128_all_4.2.0-imake-tmpdir.patch XFree86-4.3.0-patches-2.1.11.tar.bz2 0128_all_4.2.0-imake-tmpdir.patch There is no such patch in `XFree86-4.3.99.11-patches-0.8.tar.bz2' (but see bug #28482)
Created attachment 17595 [details] imake-test.sh test case
Created attachment 17596 [details, diff] imake-tmpdir.patch improved `imake-tmpdir.patch', with some extra checks added
Thanks much...added to 4.3.99.12 and 4.3.0-r{2,3}.
