Vendor-Sec reports: several problems have been fixed between version 4.5.55 and 4.6.0 of mc. Andrew V. Samoilov picked out several for which the corrections are attached. It's not unlikely that there are more problems but we'll probably fix these and then see whether more problems pop up in the future.

* Upstream CVS revision in angle brackets
* Corrected format string problems [src/utilunix.c<1.38>, vfs/fish.c<1.96>, CAN-2004-1004]
* Corrected buffer overflows [src/wtools.c<1.28>, src/utilunix.c<1.76>, src/boxes.c<1.54>, src/charsets.c<1.16>, CAN-2004-1005]
* Applied upstream patch by Andrew V. Samoilov to prevent a buffer overflow [src/key.c<1.29>, CAN-2004-1005, http://bugzilla.gnome.org/show_bug.cgi?id=60932]
* Corrected an infinite loop [gtkedit/syntax.c, CAN-2004-1009]
* Applied upstream patch by Andrew V. Samoilov <sav@bcs.zp.ua> to fix crash caused by a corrupted section header [src/profile.c<1.9>, CAN-2004-1090]
* Applied upstream patch by Pavel Roskin <proski@gnu.org> to fix potential crash by null dereference when panelising an arbitrary directory [src/find.c<1.60>, CAN-2004-1091]
* Check for return code when a temporary file is requested in case this fails, prevents freeing unallocated memory [gtkedit/editcmd.c, CAN-2004-1092]
* Prevent crash by using already freed memory [src/key.c<1.32>, CAN-2004-1093]

We're at 4.6.0 level since August 2002... so I suppose we're safe?

Closing, I must need more caffeine :-)