I demand that Udo Richter may or may not have written...

> C.Y.M wrote:
>> - setMax(minsize[colorid].y2, yp + len - 1);
>> + setMax(minsize[colorid].y2, yp);
> This looks like a minor performance bug fix, as the written area is a
> horizontal line, not a box.
>
> +static bool OsdMatchesArea(cOsd *osd, tArea &area)
> This (plus the remainder of the patch) re-allocates the osd if the new area
> doesn't fit into the old osd. This may be a bug, if this actually occurs.
> As far as I understand it, the dvbspu.c translates subpictures to osd
> bitmaps, though I don't really know who actually uses this. Maybe DVD
> plugin?

Not sure, but it's one of Reinhard Nissl's patches.

> The second patch is a security patch, described here:
> http://www.debian.org/security/2005/dsa-656
>> - FILE *f = fopen(FileName, "wb");
>> + int fd = open(FileName, O_CREAT | O_EXCL | O_TRUNC | O_RDWR, 00640);
>> + if (fd > -1) {
>> + FILE *f = fdopen(fd, "wb");
> This seems to force creating a new GRAB file with (00640 & ~umask) access
> rights, while fopen always uses (00666 & ~umask). Additionally, this
> version fails if the GRAB file already exists. (vdradmin-am won't work with
> this, as the file is pre-allocated by vdradmin-am. ;) )
> I don't agree with this fix,

</AOL>.

> because (1) insecure SVDRP access is IMHO a security hole in any case,

True. (Klaus?)

> (2) if VDR runs properly as restricted user, there shouldn't be any
> critical files with write access,

True, *but* it's still possible to overwrite files which are, quite
properly, owned by vdr.

> and (3) though the patched version cannot overwrite existing files, it
> still can create new files anywhere, and that's IMHO not much better.

Agreed again. My VDR builds have used a similar patch (attached) which
restricts where these files can be written for some time now; vdradmin
shouldn't have a problem with it.

vdr-xine users will find a commented-out O_EXCL in xineLib.c - you should
uncomment this and replace it with O_NOFOLLOW.
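Review bot: the new bound `setMax(minsize[colorid].y2, yp)` is only equivalent to the old `yp + len - 1` if the run being recorded is a single row at `yp`; the two quoted lines give no context that shows this, so the patch description should state it (the remark above that the written area is a horizontal line rather than a box is exactly the justification to record).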
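Review bot: the quoted lines open `fd` and then call `FILE *f = fdopen(fd, "wb");` without showing what happens when `fdopen` returns NULL; on that path the descriptor must be closed (e.g. `if (!f) close(fd);`) or it leaks for every failed GRAB. The hunk should also say in its description that `O_CREAT | O_EXCL` only refuses to replace an existing file and does not restrict where a new file may be created, which is the limitation discussed above.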
(My package already has this patch; the official Debian package will too.)

(We still need a send-snap-as-base64 version. Both vdr and vdr-xine will
require modification for this; when I last looked at this, I came to the
conclusion that a file _handle_ needs to be passed to the snapshot-creation
code.)

-- 
| Darren Salt    | d youmustbejoking,demon,co,uk | nr. Ashington,
| Debian,        | s zap,tartarus,org            | Northumberland
| RISC OS        | @                             | Toon Army
|   I don't ask for much, just untold riches...

Wanted: used electrons. Give generously.

[Attachment: 02_CAN-2005-0071.dpatch (uuencoded)]
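As an added example (not VDR's code and not the attached patch), the C routine below implements the kind of restriction discussed in the thread: the parent directory of the client-supplied name is canonicalised with realpath and must lie at or below an allowed base directory, and only then is the file created with O_CREAT | O_EXCL | O_NOFOLLOW and an explicit mode. The names `open_confined` and `demo` and the `/tmp/grab_demo.*` scratch tree are constructed for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* realpath, mkdtemp, O_NOFOLLOW on glibc */
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create a snapshot file for the untrusted, client-supplied NAME only if its parent directory
 * canonicalises to BASE or below; relative names are taken below BASE. Returns an fd or -1. */
int open_confined(const char *base, const char *name)   /* hypothetical helper, not VDR code */
{
    char real_base[PATH_MAX], want[PATH_MAX], dir[PATH_MAX], real_dir[PATH_MAX], final[PATH_MAX];
    if (!realpath(base, real_base)) return -1;
    int isabs = name[0] == '/';
    int n = snprintf(want, sizeof want, "%s%s%s", isabs ? "" : real_base, isabs ? "" : "/", name);
    if (n < 0 || n >= (int)sizeof want) return -1;
    const char *slash = strrchr(want, '/');          /* always present: want is absolute */
    if (slash[1] == '\0') return -1;                 /* a directory was given, no file name */
    size_t dlen = slash == want ? 1 : (size_t)(slash - want);
    memcpy(dir, want, dlen); dir[dlen] = '\0';
    /* Canonicalise the parent, not the file (it must not exist yet): this is what defeats
     * ".." and symlinked directories, which O_EXCL alone does nothing about. */
    if (!realpath(dir, real_dir)) return -1;
    size_t blen = strlen(real_base);
    if (strncmp(real_dir, real_base, blen) || (real_dir[blen] && real_dir[blen] != '/')) return -1;
    if (snprintf(final, sizeof final, "%s/%s", real_dir, slash + 1) >= (int)sizeof final)
        return -1;
    /* O_EXCL: never replace an existing file; O_NOFOLLOW: never write through a symlink. */
    return open(final, O_CREAT | O_EXCL | O_NOFOLLOW | O_WRONLY, 0640);
}

/* Exercise the check in a constructed scratch tree; returns a bitmask, 31 when every case behaves. */
int demo(void)
{
    char top[] = "/tmp/grab_demo.XXXXXX", snaps[PATH_MAX], lnk[PATH_MAX], f[PATH_MAX];
    if (!mkdtemp(top)) return -1;
    snprintf(snaps, sizeof snaps, "%s/snaps", top); snprintf(lnk, sizeof lnk, "%s/up", snaps);
    if (mkdir(snaps, 0755) || symlink(top, lnk)) return -1;   /* snaps/up -> top, outside snaps */
    int r = 0, fd = open_confined(snaps, "grab.jpg");
    if (fd >= 0) { r |= 1; close(fd); }                /* plain name inside snaps: allowed */
    if (open_confined(snaps, "grab.jpg") < 0)      r |= 2;  /* exists: O_EXCL refuses */
    if (open_confined(snaps, "../escape.jpg") < 0) r |= 4;  /* ".." climbs out of snaps */
    if (open_confined(snaps, "up/escape.jpg") < 0) r |= 8;  /* symlinked dir resolves outside */
    if (open_confined(snaps, "/etc/grab.jpg") < 0) r |= 16; /* absolute path elsewhere */
    snprintf(f, sizeof f, "%s/grab.jpg", snaps); unlink(f); unlink(lnk); rmdir(snaps); rmdir(top);
    return r;
}
```

The symlink case is the one that O_EXCL by itself cannot catch: the link is a directory, so the file it would create is new, yet it lands outside the snapshot directory.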