https://sources.debian.org/data/main/p/plib/1.8.5-8/debian/patches/05_CVE-2012-4552.diff

diff -up plib-1.8.5/src/ssg/ssgParser.cxx~ plib-1.8.5/src/ssg/ssgParser.cxx
--- plib-1.8.5/src/ssg/ssgParser.cxx~	2008-03-11 03:06:23.000000000 +0100
+++ plib-1.8.5/src/ssg/ssgParser.cxx	2012-11-01 15:33:12.424483374 +0100
@@ -57,18 +57,16 @@ void _ssgParser::error( const char *form
   char msgbuff[ 255 ];
   va_list argp;
 
-  char* msgptr = msgbuff;
-  if (linenum)
-  {
-    msgptr += sprintf ( msgptr,"%s, line %d: ",
-      path, linenum );
-  }
-
   va_start( argp, format );
-  vsprintf( msgptr, format, argp );
+  vsnprintf( msgbuff, sizeof(msgbuff), format, argp );
   va_end( argp );
 
-  ulSetError ( UL_WARNING, "%s", msgbuff ) ;
+  if (linenum)
+  {
+    ulSetError ( UL_WARNING, "%s, line %d: %s", path, linenum, msgbuff ) ;
+  } else {
+    ulSetError ( UL_WARNING, "%s", msgbuff ) ;
+  }
 }
 
 
@@ -78,18 +76,16 @@ void _ssgParser::message( const char *fo
   char msgbuff[ 255 ];
   va_list argp;
 
-  char* msgptr = msgbuff;
-  if (linenum)
-  {
-    msgptr += sprintf ( msgptr,"%s, line %d: ",
-      path, linenum );
-  }
-
   va_start( argp, format );
-  vsprintf( msgptr, format, argp );
+  vsnprintf( msgbuff, sizeof(msgbuff), format, argp );
   va_end( argp );
 
-  ulSetError ( UL_DEBUG, "%s", msgbuff ) ;
+  if (linenum)
+  {
+    ulSetError ( UL_DEBUG, "%s, line %d: %s", path, linenum, msgbuff ) ;
+  } else {
+    ulSetError ( UL_DEBUG, "%s", msgbuff ) ;
+  }
 }
 
 // Opens the file and does a few internal calculations based on the spec.
ss='form'><form class='right' method='get' action='/guix/log/gnu/build/linux-initrd.scm'>
<input type='hidden' name='id' value='f9dc378cb43dd84ad3e7195762fe2aeb9ee109bd'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=f9dc378cb43dd84ad3e7195762fe2aeb9ee109bd'>root</a>/<a href='/guix/log/gnu?id=f9dc378cb43dd84ad3e7195762fe2aeb9ee109bd'>gnu</a>/<a href='/guix/log/gnu/build?id=f9dc378cb43dd84ad3e7195762fe2aeb9ee109bd'>build</a>/<a href='/guix/log/gnu/build/linux-initrd.scm?id=f9dc378cb43dd84ad3e7195762fe2aeb9ee109bd'>linux-initrd.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/build/linux-initrd.scm?id=f9dc378cb43dd84ad3e7195762fe2aeb9ee109bd&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2020-12-15 17:32:10 +0100'>2020-12-15</span></td><td><a href='/guix/commit/gnu/build/linux-initrd.scm?id=6a060ff27ff68384d7c90076baa36c349fff689d'>store-copy: 'populate-store' can optionally deduplicate files.</a><span class='msg-avail'>...<span class='msg-tooltip'>Until now deduplication was performed as an additional pass after
copying files, which involve re-traversing all the files that had just
been copied.

* guix/store/deduplication.scm (copy-file/deduplicate): New procedure.
* tests/store-deduplication.scm ("copy-file/deduplicate"): New test.
* guix/build/store-copy.scm (populate-store): Add #:deduplicate?
parameter and honor it.
* tests/gexp.scm ("gexp-&gt;derivation, store copy"): Pass #:deduplicate? #f
to 'populate-store'.
* gnu/build/image.scm (initialize-root-partition): Pass #:deduplicate?
to 'populate-store'.  Pass #:deduplicate? #f to 'register-closure'.
* gnu/build/vm.scm (root-partition-initializer): Likewise.
* gnu/build/install.scm (populate-single-profile-directory): Pass
 #:deduplicate? #f to 'populate-store'.
* gnu/build/linux-initrd.scm (build-initrd): Likewise.
* guix/scripts/pack.scm (self-contained-tarball)[import-module?]: New
procedure.
[build]: Pass it as an argument to 'source-module-closure'.
* guix/scripts/pack.scm (squashfs-image)[build]: Wrap in
'with-extensions'.
* gnu/system/linux-initrd.scm (expression-&gt;initrd)[import-module?]: New
procedure.
[builder]: Pass it to 'source-module-closure'.
* gnu/system/install.scm (cow-store-service-type)[import-module?]: New
procedure.  Pass it to 'source-module-closure'.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2020-11-21 12:39:14 +0100'>2020-11-21</span></td><td><a href='/guix/commit/gnu/build/linux-initrd.scm?id=2200bb214690ebc78b9fa42887ac9dfb8035bd4f'>linux-initrd: Remove unnecessary timestamp reset phase.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/build/linux-initrd.scm (write-cpio-archive): Mention timestamps in
docstring.
(build-initrd): Remove unnecessary timestamp reset phase.
</span></span></td><td>Ludovic Courtès</td></tr>