Date: 18 Feb 2001 04:31:04 -0000 From: matt@LUCIDA.CA To: FreeBSD-gnats-submit@freebsd.org Subject: ports/25181: PORT SECURITY UPDATE: www/analog Message-ID: <20010218043104.28989.qmail@epsilon.lucida.ca>
next in thread | raw e-mail | index | archive | help
>Number: 25181 >Category: ports >Synopsis: Security fix of remote exploit in analog versions < 4.16 >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Feb 17 20:40:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: Matt Heckaman >Release: FreeBSD 4.2-STABLE i386 >Organization: Lucida Communications >Environment: Tested on FreeBSD 4.2-STABLE Feb 9, do not have access to other FreeBSD machines to do 3.x testing. >Description: All versions of the 'analog' package below 4.16 contain a buffer overflow that can be remotely exploited. The relevent URL for this bug is: http://www.analog.cx/security2.html The version of analog in ports-current was 4.11, this patch upgrades the port to version 4.16 which contains the fix as well as some enhancements in foreign language support and OS detection. >How-To-Repeat: N/A >Fix: diff -urN analog.orig/Makefile analog/Makefile --- analog.orig/Makefile Tue Jan 16 12:32:52 2001 +++ analog/Makefile Sat Feb 17 23:06:36 2001 @@ -6,7 +6,7 @@ # PORTNAME= analog -PORTVERSION= 4.11 +PORTVERSION= 4.16 CATEGORIES= www MASTER_SITES= http://www.analog.cx/ \ http://brendanr.simplenet.com/analog/ \ diff -urN analog.orig/distinfo analog/distinfo --- analog.orig/distinfo Sun Jun 4 15:21:06 2000 +++ analog/distinfo Sat Feb 17 23:05:18 2001 @@ -1 +1 @@ -MD5 (analog-4.11.tar.gz) = 1eb98a1c2f44f3a846b27e257a458e4a +MD5 (analog-4.16.tar.gz) = e951152629b1b23ef09b17f32d9310c4 diff -urN analog.orig/files/patch-aa analog/files/patch-aa --- analog.orig/files/patch-aa Sat Apr 15 03:28:01 2000 +++ analog/files/patch-aa Sat Feb 17 23:10:42 2001 @@ -1,5 +1,5 @@ ---- Makefile.orig Thu Mar 30 17:59:16 2000 -+++ Makefile Sat Apr 15 11:09:28 2000 +--- Makefile.orig Sat Feb 17 23:07:59 2001 ++++ Makefile Sat Feb 17 23:09:37 2001 @@ -7,7 +7,7 @@ # -Ae (HP/UX 10); BS2000/OSD requires -XLLML -XLLMK; # NeXTSTEP apparently needs... @@ -7,20 +7,20 @@ -DEFS = # any of -DNOPIPES -DNODNS -DNODIRENT -DNOOPEN ... +#DEFS = # any of -DNOPIPES -DNODNS -DNODIRENT -DNOOPEN ... # ... -DEBCDIC -DNOGMTIME -DNEED_STRCMP -DNEED_MEMMOVE ... - # ... -DNEED_STRTOUL -DNEED_DIFFTIME -DNEED_FLOATINGPOINT_H - # Solaris 2 (SunOS 5) might need DEFS = -DNEED_STRCMP -@@ -15,6 +15,10 @@ - # DEFS = -DNEED_MEMMOVE -DNEED_STRTOUL -DNEED_DIFFTIME -DNEED_FLOATINGPOINT_H + # ... -DNEED_STRTOUL -DNEED_DIFFTIME -DHAVE_ADDR_T ... + # ... -DNEED_FLOATINGPOINT_H +@@ -18,6 +18,10 @@ # DYNIX/ptx reportedly needs -D_SOCKET_VERSION=11 + # MPE/iX needs -D_POSIX_SOURCE -D_SOCKET_SOURCE # All the options are explained at the bottom of this file. -+DEFS = -DANALOGDIR=\"$(PREFIX)/lib/analog/\" \ ++DEFS = -DANALOGDIR=\"$(PREFIX)/lib/analog/\" \ + -DLOGFILE=\"/var/log/httpd-access.log\" \ + -DIMAGEDIR=\"/images/\" \ + -DDEFAULTCONFIGFILE=\"$(PREFIX)/etc/analog.cfg\" - OS = UNIX # Operating system: UNIX, DOS, WIN32, MAC, OS2, VMS - # RISCOS, BEOS, NEXTSTEP, BS2000 + OS = UNIX # Operating system: UNIX, DOS, WIN32, MAC, OS2, OSX, VMS, + # RISCOS, BEOS, NEXTSTEP, MPEIX, BS2000, AS400 LIBS = # extra libraries needed; Solaris 2 (SunOS 5) needs -@@ -29,7 +33,7 @@ +@@ -33,7 +37,7 @@ input.o macinput.o macstuff.o output.o output2.o pcre.o process.o \ settings.o sort.o tree.o utils.o win32.o HEADERS = anlghead.h anlghea2.h anlghea3.h anlghea4.h macdir.h pcre.h @@ -28,4 +28,4 @@ +CFLAGS += $(DEFS) -D$(OS) $(PROGRAM): $(OBJS) $(HEADERS) Makefile - $(CC) $(CEXTRAFLAGS) $(OBJS) -o $(PROGRAM) $(LIBS) + $(CC) $(CEXTRAFLAGS) -o $(PROGRAM) $(OBJS) $(LIBS) diff -urN analog.orig/pkg-plist analog/pkg-plist --- analog.orig/pkg-plist Sun Jun 4 15:21:07 2000 +++ analog/pkg-plist Sat Feb 17 23:18:01 2001 @@ -6,14 +6,23 @@ lib/analog/lang/am.lng lib/analog/lang/amdom.tab lib/analog/lang/ba.lng +lib/analog/lang/bg.lng +lib/analog/lang/bgdom.tab +lib/analog/lang/bgh.lng +lib/analog/lang/bghdom.tab lib/analog/lang/br.lng lib/analog/lang/bra.lng +lib/analog/lang/bradom.tab +lib/analog/lang/brdom.tab lib/analog/lang/brh.lng +lib/analog/lang/brhdom.tab lib/analog/lang/cat.lng lib/analog/lang/cata.lng +lib/analog/lang/catadom.tab +lib/analog/lang/catdom.tab lib/analog/lang/cath.lng -lib/analog/lang/cns.lng -lib/analog/lang/cnt.lng +lib/analog/lang/cathdom.tab +lib/analog/lang/cn.lng lib/analog/lang/cz.lng lib/analog/lang/cz1250.lng lib/analog/lang/cza.lng @@ -36,7 +45,10 @@ lib/analog/lang/eshdom.tab lib/analog/lang/fi.lng lib/analog/lang/fia.lng +lib/analog/lang/fiadom.tab +lib/analog/lang/fidom.tab lib/analog/lang/fih.lng +lib/analog/lang/fihdom.tab lib/analog/lang/fr.lng lib/analog/lang/fra.lng lib/analog/lang/fradom.tab @@ -46,12 +58,12 @@ lib/analog/lang/frhdom.tab lib/analog/lang/gr.lng lib/analog/lang/gra.lng +lib/analog/lang/hr.lng lib/analog/lang/hu.cfg lib/analog/lang/hu.lng lib/analog/lang/hua.lng lib/analog/lang/huadom.tab lib/analog/lang/hudom.tab -lib/analog/lang/itform.html lib/analog/lang/is.lng lib/analog/lang/isa.lng lib/analog/lang/ish.lng @@ -59,6 +71,7 @@ lib/analog/lang/ita.lng lib/analog/lang/itadom.tab lib/analog/lang/itdom.tab +lib/analog/lang/itform.html lib/analog/lang/ith.lng lib/analog/lang/ithdom.tab lib/analog/lang/jp.lng @@ -81,7 +94,10 @@ lib/analog/lang/pldom.tab lib/analog/lang/pt.lng lib/analog/lang/pta.lng +lib/analog/lang/ptadom.tab +lib/analog/lang/ptdom.tab lib/analog/lang/pth.lng +lib/analog/lang/pthdom.tab lib/analog/lang/ro.lng lib/analog/lang/rodom.tab lib/analog/lang/ru.lng @@ -102,20 +118,27 @@ lib/analog/lang/ska.lng lib/analog/lang/tr.lng lib/analog/lang/tra.lng +lib/analog/lang/tw.lng +lib/analog/lang/twdom.tab lib/analog/lang/ua.lng lib/analog/lang/uk.lng lib/analog/lang/uka.lng lib/analog/lang/ukdom.tab lib/analog/lang/us.lng lib/analog/lang/usa.lng +lib/analog/lang/usdom.tab lib/analog/lang/usform.html lib/analog/lang/yu.lng lib/analog/lang/yua.lng lib/analog/lang/yudom.tab +@dirrm lib/analog/lang +@dirrm lib/analog share/doc/analog/Licence.txt share/doc/analog/Readme.html share/doc/analog/acknow.html share/doc/analog/alias.html +share/doc/analog/analogo.gif +share/doc/analog/anlgdocs.css share/doc/analog/args.html share/doc/analog/bara8.gif share/doc/analog/barb1.gif @@ -137,6 +160,7 @@ share/doc/analog/domfile.html share/doc/analog/errors.html share/doc/analog/faq.html +share/doc/analog/favicon.ico share/doc/analog/form.html share/doc/analog/helpers.html share/doc/analog/hierreps.html @@ -165,6 +189,7 @@ share/doc/analog/webworks.html share/doc/analog/whatsnew.html share/doc/analog/whole.html +@dirrm share/doc/analog www/data/images/analogo.gif www/data/images/bara1.gif www/data/images/bara16.gif @@ -215,9 +240,6 @@ www/data/images/barh4.gif www/data/images/barh8.gif www/data/images/html2.gif -@dirrm lib/analog/lang -@dirrm lib/analog -@dirrm share/doc/analog @unexec rmdir %D/www/data/images 2>/dev/null || true @unexec rmdir %D/www/data 2>/dev/null || true @unexec rmdir %D/www 2>/dev/null || true >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010218043104.28989.qmail>