From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Feb 2 20:50:10 2012 Message-Id: 
<201202022041.q12Kffc0033074@meatwad.mouf.net> Date: Thu, 2 Feb 2012 15:41:41 -0500 (EST) From: Steve Wills To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: sylvio@FreeBSD.org Subject: ports/164719: [PATCH] irc/bip: update to fix CVE-2012-0806 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Feb 2012 20:50:10 -0000 >Number: 164719 >Category: ports >Synopsis: [PATCH] irc/bip: update to fix CVE-2012-0806 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Feb 02 20:50:10 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Steve Wills >Release: FreeBSD 10.0-CURRENT amd64 >Organization: >Environment: System: FreeBSD meatwad.mouf.net 10.0-CURRENT FreeBSD 10.0-CURRENT #8: Mon Dec 19 15:53:28 EST 2011 >Description: see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0806 patch from: https://projects.duckcorp.org/projects/bip/repository/revisions/222a33cb84a2e52ad55a88900b7895bf9dd0262c (I just concatenated the 3 patches) Added file(s): - files/patch-bip-269 Port maintainer (sylvio@FreeBSD.org) is cc'd. Generated with FreeBSD Port Tools 0.99 >How-To-Repeat: >Fix: --- bip-0.8.8_1.patch begins here --- Index: Makefile =================================================================== RCS file: /home/pcvs/ports/irc/bip/Makefile,v retrieving revision 1.19 diff -u -u -r1.19 Makefile --- Makefile 23 Sep 2011 22:23:32 -0000 1.19 +++ Makefile 2 Feb 2012 20:40:30 -0000 @@ -7,6 +7,7 @@ PORTNAME= bip PORTVERSION= 0.8.8 +PORTREVISION= 1 CATEGORIES= irc MASTER_SITES= https://projects.duckcorp.org/attachments/download/39/ 
@@ -14,6 +15,7 @@ COMMENT= A simple IRC proxy with SSL support LICENSE= GPLv2 + GNU_CONFIGURE= yes LDFLAGS+= -L${LOCALBASE}/lib USE_GMAKE= yes @@ -21,6 +23,7 @@ USE_OPENSSL= yes +PATCH_STRIP= -p1 PLIST_FILES= bin/bip bin/bipmkpw SUB_FILES= pkg-message MAN1= bip.1 bipmkpw.1 Index: files/patch-bip-269 =================================================================== RCS file: files/patch-bip-269 diff -N files/patch-bip-269 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-bip-269 2 Feb 2012 20:40:30 -0000 
@@ -0,0 +1,139 @@ +commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c +Author: Pierre-Louis Bonicoli +Date: Sat Jan 7 11:41:02 2012 +0100 + + Buffer Overflow: check against the implicit size of select() arrays + + Reported by Julien Tinnes (Fix #269) + exit is called when the listening socket can not be created + +diff --git a/src/bip.c b/src/bip.c +index d46ee2b..b4ac706 100644 +--- a/src/bip.c ++++ b/src/bip.c +@@ -1311,7 +1311,7 @@ int main(int argc, char **argv) + close(fd); + + bip.listener = listen_new(conf_ip, conf_port, conf_css); +- if (!bip.listener) ++ if (!bip.listener || bip.listener->connected == CONN_ERROR) + fatal("Could not create listening socket"); + + for (;;) { +commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c +Author: Pierre-Louis Bonicoli +Date: Sat Jan 7 11:41:02 2012 +0100 + + Buffer Overflow: check against the implicit size of select() arrays + + Reported by Julien Tinnes (Fix #269) + exit is called when the listening socket can not be created + +diff --git a/src/connection.c b/src/connection.c +index 07ab431..5c4c24a 100644 +--- a/src/connection.c ++++ b/src/connection.c +@@ -124,6 +124,18 @@ static void connect_trynext(connection_t *cn) + continue; + } + ++ if (cn->handle >= FD_SETSIZE) { ++ mylog(LOG_WARN, "too many fd used, close socket %d", ++ cn->handle); ++ ++ if (close(cn->handle) == -1) ++ mylog(LOG_WARN, "Error on socket close: %s", ++ strerror(errno)); ++ ++ cn->handle = -1; ++ break; ++ } ++ + socket_set_nonblock(cn->handle); + + if (cn->connecting_data->src) { +@@ -789,13 +801,8 @@ list_t *wait_event(list_t *cn_list, int *msec, int *nc) + /* + * This shouldn't happen ! just in case... 
+ */ +- if (cn->handle < 0) { +- mylog(LOG_WARN, "wait_event invalid socket %d", +- cn->handle); +- if (cn_is_connected(cn)) +- cn->connected = CONN_ERROR; +- continue; +- } ++ if (cn->handle < 0 || cn->handle >= FD_SETSIZE) ++ fatal("wait_event invalid socket %d", cn->handle); + + /* exceptions are OOB and disconnections */ + FD_SET(cn->handle, &fds_except); +@@ -966,6 +973,18 @@ static void create_listening_socket(char *hostname, char *port, + continue; + } + ++ if (cn->handle >= FD_SETSIZE) { ++ mylog(LOG_WARN, "too many fd used, close listening socket %d", ++ cn->handle); ++ ++ if (close(cn->handle) == -1) ++ mylog(LOG_WARN, "Error on socket close: %s", ++ strerror(errno)); ++ ++ cn->handle = -1; ++ break; ++ } ++ + if (setsockopt(cn->handle, SOL_SOCKET, SO_REUSEADDR, + (char *)&multi_client, + sizeof(multi_client)) < 0) { +@@ -1113,10 +1132,21 @@ connection_t *accept_new(connection_t *cn) + + mylog(LOG_DEBUG, "Trying to accept new client on %d", cn->handle); + err = accept(cn->handle, &sa, &sa_len); ++ + if (err < 0) { +- mylog(LOG_ERROR, "accept failed: %s", strerror(errno)); ++ fatal("accept failed: %s", strerror(errno)); ++ } ++ ++ if (err >= FD_SETSIZE) { ++ mylog(LOG_WARN, "too many client connected, close %d", err); ++ ++ if (close(err) == -1) ++ mylog(LOG_WARN, "Error on socket close: %s", ++ strerror(errno)); ++ + return NULL; + } ++ + socket_set_nonblock(err); + + conn = connection_init(cn->anti_flood, cn->ssl, cn->timeout, 0); +commit 222a33cb84a2e52ad55a88900b7895bf9dd0262c +Author: Pierre-Louis Bonicoli +Date: Sat Jan 7 11:41:02 2012 +0100 + + Buffer Overflow: check against the implicit size of select() arrays + + Reported by Julien Tinnes (Fix #269) + exit is called when the listening socket can not be created + +diff --git a/src/irc.c b/src/irc.c +index ebc1b34..147a315 100644 +--- a/src/irc.c ++++ b/src/irc.c +@@ -2439,9 +2439,10 @@ void bip_on_event(bip_t *bip, connection_t *conn) + + if (conn == bip->listener) { + struct link_client *n = 
irc_accept_new(conn); +- assert(n); +- list_add_last(&bip->conn_list, CONN(n)); +- list_add_last(&bip->connecting_client_list, n); ++ if (n) { ++ list_add_last(&bip->conn_list, CONN(n)); ++ list_add_last(&bip->connecting_client_list, n); ++ } + return; + } + --- bip-0.8.8_1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
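Review bot: PATCH_STRIP= -p1 in the Makefile hunk changes the strip level for every file under files/, so a later patch-* written in the usual WRKSRC-relative form will stop applying. files/patch-bip-269 is three git-format diffs concatenated with the same commit header repeated each time; regenerating it with paths relative to WRKSRC would let PATCH_STRIP be dropped. The empty line added after LICENSE= GPLv2 looks unrelated to the fix.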
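Review bot: in src/bip.c main(), the added `bip.listener->connected == CONN_ERROR` test only catches the FD_SETSIZE case if the code that runs after `cn->handle = -1; break;` in create_listening_socket() leaves connected set to CONN_ERROR, and that code is not part of the patch. Worth confirming before commit, or also testing `bip.listener->handle < 0` here so the check does not depend on it.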
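Review bot: the `cn->handle >= FD_SETSIZE` block added to connect_trynext() is repeated almost line for line in create_listening_socket(), differing only in the log text. A small static helper that logs, closes the descriptor and sets cn->handle to -1 would keep the two sites from drifting apart and make it easier to apply the same bound anywhere else a descriptor is created.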
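Review bot: the wait_event() hunk replaces the per-connection path (log, set CONN_ERROR, continue) with fatal(), so one connection with a bad handle now terminates the proxy for every user. The connect_trynext() hunk in this same patch sets `cn->handle = -1`, and if such a connection can still be on cn_list when wait_event() runs, a single failed outbound connect ends the process. Keeping the old error path and only widening its condition to `cn->handle < 0 || cn->handle >= FD_SETSIZE` still keeps the out-of-range descriptor away from FD_SET().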
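Review bot: in accept_new(), changing the `err < 0` branch from mylog(LOG_ERROR, ...) to fatal() makes every accept() failure exit the daemon, including transient ones such as ECONNABORTED, EINTR and EMFILE, and EMFILE is the descriptor-exhaustion condition this patch is about. Logging and returning NULL, as before, is safer now that the irc.c hunk tolerates a NULL result. Separately, `err` holds the accepted descriptor in the new `err >= FD_SETSIZE` test; a name such as fd would read better.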
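Review bot: in bip_on_event(), the new `if (n)` guard only helps if irc_accept_new() itself copes with accept_new() returning NULL before it touches the result, and irc_accept_new() is not among the functions changed here. Please check that path, since accept_new() now returns NULL for every client whose descriptor is at or above FD_SETSIZE. Dropping the assert(n) is right: a condition a remote client can trigger should not be an assertion.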