Date: Sun, 19 May 2013 14:10:01 GMT From: dfilter@FreeBSD.ORG (dfilter service) To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/178710: commit references a PR Message-ID: <201305191410.r4JEA15Y013693@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/178710; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: ports/178710: commit references a PR Date: Sun, 19 May 2013 14:06:45 +0000 (UTC) Author: rakuco Date: Sun May 19 14:06:36 2013 New Revision: 318524 URL: http://svnweb.freebsd.org/changeset/ports/318524 Log: Patch multiple vulnerabilities in x11-toolkits/plib. PR: ports/178710 Submitted by: Denny Lin <dennylin93@hs.ntnu.edu.tw> Added: head/x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx (contents, props changed) head/x11-toolkits/plib/files/patch-src-util-ulError.cxx (contents, props changed) Modified: head/security/vuxml/vuln.xml head/x11-toolkits/plib/Makefile Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun May 19 13:37:05 2013 (r318523) +++ head/security/vuxml/vuln.xml Sun May 19 14:06:36 2013 (r318524) @@ -51,6 +51,75 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="c72a2494-c08b-11e2-bb21-083e8ed0f47b"> + <topic>plib -- stack-based buffer overflow</topic> + <affects> + <package> + <name>plib</name> + <range><lt>1.8.5_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>CVE reports:</p> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4552">; + <p>Stack-based buffer overflow in the error function in + ssg/ssgParser.cxx in PLIB 1.8.5 allows remote attackers to + execute arbitrary code via a crafted 3d model file that + triggers a long error message, as demonstrated by a .ase + file.</p> + </blockquote> + </body> + </description> + <references> + <bid>55839</bid> + <cvename>CVE-2012-4552</cvename> + <mlist>http://www.openwall.com/lists/oss-security/2012/10/29/8</mlist>; + </references> + <dates> + <discovery>2012-10-09</discovery> + <entry>2013-05-19</entry> + </dates> + </vuln> + + <vuln vid="13bf0602-c08a-11e2-bb21-083e8ed0f47b"> + <topic>plib -- buffer overflow</topic> + <affects> + <package> + <name>plib</name> + <range><lt>1.8.5_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Secunia reports:</p> + <blockquote cite="https://secunia.com/advisories/47297">; + <p>A vulnerability has been discovered in PLIB, which can be + exploited by malicious people to compromise an application + using the library. The vulnerability is caused due to a + boundary error within the "ulSetError()" function + (src/util/ulError.cxx) when creating the error message, + which can be exploited to overflow a static buffer.</p> + <p>Successful exploitation allows the execution of arbitrary + code but requires that the attacker can e.g. control the + content of an overly long error message passed to the + "ulSetError()" function.</p> + <p>The vulnerability is confirmed in version 1.8.5. Other + versions may also be affected.</p> + <p>Originally reported in TORCS by Andres Gomez.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2011-4620</cvename> + <mlist>http://openwall.com/lists/oss-security/2011/12/21/2</mlist>; + </references> + <dates> + <discovery>2011-12-21</discovery> + <entry>2013-05-19</entry> + </dates> + </vuln> + <vuln vid="a8818f7f-9182-11e2-9bdf-d48564727302"> <topic>optipng -- use-after-free vulnerability</topic> <affects> Modified: head/x11-toolkits/plib/Makefile ============================================================================== --- head/x11-toolkits/plib/Makefile Sun May 19 13:37:05 2013 (r318523) +++ head/x11-toolkits/plib/Makefile Sun May 19 14:06:36 2013 (r318524) @@ -7,7 +7,7 @@ PORTNAME= plib PORTVERSION= 1.8.5 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= x11-toolkits MASTER_SITES= http://plib.sourceforge.net/dist/ Added: head/x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx Sun May 19 14:06:36 2013 (r318524) @@ -0,0 +1,60 @@ +Index: src/ssg/ssgParser.cxx +=================================================================== +--- src/ssg/ssgParser.cxx.orig ++++ src/ssg/ssgParser.cxx +@@ -57,18 +57,18 @@ void _ssgParser::error( const char *form + char msgbuff[ 255 ]; + va_list argp; + +- char* msgptr = msgbuff; +- if (linenum) +- { +- msgptr += sprintf ( msgptr,"%s, line %d: ", +- path, linenum ); +- } +- + va_start( argp, format ); +- vsprintf( msgptr, format, argp ); ++ vsnprintf( msgbuff, sizeof(msgbuff)-1, format, argp ); + va_end( argp ); ++ ++ msgbuff[sizeof(msgbuff)-1] = '\0'; + +- ulSetError ( UL_WARNING, "%s", msgbuff ) ; ++ if (linenum) ++ { ++ ulSetError ( UL_WARNING, "%s, line %d: %s", path, linenum, msgbuff ) ; ++ } else { ++ ulSetError ( UL_WARNING, "%s", msgbuff ) ; ++ } + } + + +@@ -78,18 +78,18 @@ void _ssgParser::message( const char *fo + char msgbuff[ 255 ]; + va_list argp; + +- char* msgptr = msgbuff; +- if (linenum) +- { +- msgptr += sprintf ( msgptr,"%s, line %d: ", +- path, linenum ); +- } +- + va_start( argp, format ); +- vsprintf( msgptr, format, argp ); ++ vsnprintf( msgbuff, sizeof(msgbuff)-1, format, argp ); + va_end( argp ); ++ ++ msgbuff[sizeof(msgbuff)-1] = '\0'; + +- ulSetError ( UL_DEBUG, "%s", msgbuff ) ; ++ if (linenum) ++ { ++ ulSetError ( UL_DEBUG, "%s, line %d: %s", path, linenum, msgbuff ) ; ++ } else { ++ ulSetError ( UL_DEBUG, "%s", msgbuff ) ; ++ } + } + + // Opens the file and does a few internal calculations based on the spec. Added: head/x11-toolkits/plib/files/patch-src-util-ulError.cxx ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/x11-toolkits/plib/files/patch-src-util-ulError.cxx Sun May 19 14:06:36 2013 (r318524) @@ -0,0 +1,18 @@ +Index: src/util/ulError.cxx +=================================================================== +--- src/util/ulError.cxx.orig ++++ src/util/ulError.cxx +@@ -39,9 +39,11 @@ void ulSetError ( enum ulSeverity severi + { + va_list argp; + va_start ( argp, fmt ) ; +- vsprintf ( _ulErrorBuffer, fmt, argp ) ; ++ vsnprintf ( _ulErrorBuffer, sizeof(_ulErrorBuffer)-1, fmt, argp ) ; + va_end ( argp ) ; +- ++ ++ _ulErrorBuffer[sizeof(_ulErrorBuffer)-1] = '\0'; ++ + if ( _ulErrorCB ) + { + (*_ulErrorCB)( severity, _ulErrorBuffer ) ; _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201305191410.r4JEA15Y013693>