Date: Sun, 24 Oct 2004 23:40:17 +0400 From: Roman Bogorodskiy <bogorodskiy@inbox.ru> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/73091: [ maintainer ] fix audio/mpg123 vulnerabilities Message-ID: <E1CLoDw-000G9N-00.bogorodskiy-inbox-ru@mx2.mail.ru> Resent-Message-ID: <200410241940.i9OJeVrr053704@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 73091 >Category: ports >Synopsis: [ maintainer ] fix audio/mpg123 vulnerabilities >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Sun Oct 24 19:40:30 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Roman Bogorodskiy >Release: FreeBSD 5.3-BETA7 i386 >Organization: >Environment: System: FreeBSD lame.novel.ru 5.3-BETA7 FreeBSD 5.3-BETA7 #12: Sat Oct 16 20:09:15 MSD 2004 root@lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386 >Description: Fix two mpg123 vulnerabilities[1], pointed out/helped to fix: simon. [1] http://www.vuxml.org/freebsd/20d16518-2477-11d9-814e-0001020eed82.html >How-To-Repeat: >Fix: diff -ru mpg123.orig/files/patch-httpget.c mpg123/files/patch-httpget.c --- mpg123.orig/files/patch-httpget.c Sun Oct 24 19:25:52 2004 +++ mpg123/files/patch-httpget.c Sun Oct 24 23:24:40 2004 @@ -1,6 +1,6 @@ ---- httpget.c.orig 2003-11-13 18:34:37.000000000 +0000 -+++ httpget.c 2003-11-13 18:35:10.000000000 +0000 -@@ -55,11 +55,10 @@ void readstring (char *string, int maxle +--- httpget.c.orig Sun Oct 24 19:33:47 2004 ++++ httpget.c Sun Oct 24 19:34:18 2004 +@@ -55,11 +55,10 @@ #endif int pos = 0; @@ -13,7 +13,7 @@ break; } } -@@ -68,6 +67,7 @@ void readstring (char *string, int maxle +@@ -68,6 +67,7 @@ exit(1); } } @@ -21,3 +21,32 @@ #if 0 do { result = fgets(string, maxlen, f); +@@ -126,7 +126,13 @@ + if( url[i] == '/' ) + return 0; + } +- strncpy(auth,url,pos-url); ++ ++ /* cut up the string to prevent scary BOF */ ++ if (pos-url > 255) ++ strncpy(auth,url,255); ++ else ++ strncpy(auth,url,pos-url); ++ + auth[pos-url] = 0; + strcpy(url,pos+1); + return 1; +@@ -292,11 +298,11 @@ + } + strcat (request, sptr); + } +- sprintf (request + strlen(request), ++ snprintf (request + strlen(request), linelength - strlen(request), + " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", + prgName, prgVersion); + if (host) { +- sprintf(request + strlen(request), ++ snprintf(request + strlen(request), linelength - strlen(request), + "Host: %s:%s\r\n", host, myport); + #if 0 + free (host); >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1CLoDw-000G9N-00.bogorodskiy-inbox-ru>