Date:      Mon, 15 Jul 2002 22:19:56 +0200 (CEST)
From:      Thierry Thomas <thierry@pompo.net>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        security@FreeBSD.org
Subject:   news/newsx: security patch for newsx version 1.4
Message-ID:  <20020715201956.D6EFC7520@graf.pompo.net>


>Submitter-Id:	current-users
>Originator:	Thierry Thomas
>Organization:	Kabbale Eros
>Confidential:	no 
>Synopsis:	news/newsx: security patch for newsx version 1.4
>Severity:	serious
>Priority:	high
>Category:	ports
>Class:		maintainer-update
>Release:	FreeBSD 4.6-STABLE i386
>Environment:
System: FreeBSD graf.pompo.net 4.6-STABLE FreeBSD 4.6-STABLE #0: Sun Jun 16 15:14:29 CEST 2002 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386


	
>Description:
	Message from the author:
The attached patch fixes a security vulnerability with newsx version 1.4.
It also applies to earlier newsx versions.

The vulnerability is primarily local. It is not obvious that it can also be
exploited remotely, but on the other hand this cannot be totally ruled out
either.

Thanks to zillion@snosoft.com for pointing this out.

Egil Kvaleberg <egil@beta.kvaleberg.no>

>How-To-Repeat:
	N./A.

>Fix:

	Please apply the attached patch:


diff -urN /usr/ports/news/newsx.orig/Makefile /usr/ports/news/newsx/Makefile
--- /usr/ports/news/newsx.orig/Makefile	Sun Jul  7 22:00:46 2002
+++ /usr/ports/news/newsx/Makefile	Mon Jul 15 21:51:29 2002
@@ -6,10 +6,10 @@
 #
 
 PORTNAME=	newsx
-PORTVERSION=	1.4.6
+PORTVERSION=	1.4.8
 CATEGORIES=	news
 MASTER_SITES=	ftp://ftp.kvaleberg.com/pub/
-DISTNAME=	${PORTNAME}-${PORTVERSION:S/.6/pl6/}
+DISTNAME=	${PORTNAME}-${PORTVERSION:S/.8/pl6/}
 
 MAINTAINER=	thierry@pompo.net
 
diff -urN /usr/ports/news/newsx.orig/files/patch-configure.in /usr/ports/news/newsx/files/patch-configure.in
--- /usr/ports/news/newsx.orig/files/patch-configure.in	Thu Jan 31 21:55:12 2002
+++ /usr/ports/news/newsx/files/patch-configure.in	Mon Jul 15 21:47:42 2002
@@ -1,5 +1,14 @@
 --- configure.in.orig	Tue Jan 29 20:15:19 2002
-+++ configure.in	Thu Jan 31 01:05:04 2002
++++ configure.in	Mon Jul 15 21:46:55 2002
+@@ -167,7 +167,7 @@
+ dnl
+ AC_INIT(FAQ)
+ 
+-AM_INIT_AUTOMAKE(newsx, 1.4pl6)
++AM_INIT_AUTOMAKE(newsx, 1.4pl8)
+ AM_CONFIG_HEADER(config.h)
+ dnl Only most recent year required:
+ COPYRIGHT="Copyright 2002 Egil Kvaleberg <egil@kvaleberg.no>"
 @@ -189,7 +189,7 @@
  dnl  Default list of locations to visit in search of the
  dnl  news configuration file
diff -urN /usr/ports/news/newsx.orig/files/patch-src_logmsg.c /usr/ports/news/newsx/files/patch-src_logmsg.c
--- /usr/ports/news/newsx.orig/files/patch-src_logmsg.c	Thu Jan  1 01:00:00 1970
+++ /usr/ports/news/newsx/files/patch-src_logmsg.c	Mon Jul 15 21:40:27 2002
@@ -0,0 +1,74 @@
+--- src/logmsg.c.orig	Wed Feb 14 07:55:40 2001
++++ src/logmsg.c	Mon Jul 15 21:38:30 2002
+@@ -1,4 +1,4 @@
+-/*  VER 079  TAB P   $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $
++/*  VER 080  TAB P   $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $
+  *
+  *  handle error messages and such...
+  *
+@@ -60,9 +60,9 @@
+     /* 
+      *  try to make a surrogate 
+      *  we assume that on those architectures where this trick
+-     *  doesn't work there we will surely have stdarg.h or varargs.h
++     *  doesn't work there we will surely be stdarg.h or varargs.h
+      */
+-#define vsprintf(buf,  fmt, ap) sprintf(buf,  fmt, arg1, arg2, arg3, arg4)
++#define vsnprintf(buf,siz,fmt,ap) snprintf(buf,siz,fmt, arg1,arg2,arg3,arg4)
+ #define vfprintf(file, fmt, ap) fprintf(file, fmt, arg1, arg2, arg3, arg4)
+ #endif
+ 
+@@ -156,7 +156,7 @@
+ #endif
+ {
+     int e;
+-    char buf[BUFSIZ]; /* BUG: do we risk overwriting it? */
++    char buf[BUFSIZ];
+ 
+ #if HAVE_VPRINTF
+     va_list ap;
+@@ -176,34 +176,33 @@
+     case L_ERRno:
+     case L_ERR:
+ 	e = errno;
+-	vsprintf(buf, fmt, ap);
+-	if (type == L_ERRno) {
+-	    sprintf(buf + strlen (buf), ": %s", str_error(e));
+-	}
+-	strcat(buf, "\n");
++	vsnprintf(buf, sizeof(buf), fmt, ap);
+ #if HAVE_SYSLOG_H
+ 	if (!debug_opt) {
+-	    syslog(LOG_ERR, buf);
++	    syslog(LOG_ERR, "%s%s%s\n", buf,
++					((type==L_ERRno) ? ": ":""),
++					((type==L_ERRno) ? str_error(e):""));
+ 	} else 
+ #endif
+ 	{
+ 	    clean_line();
+-	    fprintf(stderr, "%s: %s", pname, buf);
++	    fprintf(stderr, "%s: %s%s%s\n", pname, buf,
++					((type==L_ERRno) ? ": ":""),
++					((type==L_ERRno) ? str_error(e):""));
+ 	    fflush(stderr);
+ 	}
+ 	break;
+ 
+     case L_INFO:
+-	vsprintf(buf, fmt, ap);
+-	strcat(buf, "\n");
++	vsnprintf(buf, sizeof(buf), fmt, ap);
+ #if HAVE_SYSLOG_H
+ 	if (!debug_opt) {
+-	    syslog(LOG_INFO, buf);
++	    syslog(LOG_INFO, "%s\n", buf);
+ 	} else 
+ #endif
+ 	{
+ 	    clean_line();
+-	    fprintf(stderr, "%s", buf);
++	    fprintf(stderr, "%s\n", buf);
+ 	    fflush(stderr);
+ 	}
+ 	break;
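Review bot: Both `vsnprintf(buf, sizeof(buf), fmt, ap)` calls discard the return value, so a message longer than BUFSIZ is now truncated silently instead of overflowing `buf`. That is a reasonable trade for a logger, but the declaration lost its old BUG remark without a replacement; I would add `/* filled only via vsnprintf(); over-long messages are truncated */` beside `char buf[BUFSIZ];`. The reworded comment above the surrogate macro (`we will surely be stdarg.h or varargs.h`) reads as an accidental edit and should keep `have`. The switch and its enclosing function continue outside these hunks, so any other case that still calls `vsprintf` or passes `buf` directly as the syslog format would need the same treatment. In a build without HAVE_VPRINTF, a leftover `vsprintf` call would also no longer have its surrogate macro, which is worth confirming against the full file.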




