From owner-freebsd-security Mon Jul 15 13:22:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id EC41637B400; Mon, 15 Jul 2002 13:22:10 -0700 (PDT)
Received: from postfix3-2.free.fr (postfix3-2.free.fr [213.228.0.169])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 289D043E4A; Mon, 15 Jul 2002 13:22:10 -0700 (PDT)
	(envelope-from thierry@pompo.net)
Received: from graf.pompo.net (lyon-2-a7-62-147-23-232.dial.proxad.net [62.147.23.232])
	by postfix3-2.free.fr (Postfix) with ESMTP
	id 49C9317FCB; Mon, 15 Jul 2002 22:22:06 +0200 (CEST)
Received: by graf.pompo.net (Postfix, from userid 1001)
	id D6EFC7520; Mon, 15 Jul 2002 22:19:56 +0200 (CEST)
To: FreeBSD-gnats-submit@freebsd.org
Subject: news/newsx: security patch for newsx version 1.4
From: Thierry Thomas
Reply-To: Thierry Thomas
Cc: security@FreeBSD.org
X-send-pr-version: 3.113
X-GNATS-Notify:
Message-Id: <20020715201956.D6EFC7520@graf.pompo.net>
Date: Mon, 15 Jul 2002 22:19:56 +0200 (CEST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Submitter-Id: current-users
>Originator: Thierry Thomas
>Organization: Kabbale Eros
>Confidential: no
>Synopsis: news/newsx: security patch for newsx version 1.4
>Severity: serious
>Priority: high
>Category: ports
>Class: maintainer-update
>Release: FreeBSD 4.6-STABLE i386
>Environment:
System: FreeBSD graf.pompo.net 4.6-STABLE FreeBSD 4.6-STABLE #0: Sun Jun 16 15:14:29 CEST 2002 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386

>Description:

Message from the author:

The attached patch fixes a security vulnerability with newsx version 1.4.
It also applies to earlier newsx versions.

The vulnerability is primarily local - it is not obvious that it may
also apply for remote exploits - but on the other hand this cannot be
totally ruled out either.

Thanks to zillion@snosoft.com for pointing this out.

Egil Kvaleberg

>How-To-Repeat:

N./A.

>Fix:

Please apply the attached patch:

diff -urN /usr/ports/news/newsx.orig/Makefile /usr/ports/news/newsx/Makefile --- /usr/ports/news/newsx.orig/Makefile Sun Jul 7 22:00:46 2002 +++ /usr/ports/news/newsx/Makefile Mon Jul 15 21:51:29 2002 
@@ -6,10 +6,10 @@ # PORTNAME= newsx -PORTVERSION= 1.4.6 +PORTVERSION= 1.4.8 CATEGORIES= news MASTER_SITES= ftp://ftp.kvaleberg.com/pub/ -DISTNAME= ${PORTNAME}-${PORTVERSION:S/.6/pl6/} +DISTNAME= ${PORTNAME}-${PORTVERSION:S/.8/pl6/} MAINTAINER= thierry@pompo.net diff -urN /usr/ports/news/newsx.orig/files/patch-configure.in /usr/ports/news/newsx/files/patch-configure.in --- /usr/ports/news/newsx.orig/files/patch-configure.in Thu Jan 31 21:55:12 2002 +++ /usr/ports/news/newsx/files/patch-configure.in Mon Jul 15 21:47:42 2002 @@ -1,5 +1,14 @@ --- configure.in.orig Tue Jan 29 20:15:19 2002 -+++ configure.in Thu Jan 31 01:05:04 2002 ++++ configure.in Mon Jul 15 21:46:55 2002 +@@ -167,7 +167,7 @@ + dnl + AC_INIT(FAQ) + +-AM_INIT_AUTOMAKE(newsx, 1.4pl6) ++AM_INIT_AUTOMAKE(newsx, 1.4pl8) + AM_CONFIG_HEADER(config.h) + dnl Only most recent year required: + COPYRIGHT="Copyright 2002 Egil Kvaleberg " @@ -189,7 +189,7 @@ dnl Default list of locations to visit in search of the dnl news configuration file diff -urN /usr/ports/news/newsx.orig/files/patch-src_logmsg.c /usr/ports/news/newsx/files/patch-src_logmsg.c --- /usr/ports/news/newsx.orig/files/patch-src_logmsg.c Thu Jan 1 01:00:00 1970 +++ /usr/ports/news/newsx/files/patch-src_logmsg.c Mon Jul 15 21:40:27 2002 
@@ -0,0 +1,74 @@ +--- src/logmsg.c.orig Wed Feb 14 07:55:40 2001 ++++ src/logmsg.c Mon Jul 15 21:38:30 2002 +@@ -1,4 +1,4 @@ +-/* VER 079 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $ ++/* VER 080 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $ + * + * handle error messages and such... + * +@@ -60,9 +60,9 @@ + /* + * try to make a surrogate + * we assume that on those architectures where this trick +- * doesn't work there we will surely have stdarg.h or varargs.h ++ * doesn't work there we will surely be stdarg.h or varargs.h + */ +-#define vsprintf(buf, fmt, ap) sprintf(buf, fmt, arg1, arg2, arg3, arg4) ++#define vsnprintf(buf,siz,fmt,ap) snprintf(buf,siz,fmt, arg1,arg2,arg3,arg4) + #define vfprintf(file, fmt, ap) fprintf(file, fmt, arg1, arg2, arg3, arg4) + #endif + +@@ -156,7 +156,7 @@ + #endif + { + int e; +- char buf[BUFSIZ]; /* BUG: do we risk overwriting it? */ ++ char buf[BUFSIZ]; + + #if HAVE_VPRINTF + va_list ap; +@@ -176,34 +176,33 @@ + case L_ERRno: + case L_ERR: + e = errno; +- vsprintf(buf, fmt, ap); +- if (type == L_ERRno) { +- sprintf(buf + strlen (buf), ": %s", str_error(e)); +- } +- strcat(buf, "\n"); ++ vsnprintf(buf, sizeof(buf), fmt, ap); + #if HAVE_SYSLOG_H + if (!debug_opt) { +- syslog(LOG_ERR, buf); ++ syslog(LOG_ERR, "%s%s%s\n", buf, ++ ((type==L_ERRno) ? ": ":""), ++ ((type==L_ERRno) ? str_error(e):"")); + } else + #endif + { + clean_line(); +- fprintf(stderr, "%s: %s", pname, buf); ++ fprintf(stderr, "%s: %s%s%s\n", pname, buf, ++ ((type==L_ERRno) ? ": ":""), ++ ((type==L_ERRno) ? 
str_error(e):"")); + fflush(stderr); + } + break; + + case L_INFO: +- vsprintf(buf, fmt, ap); +- strcat(buf, "\n"); ++ vsnprintf(buf, sizeof(buf), fmt, ap); + #if HAVE_SYSLOG_H + if (!debug_opt) { +- syslog(LOG_INFO, buf); ++ syslog(LOG_INFO, "%s\n", buf); + } else + #endif + { + clean_line(); +- fprintf(stderr, "%s", buf); ++ fprintf(stderr, "%s\n", buf); + fflush(stderr); + } + break;
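
Review bot: In the Makefile hunk, `${PORTVERSION:S/.8/pl6/}` turns 1.4.8 into 1.4pl6, so DISTNAME still names the pl6 tarball while PORTVERSION and the AM_INIT_AUTOMAKE line added to files/patch-configure.in both advertise pl8. If the intent is to keep fetching the pl6 distfile and carry the fix in files/patch-src_logmsg.c, put a comment next to DISTNAME saying so, so the mismatch does not read as a typo. If an upstream pl8 tarball is meant instead, the substitution should produce pl8 and the distfile checksum needs updating, which this patch does not touch.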
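
Review bot: In the @@ -60,9 +60,9 @@ hunk of src/logmsg.c, the fallback macro now maps vsnprintf onto snprintf, which assumes snprintf is available on exactly the platforms that lack stdarg.h and varargs.h; a configure check for snprintf, or a stated requirement, would make that assumption explicit. Renaming the macro also removes the vsprintf surrogate, so any vsprintf call left in logmsg.c outside the lines shown here would no longer be covered on that path and should be converted as well. The comment change from "we will surely have stdarg.h" to "we will surely be stdarg.h" looks accidental and should be reverted.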
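
Review bot: In the @@ -176,34 +176,33 @@ hunk, the return value of `vsnprintf(buf, sizeof(buf), fmt, ap)` is ignored in both the L_ERRno/L_ERR and the L_INFO cases, so a message longer than BUFSIZ is cut off with no indication in syslog or on stderr; consider checking the return value against sizeof(buf) and marking the logged line as truncated. Passing a constant format to syslog (`"%s%s%s\n"` and `"%s\n"`) instead of buf is the change that matters here and looks correct. Two style points: the trailing "\n" is not needed in the syslog calls, and the repeated `(type==L_ERRno) ? ... : ""` ternaries would read better as two local strings computed once before the `#if HAVE_SYSLOG_H` branch.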