ports/73091: [ maintainer ] fix audio/mpg123 vulnerabilities
Roman Bogorodskiy
bogorodskiy at inbox.ru
Sun Oct 24 19:40:31 UTC 2004
>Number: 73091
>Category: ports
>Synopsis: [ maintainer ] fix audio/mpg123 vulnerabilities
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sun Oct 24 19:40:30 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Roman Bogorodskiy
>Release: FreeBSD 5.3-BETA7 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA7 FreeBSD 5.3-BETA7 #12: Sat Oct 16 20:09:15 MSD 2004 root at lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386
>Description:
Fix two mpg123 vulnerabilities[1], pointed out/helped to fix: simon.
[1] http://www.vuxml.org/freebsd/20d16518-2477-11d9-814e-0001020eed82.html
>How-To-Repeat:
>Fix:
diff -ru mpg123.orig/files/patch-httpget.c mpg123/files/patch-httpget.c
--- mpg123.orig/files/patch-httpget.c Sun Oct 24 19:25:52 2004
+++ mpg123/files/patch-httpget.c Sun Oct 24 23:24:40 2004
@@ -1,6 +1,6 @@
---- httpget.c.orig 2003-11-13 18:34:37.000000000 +0000
-+++ httpget.c 2003-11-13 18:35:10.000000000 +0000
-@@ -55,11 +55,10 @@ void readstring (char *string, int maxle
+--- httpget.c.orig Sun Oct 24 19:33:47 2004
++++ httpget.c Sun Oct 24 19:34:18 2004
+@@ -55,11 +55,10 @@
#endif
int pos = 0;
@@ -13,7 +13,7 @@
break;
}
}
-@@ -68,6 +67,7 @@ void readstring (char *string, int maxle
+@@ -68,6 +67,7 @@
exit(1);
}
}
@@ -21,3 +21,32 @@
#if 0
do {
result = fgets(string, maxlen, f);
+@@ -126,7 +126,13 @@
+ if( url[i] == '/' )
+ return 0;
+ }
+- strncpy(auth,url,pos-url);
++
++ /* cut up the string to prevent scary BOF */
++ if (pos-url > 255)
++ strncpy(auth,url,255);
++ else
++ strncpy(auth,url,pos-url);
++
+ auth[pos-url] = 0;
+ strcpy(url,pos+1);
+ return 1;
+@@ -292,11 +298,11 @@
+ }
+ strcat (request, sptr);
+ }
+- sprintf (request + strlen(request),
++ snprintf (request + strlen(request), linelength - strlen(request),
+ " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
+ prgName, prgVersion);
+ if (host) {
+- sprintf(request + strlen(request),
++ snprintf(request + strlen(request), linelength - strlen(request),
+ "Host: %s:%s\r\n", host, myport);
+ #if 0
+ free (host);
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list