FreeBSD Security Advisory FreeBSD-SA-03:08.realpath
Benjamin Lewis
bhlewis at wossname.net
Mon Aug 4 10:42:09 PDT 2003
On Sun, 2003-08-03 at 19:04, FreeBSD Security Advisories wrote:
> 2) To patch your present system:
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility. The following patch
> has been tested to apply to all FreeBSD 4.x releases and to FreeBSD
> 5.0-RELEASE.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:08/realpath.patch.asc
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
Is it just me or is the patch referenced above wrong? I followed the
instructions above but the patch failed:
##### snip ######
# cd /usr/src-all/current/src # Where my "/usr/src" lives
# patch < /tmp/realpath.patch
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libc/stdlib/realpath.c
|===================================================================
|RCS file: /home/ncvs/src/lib/libc/stdlib/realpath.c,v
|retrieving revision 1.9
|diff -c -c -r1.9 realpath.c
|*** lib/libc/stdlib/realpath.c 27 Jan 2000 23:06:50 -0000 1.9
|--- lib/libc/stdlib/realpath.c 3 Aug 2003 17:21:20 -0000
--------------------------
Patching file lib/libc/stdlib/realpath.c using Plan A...
Hunk #1 failed at 138.
1 out of 1 hunks failed--saving rejects to
lib/libc/stdlib/realpath.c.rej
done
##### snip ######
realpath.c.rej contains the entire patch:
##### snip ######
***************
*** 138,144 ****
rootd = 0;
if (*wbuf) {
! if (strlen(resolved) + strlen(wbuf) + rootd + 1 >
MAXPATHLEN) {
errno = ENAMETOOLONG;
goto err1;
}
--- 138,145 ----
rootd = 0;
if (*wbuf) {
! if (strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 >
! MAXPATHLEN) {
errno = ENAMETOOLONG;
goto err1;
}
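Review bot: The rewritten condition, `strlen(resolved) + strlen(wbuf) + (1-rootd) + 1 > MAXPATHLEN`, has two one-byte terms with no comment saying what each one counts, and the whole fix is the swap of `rootd` for `(1-rootd)`. That swap moves the bound by one byte in either direction depending on the flag, so a later edit could easily reverse it. Please add a comment above the `if` naming what `(1-rootd)` and the trailing `+ 1` reserve space for, or give the two terms named locals. The code that actually joins `resolved` and `wbuf` is outside this hunk, so the check cannot be confirmed against the copy it guards from these lines alone; including that context in the patch, or referencing it in the comment, would make the bound reviewable.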
##### snip ######
I wasn't really surprised that it failed since it looks like it should
apply to crypto/openssh/openbsd-compat/realpath.c rather than
lib/libc/stdlib/realpath.c. I assume (from the CVS logs) that cvsup
has taken care of the libc version for me. Does the openssh file need
to be patched too?
-Ben