git: cc0b41d49276 - main - security/kdbxviewer: Update to 0.1.11

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Nuno Teixeira <eduardo_at_FreeBSD.org>
Date: Tue, 06 Sep 2022 22:45:25 UTC
The branch main has been updated by eduardo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cc0b41d49276447c1bbd052df4181829d44fe653

commit cc0b41d49276447c1bbd052df4181829d44fe653
Author:     Robert Clausecker <fuz@fuz.su>
AuthorDate: 2022-09-06 22:42:46 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-09-06 22:42:46 +0000

    security/kdbxviewer: Update to 0.1.11
    
     - patch two instances of undefined behaviour
     - patch a potential buffer overflow
    
    Changelog:      https://github.com/pepa65/kdbxviewer/releases/tag/v0.1.11
    PR:             266258
    MFH:            2022Q3
---
 security/kdbxviewer/Makefile                   |  2 +-
 security/kdbxviewer/distinfo                   |  6 ++---
 security/kdbxviewer/files/patch-libcx9r_kdbx.c | 32 ++++++++++++++++++++++++++
 security/kdbxviewer/files/patch-src_main.c     | 29 +++++++++++++++++++++++
 4 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/security/kdbxviewer/Makefile b/security/kdbxviewer/Makefile
index eaa700656279..02a1f0e6e973 100644
--- a/security/kdbxviewer/Makefile
+++ b/security/kdbxviewer/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	kdbxviewer
-PORTVERSION=	0.1.10
+PORTVERSION=	0.1.11
 DISTVERSIONPREFIX=v
 CATEGORIES=	security
 
diff --git a/security/kdbxviewer/distinfo b/security/kdbxviewer/distinfo
index 98e9295e771f..a2b1cac88dec 100644
--- a/security/kdbxviewer/distinfo
+++ b/security/kdbxviewer/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1635952892
-SHA256 (pepa65-kdbxviewer-v0.1.10_GH0.tar.gz) = 0ef77f637b34cb603634b7c2f8247fb5f38e12951961c8e2ae6b7dbf7858fc6d
-SIZE (pepa65-kdbxviewer-v0.1.10_GH0.tar.gz) = 140203
+TIMESTAMP = 1662483072
+SHA256 (pepa65-kdbxviewer-v0.1.11_GH0.tar.gz) = de714ca964d637bcb83f591729fc2e9e6a1100d549278f4315129ec4ceb743d0
+SIZE (pepa65-kdbxviewer-v0.1.11_GH0.tar.gz) = 140203
diff --git a/security/kdbxviewer/files/patch-libcx9r_kdbx.c b/security/kdbxviewer/files/patch-libcx9r_kdbx.c
new file mode 100644
index 000000000000..a09c9cc7fbe4
--- /dev/null
+++ b/security/kdbxviewer/files/patch-libcx9r_kdbx.c
@@ -0,0 +1,32 @@
+--- libcx9r/kdbx.c.orig	2022-09-06 17:07:27 UTC
++++ libcx9r/kdbx.c
+@@ -112,22 +112,25 @@ static cx9r_err kdbx_read_magic(cx9r_stream_t *stream)
+ 	uint8_t const kdbx_magic[KDBX_MAGIC_LENGTH] = { 0x03, 0xd9, 0xa2, 0x9a,
+ 			0x67, 0xfb, 0x4b, 0xb5 };
+ DEBUG("Reading magic...\n");
+-	uint8_t magic[KDBX_MAGIC_LENGTH];
++	union {
++		uint8_t magic[KDBX_MAGIC_LENGTH];
++		uint64_t joined;
++	} m;
+ 
+ 	// default return value
+ 	cx9r_err err = CX9R_OK;
+ 	// read magic bytes
+-	CHECK((cx9r_sread(magic, 1, KDBX_MAGIC_LENGTH, stream) == KDBX_MAGIC_LENGTH),
++	CHECK((cx9r_sread(m.magic, 1, KDBX_MAGIC_LENGTH, stream) == KDBX_MAGIC_LENGTH),
+ 			err, CX9R_FILE_READ_ERR, kdbx_magic_bail);
+ DEBUG("Proper magic length\n");
+ 
+ 	// compare magic bytes to expected
+-	CHECK((memcmp(magic, kdbx_magic, KDBX_MAGIC_LENGTH) == 0), err,
++	CHECK((memcmp(m.magic, kdbx_magic, KDBX_MAGIC_LENGTH) == 0), err,
+ 			CX9R_BAD_MAGIC, kdbx_magic_bail);
+ DEBUG("Proper magic content\n");
+ 
+ 	kdbx_magic_bail:
+-DEBUG("%016lX  (%d)\n", *(uint64_t*)&magic, err);
++DEBUG("%016llX  (%d)\n", (unsigned long long)m.joined, err);
+ 	return err;
+ }
+ 
diff --git a/security/kdbxviewer/files/patch-src_main.c b/security/kdbxviewer/files/patch-src_main.c
new file mode 100644
index 000000000000..8ab02829a5de
--- /dev/null
+++ b/security/kdbxviewer/files/patch-src_main.c
@@ -0,0 +1,29 @@
+--- src/main.c.orig	2022-09-06 17:00:52 UTC
++++ src/main.c
+@@ -159,7 +159,7 @@ void print_key_table(cx9r_kt_group *g, int level) {
+ 
+ // Process commandline
+ int main(int argc, char **argv) {
+-	long unsigned int len = PATHLEN, opt, flags = 0;
++	size_t len = PATHLEN, opt, flags = 0;
+ 	char *kdbxfilename = malloc(len), *filename = malloc(len), command = 0,
+ 		*password = NULL, *self = argv[0] + strlen(argv[0]),
+ 		*configfilename = strcat(getenv("HOME"), CONFIGFILENAME);
+@@ -246,14 +246,14 @@ int main(int argc, char **argv) {
+ 		*filename = 0;
+ 		if ((configfile = fopen(configfilename, "r")) != NULL)
+ 			while (getline(&filename, &len, configfile) != -1) {
+-				*(filename+strlen(filename)-1) = 0;
++				filename[strcspn(filename, "\n")] = '\0';
+ 				// Check the latest found file
+-				if ((kdbxfile = fopen(filename, "r")) != NULL) strcpy(kdbxfilename, filename);
++				if ((kdbxfile = fopen(filename, "r")) != NULL) kdbxfilename = strdup(filename);
+ 				*filename = 0;
+ 			}
+ 		if (*kdbxfilename == 0)
+ 			abort(-7, "No database specified on commandline or in configfile\n");
+-		else strcpy(filename, kdbxfilename);
++		else filename = strdup(kdbxfilename);
+ 	}
+ 
+ 	// Set default mode depending on search