author | miwi <miwi@FreeBSD.org> | 2009-03-19 00:39:04 +0800 |
---|---|---|
committer | miwi <miwi@FreeBSD.org> | 2009-03-19 00:39:04 +0800 |
commit | 025727b60fdec8d7fe806e5d0d50de183840db7b (patch) | |
tree | ccf7c39875fe4bf6b254c05e24b04d6cbe198ac9 | |
parent | 5d7ff0545bde166a5a357a3c750324aca25e9007 (diff) | |
- Fix CVE-2008-5718
PR: 132427
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Approved by: marcus (maintainer)
Security: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5718
http://www.openwall.com/lists/oss-security/2009/01/13/3
-rw-r--r-- | net/netatalk/Makefile | 2 | ||||
-rw-r--r-- | net/netatalk/files/patch-CVE-2008-5718 | 143 |
2 files changed, 144 insertions, 1 deletions
diff --git a/net/netatalk/Makefile b/net/netatalk/Makefile
index 4f7bae079260..88aecebe882f 100644
--- a/net/netatalk/Makefile
+++ b/net/netatalk/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= netatalk
 PORTVERSION= 2.0.3
-PORTREVISION= 4
+PORTREVISION= 5
 PORTEPOCH= 1
 CATEGORIES= net print
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
diff --git a/net/netatalk/files/patch-CVE-2008-5718 b/net/netatalk/files/patch-CVE-2008-5718
new file mode 100644
index 000000000000..f5befd427e20
--- /dev/null
+++ b/net/netatalk/files/patch-CVE-2008-5718
@@ -0,0 +1,143 @@
+--- etc/papd/lp.c 2005/04/28 20:49:49 1.15
++++ etc/papd/lp.c 2008/08/14 20:02:47 1.16
+@@ -258,9 +258,9 @@
+ destlen -= len;
+ }
+
+- /* stuff up to next $ */
++ /* stuff up to next % */
+ src = p + 2;
+- p = strchr(src, '$');
++ p = strchr(src, '%');
+ len = p ? MIN((size_t)(p - src), destlen) : destlen;
+ if (len > 0) {
+ strncpy(dest, src, len);
+
+--- etc/papd/lp.c 2008/08/14 20:02:47 1.16
++++ etc/papd/lp.c 2008/08/14 20:18:50 1.17
+@@ -212,10 +212,37 @@
+
+ #define is_var(a, b) (strncmp((a), (b), 2) == 0)
+
++static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
++{
++size_t used = 0;
++
++ while (len && used < bsize ) {
++ switch (*src) {
++ case '$':
++ case '\\':
++ case '"':
++ case '`':
++ if (used + 2 > bsize )
++ return used;
++ *dest = '\\';
++ dest++;
++ used++;
++ break;
++ }
++ *dest = *src;
++ src++;
++ dest++;
++ len--;
++ used++;
++ }
++ return used;
++}
++
++
+ static char* pipexlate(char *src)
+ {
+ char *p, *q, *dest;
+- static char destbuf[MAXPATHLEN];
++ static char destbuf[MAXPATHLEN +1];
+ size_t destlen = MAXPATHLEN;
+ int len = 0;
+
+@@ -224,13 +251,15 @@
+ if (!src)
+ return NULL;
+
+- strncpy(dest, src, MAXPATHLEN);
+- if ((p = strchr(src, '%')) == NULL) /* nothing to do */
++ memset(dest, 0, MAXPATHLEN +1);
++ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
++ strncpy(dest, src, MAXPATHLEN);
+ return destbuf;
+-
+- /* first part of the path. just forward to the next variable. */
++ }
++ /* first part of the path. copy and forward to the next variable. */
+ len = MIN((size_t)(p - src), destlen);
+ if (len > 0) {
++ strncpy(dest, src, len);
+ destlen -= len;
+ dest += len;
+ }
+@@ -246,17 +275,20 @@
+ q = lp.lp_created_for;
+ } else if (is_var(p, "%%")) {
+ q = "%";
+- } else
+- q = p;
++ }
+
+ /* copy the stuff over. if we don't understand something that we
+ * should, just skip it over. */
+ if (q) {
+- len = MIN(p == q ? 2 : strlen(q), destlen);
++ len = MIN(strlen(q), destlen);
++ len = quote(dest, q, destlen, len);
++ }
++ else {
++ len = MIN(2, destlen);
+ strncpy(dest, q, len);
+- dest += len;
+- destlen -= len;
+ }
++ dest += len;
++ destlen -= len;
+
+ /* stuff up to next % */
+ src = p + 2;
+--- etc/papd/lp.c 2009/01/21 02:43:46 1.21
++++ etc/papd/lp.c 2009/01/28 18:03:15 1.22
+@@ -217,7 +217,26 @@
+ case '$':
+ case '\\':
+ case '"':
++ case ';':
++ case '&':
++ case '(':
++ case ')':
++ case ' ':
++ case '*':
++ case '#':
++ case '|':
++ case '>':
++ case '<':
++ case '[':
++ case ']':
++ case '{':
++ case '}':
++ case '^':
++ case '?':
++ case '~':
+ case '`':
++ case '\x0A':
++ case '\xFF':
+ if (used + 2 > bsize )
+ return used;
+ *dest = '\\';
+@@ -247,9 +266,9 @@
+ if (!src)
+ return NULL;
+
+- memset(dest, 0, MAXPATHLEN +1);
++ memset(dest, 0, sizeof(destbuf));
+ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+- strncpy(dest, src, MAXPATHLEN);
++ strncpy(dest, src, sizeof(dest) - 1);
+ return destbuf;
+ }
+ /* first part of the path. copy and forward to the next variable. */
|
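Review bot: In the last inner hunk (lp.c 1.22) the no-`%` path copies with `strncpy(dest, src, sizeof(dest) - 1);`, but `dest` is declared as a pointer in `char *p, *q, *dest;`, so the bound is the pointer size minus one and a pipe command without a `%` variable comes back truncated to a few bytes; bound it by the array instead, `strncpy(dest, src, sizeof(destbuf) - 1);`. In the 1.17 hunk the new `else` branch runs only when `q` is null yet still calls `strncpy(dest, q, len);`, which looks like a null-pointer read for an unrecognised `%x` sequence (assuming `q` is reset to NULL earlier in the loop, outside the hunk); the removed `q = p` fallback suggests `strncpy(dest, p, len);` was intended. pipexlate's body starts and ends outside these hunks, so both points should be checked against the full function.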