aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authornaddy <naddy@FreeBSD.org>2010-03-25 02:46:46 +0800
committernaddy <naddy@FreeBSD.org>2010-03-25 02:46:46 +0800
commita2cc16ab89f452e0c8b21f00d2cdd704e98decbc (patch)
tree793c8e3ef007678f467bc7a75f1d19504040efe3
parent991daff9a7a804c80c8cd2130225d619bb73d1a6 (diff)
downloadfreebsd-ports-gnome-a2cc16ab89f452e0c8b21f00d2cdd704e98decbc.tar.gz
freebsd-ports-gnome-a2cc16ab89f452e0c8b21f00d2cdd704e98decbc.tar.zst
freebsd-ports-gnome-a2cc16ab89f452e0c8b21f00d2cdd704e98decbc.zip
Fix a buffer overflow in the rmt client functionality.
From upstream. Security: c175d72f-3773-11df-8bb8-0211d880e350
-rw-r--r--archivers/gtar/Makefile2
-rw-r--r--archivers/gtar/files/patch-lib_rtapelib.c28
2 files changed, 29 insertions, 1 deletions
diff --git a/archivers/gtar/Makefile b/archivers/gtar/Makefile
index fedcea4be192..5aceaf271bd0 100644
--- a/archivers/gtar/Makefile
+++ b/archivers/gtar/Makefile
@@ -7,7 +7,7 @@
PORTNAME= tar
PORTVERSION= 1.22
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= archivers sysutils
MASTER_SITES= ${MASTER_SITE_GNU}
MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/archivers/gtar/files/patch-lib_rtapelib.c b/archivers/gtar/files/patch-lib_rtapelib.c
new file mode 100644
index 000000000000..e6c81e14a0aa
--- /dev/null
+++ b/archivers/gtar/files/patch-lib_rtapelib.c
@@ -0,0 +1,28 @@
+
+$FreeBSD$
+
+--- lib/rtapelib.c.orig
++++ lib/rtapelib.c
+@@ -570,7 +570,8 @@
+
+ sprintf (command_buffer, "R%lu\n", (unsigned long) length);
+ if (do_command (handle, command_buffer) == -1
+- || (status = get_status (handle)) == SAFE_READ_ERROR)
++ || (status = get_status (handle)) == SAFE_READ_ERROR
++ || status > length)
+ return SAFE_READ_ERROR;
+
+ for (counter = 0; counter < status; counter += rlen, buffer += rlen)
+@@ -706,6 +707,12 @@
+ || (status = get_status (handle), status == -1))
+ return -1;
+
++ if (status > sizeof (struct mtop))
++ {
++ errno = EOVERFLOW;
++ return -1;
++ }
++
+ for (; status > 0; status -= counter, argument += counter)
+ {
+ counter = safe_read (READ_SIDE (handle), argument, status);