author | nectar <nectar@FreeBSD.org> | 2002-05-03 23:21:36 +0800 |
---|---|---|
committer | nectar <nectar@FreeBSD.org> | 2002-05-03 23:21:36 +0800 |
commit | 237586988211106329ce4701d560b464ec00530e (patch) | |
tree | 55aa1dfd4a30dfc1e2a7bc00677cf8903138ecc7 | |
parent | 266c61eb70ac9d7565f65664ffe65094fe6d9a9f (diff) | |
Patch a heap overflow. See
<URL:http://online.securityfocus.com/archive/1/269356> and
<URL:http://www.freeweb.hu/mantra/04_2002/KRB4.htm>.
Obtained from: Heimdal repository
-rw-r--r-- | security/heimdal/Makefile | 2 | ||||
-rw-r--r-- | security/heimdal/files/patch-appl::ftp::ftp::ftp.c | 65 |
2 files changed, 66 insertions, 1 deletions
diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 4d3bc60076bb..b6bc88aadcf4 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= heimdal
 PORTVERSION= 0.4e
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= security ipv6
 MASTER_SITES= ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
 ftp://ftp.replay.com/pub/replay/crypto/APPS/kerberos/heimdal/ \
diff --git a/security/heimdal/files/patch-appl::ftp::ftp::ftp.c b/security/heimdal/files/patch-appl::ftp::ftp::ftp.c
new file mode 100644
index 000000000000..0cee1bd61e8f
--- /dev/null
+++ b/security/heimdal/files/patch-appl::ftp::ftp::ftp.c
@@ -0,0 +1,65 @@
+Index: appl/ftp/ftp/ftp.c
+===================================================================
+RCS file: /home/kth-krb/appl/ftp/ftp/ftp.c,v
+retrieving revision 1.70
+retrieving revision 1.71
+diff -u -r1.70 -r1.71
+--- appl/ftp/ftp/ftp.c 2001/09/07 20:28:10 1.70
++++ appl/ftp/ftp/ftp.c 2002/04/24 21:55:07 1.71
+ struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
+@@ -312,7 +312,8 @@
+ char *lead_string;
+ int c;
+ struct sigaction sa, osa;
+- char buf[1024];
++ char buf[8192];
++ int long_warn = 0;
+ 
+ sigemptyset (&sa.sa_mask);
+ sa.sa_flags = 0;
+@@ -368,7 +369,7 @@
+ if (verbose > 0 || (verbose > -1 && code > 499))
+ fprintf (stdout, "%s%s\n", lead_string, buf);
+ if (buf[3] == ' ') {
+- strcpy (reply_string, buf);
++ strlcpy (reply_string, buf, sizeof(reply_string));
+ if (code >= 200)
+ cpend = 0;
+ sigaction (SIGINT, &osa, NULL);
+@@ -381,17 +382,12 @@
+ osa.sa_handler (SIGINT);
+ #endif
+ if (code == 227 || code == 229) {
+- char *p, *q;
++ char *p;
+ 
+- pasv[0] = 0;
+ p = strchr (reply_string, '(');
+ if (p) {
+ p++;
+- q = strchr(p, ')');
+- if(q){
+- memcpy (pasv, p, q - p);
+- pasv[q - p] = 0;
+- }
++ strlcpy(pasv, p, sizeof(pasv));
+ }
+ }
+ return code / 100;
+@@ -404,9 +400,15 @@
+ }
+ }
+ p = buf;
++ long_warn = 0;
+ continue;
+ default:
+- *p++ = c;
++ if(p < buf + sizeof(buf) - 1)
++ *p++ = c;
++ else if(long_warn == 0) {
++ fprintf(stderr, "WARNING: incredibly long line received\n");
++ long_warn = 1;
++ }
+ }
+ }
+ |
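Review bot: In the embedded hunk at `@@ -381,17 +382,12 @@` the removed reset `pasv[0] = 0;` has no replacement, so a 227/229 reply that contains no `(` leaves `pasv` holding the text of an earlier reply, and whatever parses `pasv` later (outside these hunks) would presumably act on a stale address. Keeping `pasv[0] = 0;` ahead of the `strchr (reply_string, '(')` call preserves the old clearing behaviour alongside the bounded copy. The new `strlcpy(pasv, p, sizeof(pasv));` also no longer stops at `)`, so the buffer now carries the closing parenthesis and any trailing reply text, which the consumer must tolerate. Both `strlcpy` calls ignore their return value, so truncation of `reply_string` or `pasv` is silent, and `sizeof(reply_string)` / `sizeof(pasv)` are correct bounds only if both names are arrays in this scope, which the hunks do not show. The enclosing function begins and ends outside the visible hunks.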