authornectar <nectar@FreeBSD.org>2002-05-03 23:21:36 +0800
committernectar <nectar@FreeBSD.org>2002-05-03 23:21:36 +0800
commit237586988211106329ce4701d560b464ec00530e (patch)
tree55aa1dfd4a30dfc1e2a7bc00677cf8903138ecc7
parent266c61eb70ac9d7565f65664ffe65094fe6d9a9f (diff)
Patch a heap overflow. See
<URL:http://online.securityfocus.com/archive/1/269356> and <URL:http://www.freeweb.hu/mantra/04_2002/KRB4.htm>. Obtained from: Heimdal repository
-rw-r--r--security/heimdal/Makefile2
-rw-r--r--security/heimdal/files/patch-appl::ftp::ftp::ftp.c65
2 files changed, 66 insertions, 1 deletions
diff --git a/security/heimdal/Makefile b/security/heimdal/Makefile
index 4d3bc60076bb..b6bc88aadcf4 100644
--- a/security/heimdal/Makefile
+++ b/security/heimdal/Makefile
@@ -7,7 +7,7 @@
PORTNAME= heimdal
PORTVERSION= 0.4e
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security ipv6
MASTER_SITES= ftp://ftp.pdc.kth.se/pub/heimdal/src/ \
ftp://ftp.replay.com/pub/replay/crypto/APPS/kerberos/heimdal/ \
diff --git a/security/heimdal/files/patch-appl::ftp::ftp::ftp.c b/security/heimdal/files/patch-appl::ftp::ftp::ftp.c
new file mode 100644
index 000000000000..0cee1bd61e8f
--- /dev/null
+++ b/security/heimdal/files/patch-appl::ftp::ftp::ftp.c
@@ -0,0 +1,65 @@
+Index: appl/ftp/ftp/ftp.c
+===================================================================
+RCS file: /home/kth-krb/appl/ftp/ftp/ftp.c,v
+retrieving revision 1.70
+retrieving revision 1.71
+diff -u -r1.70 -r1.71
+--- appl/ftp/ftp/ftp.c 2001/09/07 20:28:10 1.70
++++ appl/ftp/ftp/ftp.c 2002/04/24 21:55:07 1.71
+ struct sockaddr *hisctladdr = (struct sockaddr *)&hisctladdr_ss;
+@@ -312,7 +312,8 @@
+ char *lead_string;
+ int c;
+ struct sigaction sa, osa;
+- char buf[1024];
++ char buf[8192];
++ int long_warn = 0;
+
+ sigemptyset (&sa.sa_mask);
+ sa.sa_flags = 0;
+@@ -368,7 +369,7 @@
+ if (verbose > 0 || (verbose > -1 && code > 499))
+ fprintf (stdout, "%s%s\n", lead_string, buf);
+ if (buf[3] == ' ') {
+- strcpy (reply_string, buf);
++ strlcpy (reply_string, buf, sizeof(reply_string));
+ if (code >= 200)
+ cpend = 0;
+ sigaction (SIGINT, &osa, NULL);
+@@ -381,17 +382,12 @@
+ osa.sa_handler (SIGINT);
+ #endif
+ if (code == 227 || code == 229) {
+- char *p, *q;
++ char *p;
+
+- pasv[0] = 0;
+ p = strchr (reply_string, '(');
+ if (p) {
+ p++;
+- q = strchr(p, ')');
+- if(q){
+- memcpy (pasv, p, q - p);
+- pasv[q - p] = 0;
+- }
++ strlcpy(pasv, p, sizeof(pasv));
+ }
+ }
+ return code / 100;
+@@ -404,9 +400,15 @@
+ }
+ }
+ p = buf;
++ long_warn = 0;
+ continue;
+ default:
+- *p++ = c;
++ if(p < buf + sizeof(buf) - 1)
++ *p++ = c;
++ else if(long_warn == 0) {
++ fprintf(stderr, "WARNING: incredibly long line received\n");
++ long_warn = 1;
++ }
+ }
+ }
+
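Review bot: In the 227/229 branch the rewrite drops `pasv[0] = 0;`, so a reply with no '(' leaves whatever an earlier reply stored in pasv. The unconditional `strlcpy(pasv, p, sizeof(pasv));` also copies the ')' and any trailing text, and it truncates silently. I would keep the reset ahead of the `strchr` and reject an over-long value with `if (strlcpy(pasv, p, sizeof(pasv)) >= sizeof(pasv)) pasv[0] = 0;`, so the code that later parses pasv (not visible here) never sees a stale or cut-off address. Both `sizeof(reply_string)` and `sizeof(pasv)` bound the copy only if those names are arrays in scope in this file; their declarations are outside the hunk and worth confirming. The enclosing function starts and ends outside the quoted hunks.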