diff options
author | miwi <miwi@FreeBSD.org> | 2009-01-11 21:22:40 +0800 |
---|---|---|
committer | miwi <miwi@FreeBSD.org> | 2009-01-11 21:22:40 +0800 |
commit | eeaa5104b042e0928cf8f9b8d275749336728ddf (patch) | |
tree | d7391e1d9bb46377ed448188d3faa6541de6692f /audio | |
parent | 0bfff0cb4a99e38b5b2805de367dadc503651595 (diff) | |
download | freebsd-ports-gnome-eeaa5104b042e0928cf8f9b8d275749336728ddf.tar.gz freebsd-ports-gnome-eeaa5104b042e0928cf8f9b8d275749336728ddf.tar.zst freebsd-ports-gnome-eeaa5104b042e0928cf8f9b8d275749336728ddf.zip |
- Fix:
Heap-based buffer overflow in the cddb_read_disc_data function in
cddb.c in libcdaudio 0.99.12p2 allows remote attackers to execute
arbitrary code via long CDDB data.
Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause
a denial of service (crash) and possibly execute arbitrary code by
causing the cddb lookup to return more matches than expected.
PR: 129050
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Approved by: novel@ (maintainer)
Security: http://www.vuxml.org/freebsd/bd730827-dfe0-11dd-a765-0030843d3802.html
Diffstat (limited to 'audio')
-rw-r--r-- | audio/libcdaudio/Makefile | 4 | ||||
-rw-r--r-- | audio/libcdaudio/files/patch-CVE-2008-5030.2005-0706 | 45 |
2 files changed, 47 insertions, 2 deletions
diff --git a/audio/libcdaudio/Makefile b/audio/libcdaudio/Makefile index 0bd3791ddaa6..879742516dde 100644 --- a/audio/libcdaudio/Makefile +++ b/audio/libcdaudio/Makefile @@ -7,7 +7,7 @@ PORTNAME= libcdaudio PORTVERSION= 0.99.12p2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= audio MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -17,7 +17,7 @@ COMMENT= A library for playing audio CDs USE_AUTOTOOLS= libtool:15 USE_GNOME= gnomehack gnometarget pkgconfig -GNU_CONFIGURE= yes +GNU_CONFIGURE= yes USE_LDCONFIG= yes .include <bsd.port.mk> diff --git a/audio/libcdaudio/files/patch-CVE-2008-5030.2005-0706 b/audio/libcdaudio/files/patch-CVE-2008-5030.2005-0706 new file mode 100644 index 000000000000..415b57ceb133 --- /dev/null +++ b/audio/libcdaudio/files/patch-CVE-2008-5030.2005-0706 @@ -0,0 +1,45 @@ +--- src/cddb.c.orig 2004-09-09 05:26:39.000000000 +0400 ++++ src/cddb.c 2008-11-21 17:33:50.000000000 +0300 +@@ -1052,7 +1052,8 @@ + } + + query->query_matches = 0; +- while(!cddb_read_line(sock, inbuffer, 256)) { ++ while(query->query_matches < MAX_INEXACT_MATCHES && ++ !cddb_read_line(sock, inbuffer, 256)) { + slashed = 0; + if(strchr(inbuffer, '/') != NULL && parse_disc_artist) { + index = 0; +@@ -1601,7 +1602,7 @@ + return -1; + } + +- if((inbuffer = malloc(256)) == NULL) { ++ if((inbuffer = malloc(512)) == NULL) { + free(root_dir); + free(file); + return -1; +--- src/coverart.c.orig 2008-11-21 17:36:39.000000000 +0300 ++++ src/coverart.c 2008-11-21 17:39:41.000000000 +0300 +@@ -131,7 +131,9 @@ + } + } else if(strncmp(line, "Album", 5) == 0) { + long n = strtol((char *)line + 5, NULL, 10); +- if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { ++ if(n >= MAX_INEXACT_MATCHES) { ++ // Too much data, can't store it ++ } else if(parse_disc_artist && strchr(procbuffer, '/') != NULL) { + strtok(procbuffer, "/"); + strncpy(query->query_list[n].list_artist, procbuffer, + (strlen(procbuffer) < 64) ? (strlen(procbuffer) - 1) : 64); +@@ -143,7 +145,9 @@ + } + } else if(strncmp(line, "Url", 3) == 0) { + long n = strtol((char *)line + 3, NULL, 10); +- cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ if (n < MAX_INEXACT_MATCHES) { ++ cddb_process_url(&query->query_list[n].list_host, procbuffer); ++ } + } + + return; |