authorpav <pav@FreeBSD.org>2007-08-23 00:17:00 +0800
committerpav <pav@FreeBSD.org>2007-08-23 00:17:00 +0800
commit5ba04e85e3176dda277c8472bb138c936883059f (patch)
tree9343570ba5efc535b4ae3d421f819abd2917e595 /net
parent39fa60b1cd2d5f4449d0b43e3ccaafd17e1340d3 (diff)
- Fix off-by-one buffer overflow in f_name() function. It is not clear if this
problem can be exploited. Submitted by: several Obtained from: http://www.suse.de/~krahmer/rsync-2.6.9-fname-obo.diff Security: CVE-2007-4091 Security: http://www.novell.com/linux/security/advisories/2007_17_sr.html
Diffstat (limited to 'net')
-rw-r--r--net/rsync/Makefile1
-rw-r--r--net/rsync/files/patch-CVE-2007-409160
2 files changed, 61 insertions, 0 deletions
diff --git a/net/rsync/Makefile b/net/rsync/Makefile
index 4f51c77b747b..72116a66c790 100644
--- a/net/rsync/Makefile
+++ b/net/rsync/Makefile
@@ -7,6 +7,7 @@
PORTNAME= rsync
PORTVERSION= 2.6.9
+PORTREVISION= 1
CATEGORIES= net ipv6
MASTER_SITES= http://rsync.samba.org/ftp/%SUBDIR%/ \
ftp://ftp.samba.org/pub/%SUBDIR%/ \
diff --git a/net/rsync/files/patch-CVE-2007-4091 b/net/rsync/files/patch-CVE-2007-4091
new file mode 100644
index 000000000000..201af96a2390
--- /dev/null
+++ b/net/rsync/files/patch-CVE-2007-4091
@@ -0,0 +1,60 @@
+--- sender.c 2006-09-20 03:53:32.000000000 +0200
++++ sender.c 2007-07-25 15:33:05.000000000 +0200
+@@ -123,6 +123,7 @@
+ char fname[MAXPATHLEN];
+ struct file_struct *file;
+ unsigned int offset;
++ size_t l = 0;
+
+ if (ndx < 0 || ndx >= the_file_list->count)
+ return;
+@@ -133,6 +134,20 @@
+ file->dir.root, "/", NULL);
+ } else
+ offset = 0;
++
++ l = offset + 1;
++ if (file) {
++ if (file->dirname)
++ l += strlen(file->dirname);
++ if (file->basename)
++ l += strlen(file->basename);
++ }
++
++ if (l >= sizeof(fname)) {
++ rprintf(FERROR, "Overlong pathname\n");
++ exit_cleanup(RERR_FILESELECT);
++ }
++
+ f_name(file, fname + offset);
+ if (remove_source_files) {
+ if (do_unlink(fname) == 0) {
+@@ -224,6 +239,7 @@
+ enum logcode log_code = log_before_transfer ? FLOG : FINFO;
+ int f_xfer = write_batch < 0 ? batch_fd : f_out;
+ int i, j;
++ size_t l = 0;
+
+ if (verbose > 2)
+ rprintf(FINFO, "send_files starting\n");
+@@ -259,6 +275,20 @@
+ fname[offset++] = '/';
+ } else
+ offset = 0;
++
++ l = offset + 1;
++ if (file) {
++ if (file->dirname)
++ l += strlen(file->dirname);
++ if (file->basename)
++ l += strlen(file->basename);
++ }
++
++ if (l >= sizeof(fname)) {
++ rprintf(FERROR, "Overlong pathname\n");
++ exit_cleanup(RERR_FILESELECT);
++ }
++
+ fname2 = f_name(file, fname + offset);
+
+ if (verbose > 2)
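Review bot: In both added blocks the `if (file)` guard comes too late to protect anything: in the first sender.c hunk `file->dir.root` is already dereferenced in the context line just above the new check, and `f_name(file, fname + offset)` is called unconditionally right after it, so the guard only obscures the invariant that `file` is non-NULL. I would drop the guard and document the length arithmetic instead, for example `/* +1 for the '/' f_name() puts between dirname and basename; the >= test below reserves the NUL */` above `l = offset + 1;` (this assumes f_name() writes dirname, separator, basename and terminator, which is not visible on this page). The same block is pasted verbatim at the second site before `fname2 = f_name(file, fname + offset);`, so a small static helper taking `file`, `offset` and the buffer size would keep the two bounds checks from drifting apart. Both enclosing functions start and end outside the embedded hunks.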