authornectar <nectar@FreeBSD.org>2004-04-17 00:25:36 +0800
committernectar <nectar@FreeBSD.org>2004-04-17 00:25:36 +0800
commit53bc2877f0f6d0143560c2aec85edf037a468159 (patch)
tree4e167b0be8d88c13f5badd0e158cc2b4ff3abedc /security
parentcfa1f555105928adb0c43c93d4b52bbcf5ad3ba2 (diff)
Jack of RaptureSecurity reported a double byte buffer overflow in
ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID `nobody', but with group-ID `wheel'.
Diffstat (limited to 'security')
-rw-r--r--security/ident2/Makefile1
-rw-r--r--security/ident2/files/patch-common.c53
2 files changed, 54 insertions, 0 deletions
diff --git a/security/ident2/Makefile b/security/ident2/Makefile
index 07010ab6561f..f4d19f4562aa 100644
--- a/security/ident2/Makefile
+++ b/security/ident2/Makefile
@@ -7,6 +7,7 @@
PORTNAME= ident2
PORTVERSION= 1.04
+PORTREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://michael.bacarella.com/projects/ident2/
DISTNAME= ident2-v${PORTVERSION}_FINAL
diff --git a/security/ident2/files/patch-common.c b/security/ident2/files/patch-common.c
new file mode 100644
index 000000000000..490f513be938
--- /dev/null
+++ b/security/ident2/files/patch-common.c
@@ -0,0 +1,53 @@
+*** common.c.orig Fri Apr 16 10:02:41 2004
+--- common.c Fri Apr 16 10:17:43 2004
+***************
+*** 41,63 ****
+ /*
+ * a (skewed) fgets() that works on file descriptors
+ * the '\r' charecter is ignored
+ */
+ static int
+! _getl (int d, char *p, u_short l)
+ {
+! size_t n = 0;
+
+! while (read (d, p, 1) == 1) {
+ if (*p == '\n')
+ break;
+ if (*p == '\r')
+ p--; /* ignore \r */
+- p++;
+- if (n++ >= l)
+- break;
+ }
+! *p = 0;
+! return n;
+ }
+
+ /*
+--- 41,65 ----
+ /*
+ * a (skewed) fgets() that works on file descriptors
+ * the '\r' charecter is ignored
++ * returns the number of bytes written into the given
++ * buffer, including the terminating NUL
+ */
+ static int
+! _getl (int d, char *begin, u_short l)
+ {
+! char *p, *end;
+
+! end = &begin[l-1]; /* leave room for terminating NUL */
+! for (p = begin; p < end; ++p) {
+! if (read (d, p, 1) != 1)
+! break;
+ if (*p == '\n')
+ break;
+ if (*p == '\r')
+ p--; /* ignore \r */
+ }
+! *p++ = 0;
+! return p-begin;
+ }
+
+ /*
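Review bot: The rewritten `_getl` still writes outside the buffer when `l` is 0, because `end = &begin[l-1]` then points one byte before `begin`, the loop is skipped, and `*p++ = 0` stores the NUL at `begin[0]`. No caller is visible in this patch, so whether a zero length can reach it is unknown, but a guard such as `if (l == 0) return 0;` ahead of the `end` computation makes the function safe on its own. Separately, when the first byte read is `\r`, `p--` forms `begin - 1` before the loop's `++p` restores it; nothing is stored there, but the pointer is outside the array, and dropping the `\r` with `continue` in a `while (p < end)` loop that increments `p` only for kept bytes avoids that. The new header comment could also state that EOF or a read error returns 1, the same value as an empty line, so callers cannot tell the cases apart from the return value.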