diff options
| -rw-r--r-- | security/vuxml/vuln.xml | 69 | ||||
| -rw-r--r-- | x11-toolkits/plib/Makefile | 2 | ||||
| -rw-r--r-- | x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx | 60 | ||||
| -rw-r--r-- | x11-toolkits/plib/files/patch-src-util-ulError.cxx | 18 |
4 files changed, 148 insertions, 1 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 655f8a49622c..741968ab9a27 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,75 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="c72a2494-c08b-11e2-bb21-083e8ed0f47b"> + <topic>plib -- stack-based buffer overflow</topic> + <affects> + <package> + <name>plib</name> + <range><lt>1.8.5_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>CVE reports:</p> + <blockquote cite="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4552"> + <p>Stack-based buffer overflow in the error function in + ssg/ssgParser.cxx in PLIB 1.8.5 allows remote attackers to + execute arbitrary code via a crafted 3d model file that + triggers a long error message, as demonstrated by a .ase + file.</p> + </blockquote> + </body> + </description> + <references> + <bid>55839</bid> + <cvename>CVE-2012-4552</cvename> + <mlist>http://www.openwall.com/lists/oss-security/2012/10/29/8</mlist> + </references> + <dates> + <discovery>2012-10-09</discovery> + <entry>2013-05-19</entry> + </dates> + </vuln> + + <vuln vid="13bf0602-c08a-11e2-bb21-083e8ed0f47b"> + <topic>plib -- buffer overflow</topic> + <affects> + <package> + <name>plib</name> + <range><lt>1.8.5_4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Secunia reports:</p> + <blockquote cite="https://secunia.com/advisories/47297"> + <p>A vulnerability has been discovered in PLIB, which can be + exploited by malicious people to compromise an application + using the library. The vulnerability is caused due to a + boundary error within the "ulSetError()" function + (src/util/ulError.cxx) when creating the error message, + which can be exploited to overflow a static buffer.</p> + <p>Successful exploitation allows the execution of arbitrary + code but requires that the attacker can e.g. control the + content of an overly long error message passed to the + "ulSetError()" function.</p> + <p>The vulnerability is confirmed in version 1.8.5. Other + versions may also be affected.</p> + <p>Originally reported in TORCS by Andres Gomez.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2011-4620</cvename> + <mlist>http://openwall.com/lists/oss-security/2011/12/21/2</mlist> + </references> + <dates> + <discovery>2011-12-21</discovery> + <entry>2013-05-19</entry> + </dates> + </vuln> + <vuln vid="a8818f7f-9182-11e2-9bdf-d48564727302"> <topic>optipng -- use-after-free vulnerability</topic> <affects> diff --git a/x11-toolkits/plib/Makefile b/x11-toolkits/plib/Makefile index 9c710f71ea73..142ab6c4e16f 100644 --- a/x11-toolkits/plib/Makefile +++ b/x11-toolkits/plib/Makefile @@ -7,7 +7,7 @@ PORTNAME= plib PORTVERSION= 1.8.5 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= x11-toolkits MASTER_SITES= http://plib.sourceforge.net/dist/ diff --git a/x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx b/x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx new file mode 100644 index 000000000000..1894b32fe9af --- /dev/null +++ b/x11-toolkits/plib/files/patch-src-ssg-ssgParser.cxx @@ -0,0 +1,60 @@ +Index: src/ssg/ssgParser.cxx +=================================================================== +--- src/ssg/ssgParser.cxx.orig ++++ src/ssg/ssgParser.cxx +@@ -57,18 +57,18 @@ void _ssgParser::error( const char *form + char msgbuff[ 255 ]; + va_list argp; + +- char* msgptr = msgbuff; +- if (linenum) +- { +- msgptr += sprintf ( msgptr,"%s, line %d: ", +- path, linenum ); +- } +- + va_start( argp, format ); +- vsprintf( msgptr, format, argp ); ++ vsnprintf( msgbuff, sizeof(msgbuff)-1, format, argp ); + va_end( argp ); ++ ++ msgbuff[sizeof(msgbuff)-1] = '\0'; + +- ulSetError ( UL_WARNING, "%s", msgbuff ) ; ++ if (linenum) ++ { ++ ulSetError ( UL_WARNING, "%s, line %d: %s", path, linenum, msgbuff ) ; ++ } else { ++ ulSetError ( UL_WARNING, "%s", msgbuff ) ; ++ } + } + + +@@ -78,18 +78,18 @@ void _ssgParser::message( const char *fo + char msgbuff[ 255 ]; + va_list argp; + +- char* msgptr = msgbuff; +- if (linenum) +- { +- msgptr += sprintf ( msgptr,"%s, line %d: ", +- path, linenum ); +- } +- + va_start( argp, format ); +- vsprintf( msgptr, format, argp ); ++ vsnprintf( msgbuff, sizeof(msgbuff)-1, format, argp ); + va_end( argp ); ++ ++ msgbuff[sizeof(msgbuff)-1] = '\0'; + +- ulSetError ( UL_DEBUG, "%s", msgbuff ) ; ++ if (linenum) ++ { ++ ulSetError ( UL_DEBUG, "%s, line %d: %s", path, linenum, msgbuff ) ; ++ } else { ++ ulSetError ( UL_DEBUG, "%s", msgbuff ) ; ++ } + } + + // Opens the file and does a few internal calculations based on the spec. diff --git a/x11-toolkits/plib/files/patch-src-util-ulError.cxx b/x11-toolkits/plib/files/patch-src-util-ulError.cxx new file mode 100644 index 000000000000..d04ec3170be0 --- /dev/null +++ b/x11-toolkits/plib/files/patch-src-util-ulError.cxx @@ -0,0 +1,18 @@ +Index: src/util/ulError.cxx +=================================================================== +--- src/util/ulError.cxx.orig ++++ src/util/ulError.cxx +@@ -39,9 +39,11 @@ void ulSetError ( enum ulSeverity severi + { + va_list argp; + va_start ( argp, fmt ) ; +- vsprintf ( _ulErrorBuffer, fmt, argp ) ; ++ vsnprintf ( _ulErrorBuffer, sizeof(_ulErrorBuffer)-1, fmt, argp ) ; + va_end ( argp ) ; +- ++ ++ _ulErrorBuffer[sizeof(_ulErrorBuffer)-1] = '\0'; ++ + if ( _ulErrorCB ) + { + (*_ulErrorCB)( severity, _ulErrorBuffer ) ; |