From db004e2d5d87a32bdbe1e7972f9855b68e6fa8cc Mon Sep 17 00:00:00 2001 From: marcus Date: Thu, 12 Aug 2004 20:38:43 +0000 Subject: Fix the remotely exploitable buffer overflows in the MSN protocol. Submitted by: nectar Obtained from: Sebastian Krahmer --- net/gaim/Makefile | 3 +-- net/gaim/files/patch-msn | 45 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 net/gaim/files/patch-msn (limited to 'net') diff --git a/net/gaim/Makefile b/net/gaim/Makefile index 8d19f30f0bb7..1dd76e2958eb 100644 --- a/net/gaim/Makefile +++ b/net/gaim/Makefile @@ -6,12 +6,11 @@ PORTNAME= gaim PORTVERSION= 0.81 +PORTREVISION= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} -FORBIDDEN= MSN component contains remotely exploitable buffer overflows http://vuxml.freebsd.org/5b8f9a02-ec93-11d8-b913-000c41e2cdad.html - MAINTAINER?= marcus@FreeBSD.org COMMENT= Multi-protocol instant messaging client diff --git a/net/gaim/files/patch-msn b/net/gaim/files/patch-msn new file mode 100644 index 000000000000..58f47d5324f1 --- /dev/null +++ b/net/gaim/files/patch-msn 
@@ -0,0 +1,45 @@
+--- src/protocols/msn/slp.c.orig 2004-08-09 11:21:34.000000000 +0200
++++ src/protocols/msn/slp.c 2004-08-09 11:21:42.000000000 +0200
+@@ -640,13 +640,17 @@
+ /* It's not valid. Kill this off. */
+ char temp[32];
+ const char *c;
++ size_t offset;
+
++ memset(temp, 0, sizeof(temp));
+ /* Eww */
+ if ((c = strchr(status, '\r')) || (c = strchr(status, '\n')) ||
+ (c = strchr(status, '\0')))
+ {
+- strncpy(temp, status, c - status);
+- temp[c - status] = '\0';
++ offset = c - status;
++ if (offset >= sizeof(temp))
++ offset = sizeof(temp) - 1;
++ strncpy(temp, status, offset);
+ }
+
+ gaim_debug_error("msn", "Received non-OK result: %s\n", temp);
+--- src/protocols/msn/object.c.orig 2004-06-06 05:42:54.000000000 +0200
++++ src/protocols/msn/object.c 2004-08-09 11:30:43.000000000 +0200
+@@ -35,11 +35,17 @@
+ if ((tag = strstr(str, id "=\"")) != NULL) \
+ { \
+ char buf[16]; \
++ size_t offset; \
+ tag += strlen(id "=\""); \
+ c = strchr(tag, '"'); \
+- strncpy(buf, tag, c - tag); \
+- buf[c - tag] = '\0'; \
+- obj->field = atoi(buf); \
++ if (c != NULL) { \
++ memset(buf, 0, sizeof(buf)); \
++ offset = c - tag; \
++ if (offset >= sizeof(buf)) \
++ offset = sizeof(buf) - 1; \
++ strncpy(buf, tag, offset); \
++ obj->field = atoi(buf); \
++ } \
+ }
+
+ static GList *local_objs;
-- cgit
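Review bot: The integer-field macro in object.c still hands the copied digits to `atoi`, which cannot report a parse failure and has undefined behavior when the value does not fit in an `int`; with `buf[16]` the remote side can still supply up to 15 digits. Parsing with `strtol` and assigning only on success would close that, e.g. `errno = 0; v = strtol(buf, &end, 10);` followed by `if (end != buf && *end == '\0' && errno != ERANGE && v >= 0 && v <= INT_MAX) obj->field = (int)v;` (this assumes the field is a non-negative `int`, which the hunk does not show). An over-long value is also silently truncated to 15 characters instead of being rejected, so the stored number can differ from what was sent; skipping the assignment when `offset >= sizeof(buf)` would be stricter than clamping. The macro's `#define` line and its callers are outside the hunk, so whether a field left unset by the new `c != NULL` guard is detected later cannot be checked here.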