From a60ed02c90311535e33ae60a4d20011c4815bf20 Mon Sep 17 00:00:00 2001 From: niels Date: Tue, 1 Feb 2005 09:32:47 +0000 Subject: Fixed insecure sscanf usage (no length checking) in the processing of NNTP server responses. Approved by: nectar (mentor), maintainer (timeout) VuXML: http://vuxml.freebsd.org/76e0b133-6bfd-11d9-a5df-00065be4b5b6.html --- news/newsfetch/Makefile | 2 +- news/newsfetch/files/patch-nntp.c | 52 +++++++++++++++++++++++++++++++-------- 2 files changed, 43 insertions(+), 11 deletions(-) (limited to 'news') diff --git a/news/newsfetch/Makefile b/news/newsfetch/Makefile index e5dd3ffe67e6..93e934f57d76 100644 --- a/news/newsfetch/Makefile +++ b/news/newsfetch/Makefile @@ -7,7 +7,7 @@ PORTNAME= newsfetch PORTVERSION= 1.21 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= news MASTER_SITES= ${MASTER_SITE_SUNSITE} MASTER_SITE_SUBDIR= system/news/readers diff --git a/news/newsfetch/files/patch-nntp.c b/news/newsfetch/files/patch-nntp.c index 19d5a9a04534..55053131253a 100644 --- a/news/newsfetch/files/patch-nntp.c +++ b/news/newsfetch/files/patch-nntp.c @@ -1,6 +1,14 @@ ---- nntp.c.orig Sat Aug 3 19:24:46 2002 -+++ nntp.c Sat Aug 3 19:26:29 2002 -@@ -33,7 +33,7 @@ +--- nntp.c.orig Thu Jul 23 12:03:11 1998 ++++ nntp.c Thu Jan 27 17:19:01 2005 +@@ -20,6 +20,7 @@ + + char *header; + #define MAXBUFSIZE 500 ++#define GROUP_FMT "%99s" + char command_buf[MAXBUFSIZE+1]; + + readNNTPdata() +@@ -33,7 +34,7 @@ { /* dummy read to flush input */ readNNTPdata(); @@ -9,7 +17,17 @@ readNNTPdata(); return(get_error(command_buf)); } -@@ -151,7 +151,7 @@ +@@ -140,7 +141,8 @@ + else + fprintf(rctmpfp,"%s",command_buf); + } +- items_read=sscanf(command_buf,"%s %d %d", group, &first_article, &max_article); ++ items_read=sscanf(command_buf,GROUP_FMT "%d %d", group, &first_article, &max_article); ++ group[sizeof(group)-1] = '\0'; + if(items_read < 2) + return(0); + return(items_read); +@@ -151,7 +153,7 @@ int first_art, last_art, total_art, tmp ; fprintf(stderr,"%s: ",group); @@ -18,7 +36,7 @@ readNNTPdata(); #ifdef DEBUG -@@ -180,7 +180,7 @@ +@@ -180,7 +182,7 @@ first_article = last_art - max_article + 1; } @@ -27,7 +45,7 @@ readNNTPdata(); while(!get_error1(command_buf)) -@@ -196,7 +196,7 @@ +@@ -196,7 +198,7 @@ return(0); } @@ -36,7 +54,7 @@ readNNTPdata(); } fprintf(stderr,"articles %d to %d\n",first_article,last_art); -@@ -256,7 +256,7 @@ +@@ -256,7 +258,7 @@ fprintf(stderr," %c",0xd); } @@ -45,7 +63,7 @@ readNNTPdata(); if(!get_error(command_buf)) return(0); -@@ -275,7 +275,7 @@ +@@ -275,7 +277,7 @@ } /* Make it little fast */ @@ -54,7 +72,7 @@ article_fetching=1; -@@ -329,7 +329,7 @@ +@@ -329,17 +331,19 @@ char groupname[100]; fprintf(stderr, "\nList of NewsGroups:\n"); @@ -63,7 +81,21 @@ readNNTPdata(); if(!get_error2(command_buf)) exit(1); -@@ -348,7 +348,7 @@ + readNNTPdata(); +- sscanf(command_buf,"%s",groupname); ++ sscanf(command_buf,GROUP_FMT,groupname); ++ groupname[sizeof(groupname)-1] = '\0'; + while(command_buf[0] != '.' || command_buf[1] != 13 )/*|| command_buf[1] != 10)*/ + { + fprintf(stderr,"%s\n",groupname); + readNNTPdata(); +- sscanf(command_buf,"%s",groupname); ++ sscanf(command_buf,GROUP_FMT,groupname); ++ groupname[sizeof(groupname)-1] = '\0'; + } + exit(1); + +@@ -348,7 +352,7 @@ sendQuit() { -- cgit