From 32c883fdceb86d7143f8ab9a2ae0f96982897ebb Mon Sep 17 00:00:00 2001 From: bdrewery Date: Sat, 16 May 2015 16:28:39 +0000 Subject: Avoid a potential read overflow. This was not deemed a security issue by upstream; it was fixed upstream comprehensively a few weeks ago in 77199d6ec8986d470487e66f8ea8f4cf43d2e20c. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR: 200241 Patch by: Hanno Böck Obtained from: http://www.openwall.com/lists/oss-security/2015/05/16/3 --- security/openssh-portable/Makefile | 2 +- security/openssh-portable/files/patch-compat.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 security/openssh-portable/files/patch-compat.c (limited to 'security/openssh-portable') diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index d9bd0aa755eb..1727fdcf863b 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 6.8p1 -PORTREVISION= 6 +PORTREVISION= 7 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable diff --git a/security/openssh-portable/files/patch-compat.c b/security/openssh-portable/files/patch-compat.c new file mode 100644 index 000000000000..a0a873efb89c --- /dev/null +++ b/security/openssh-portable/files/patch-compat.c @@ -0,0 +1,17 @@ +Avoid a heap overflow. Upstream did not deem this a security issue. It appears +to be mostly harmless too. + +http://www.openwall.com/lists/oss-security/2015/05/16/3 +https://anongit.mindrot.org/openssh.git/commit/?id=77199d6ec8986d470487e66f8ea8f4cf43d2e20c + +--- compat.c 2015-03-17 06:49:20.000000000 +0100 ++++ compat.c 2015-05-03 17:51:32.251293388 +0200 +@@ -229,7 +229,7 @@ + buffer_init(&b); + tmp = orig_prop = xstrdup(proposal); + while ((cp = strsep(&tmp, ",")) != NULL) { +- if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) { ++ if (match_pattern_list(cp, filter, strlen(filter), 0) != 1) { + if (buffer_len(&b) > 0) + buffer_append(&b, ",", 1); + buffer_append(&b, cp, strlen(cp)); -- cgit