Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 24 Oct 2004 23:40:17 +0400
From:      Roman Bogorodskiy <bogorodskiy@inbox.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/73091: [ maintainer ] fix audio/mpg123 vulnerabilities
Message-ID:  <E1CLoDw-000G9N-00.bogorodskiy-inbox-ru@mx2.mail.ru>
Resent-Message-ID: <200410241940.i9OJeVrr053704@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         73091
>Category:       ports
>Synopsis:       [ maintainer ] fix audio/mpg123 vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 24 19:40:30 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Roman Bogorodskiy
>Release:        FreeBSD 5.3-BETA7 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA7 FreeBSD 5.3-BETA7 #12: Sat Oct 16 20:09:15 MSD 2004 root@lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386


>Description:
	Fix two mpg123 vulnerabilities[1], pointed out/helped to fix: simon.

	[1] http://www.vuxml.org/freebsd/20d16518-2477-11d9-814e-0001020eed82.html
>How-To-Repeat:
>Fix:

diff -ru mpg123.orig/files/patch-httpget.c mpg123/files/patch-httpget.c
--- mpg123.orig/files/patch-httpget.c	Sun Oct 24 19:25:52 2004
+++ mpg123/files/patch-httpget.c	Sun Oct 24 23:24:40 2004
@@ -1,6 +1,6 @@
---- httpget.c.orig	2003-11-13 18:34:37.000000000 +0000
-+++ httpget.c	2003-11-13 18:35:10.000000000 +0000
-@@ -55,11 +55,10 @@ void readstring (char *string, int maxle
+--- httpget.c.orig	Sun Oct 24 19:33:47 2004
++++ httpget.c	Sun Oct 24 19:34:18 2004
+@@ -55,11 +55,10 @@
  #endif
  	int pos = 0;
  
@@ -13,7 +13,7 @@
  				break;
  			}
  		}
-@@ -68,6 +67,7 @@ void readstring (char *string, int maxle
+@@ -68,6 +67,7 @@
  			exit(1);
  		}
  	}
@@ -21,3 +21,32 @@
  #if 0
  	do {
  		result = fgets(string, maxlen, f);
+@@ -126,7 +126,13 @@
+       if( url[i] == '/' )
+          return 0;
+     }
+-    strncpy(auth,url,pos-url);
++
++    /* cut up the string to prevent scary BOF */
++    if (pos-url > 255)
++	strncpy(auth,url,255);
++    else
++	strncpy(auth,url,pos-url);
++
+     auth[pos-url] = 0;
+     strcpy(url,pos+1);
+     return 1;
+@@ -292,11 +298,11 @@
+ 			}
+ 			strcat (request, sptr);
+ 		}
+-		sprintf (request + strlen(request),
++		snprintf (request + strlen(request), linelength - strlen(request),
+ 			" HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
+ 			prgName, prgVersion);
+ 		if (host) {
+-			sprintf(request + strlen(request),
++			snprintf(request + strlen(request), linelength - strlen(request),
+ 				"Host: %s:%s\r\n", host, myport);
+ #if 0
+ 			free (host);
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1CLoDw-000G9N-00.bogorodskiy-inbox-ru>