Date: Mon, 26 Jul 2004 18:06:01 -0300 From: David Bremner <bremner@unb.ca> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/69632: Patch for buffer overflow in wv-1.0.0. Message-ID: <E1BpCfZ-000D6W-7m@convex.cs.unb.ca> Resent-Message-ID: <200407262110.i6QLAGmZ008734@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 69632 >Category: ports >Synopsis: Patch for buffer overflow in wv-1.0.0. >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Jul 26 21:10:15 GMT 2004 >Closed-Date: >Last-Modified: >Originator: David Bremner >Release: FreeBSD 5.2.1-RELEASE-p3 i386 >Organization: University of New Brunswick >Environment: System: FreeBSD convex.cs.unb.ca 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #12: Fri Mar 19 11:08:54 AST 2004 bremner@convex.cs.unb.ca:/usr/obj/usr/src/sys/CONVEX2 i386 >Description: This is a fix for a known vulnerability in wv. I read in a posting dated July 5 that a new release incorporating this fix would be out in "a few days"; so it may or may not be worth committing this. For problem description http://www.FreeBSD.org/ports/portaudit/7a5430df-d562-11d8-b479-02e0185c0b53.html My only contribution is to grab the patch from AbiWord CVS >How-To-Repeat: n/a >Fix: place this patch in /usr/ports/textproc/wv/patch-field.c Index: field.c =================================================================== RCS file: /cvsroot/wv/field.c,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- field.c 29 Dec 2002 16:37:00 -0000 1.19 +++ field.c 5 Jul 2004 18:10:03 -0000 1.20 @@ -98,18 +98,21 @@ case 1: sprintf (temp, "%d", current->tm_mon+1); strcat (timestr, temp); + consumed += strlen (temp); break; case 2: strcat (timestr, "%m"); + consumed += 2; break; case 3: strcat (timestr, "%b"); + consumed += 2; break; default: strcat (timestr, "%B"); + consumed += 2; break; } - consumed += 2; break; case 's': case 'S': @@ -139,6 +142,7 @@ case 1: consumed += sprintf (temp, "%d", current->tm_wday); strcat (timestr, temp); + consumed += strlen (temp); break; case 2: strcat (timestr, "%d"); @@ -182,12 +186,13 @@ case 1: sprintf (temp, "%d", current->tm_hour % 12); strcat (timestr, temp); + consumed += strlen (temp); break; default: strcat (timestr, "%I"); + consumed += 2; break; } - consumed += 2; break; case 'H': no = lookahead (token, 'H', 'H'); @@ -197,6 +202,7 @@ case 1: consumed += sprintf (temp, "%d", current->tm_hour); strcat (timestr, temp); + consumed += strlen (temp); break; default: strcat (timestr, "%H"); @@ -212,6 +218,7 @@ case 1: consumed += sprintf (temp, "%d", current->tm_min); strcat (timestr, temp); + consumed += strlen (temp); break; default: strcat (timestr, "%M"); >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1BpCfZ-000D6W-7m>