Pullup ticket 950 - requested by Lubomir Sedlacik

security fix for ethereal

Revisions pulled up:
- pkgsrc/net/ethereal/Makefile		1.121
- pkgsrc/net/ethereal/distinfo		1.46
- pkgsrc/net/ethereal/patches/patch-ac	1.5

   Modified Files:
           pkgsrc/net/ethereal: Makefile distinfo
   Added Files:
           pkgsrc/net/ethereal/patches: patch-ac

   Log Message:
   Security fix for CVE-2005-3651:

   "Remote exploitation of an input validation vulnerability in the OSPF
   protocol dissectors within Ethereal, as included in various vendors
   operating system distributions, could allow attackers to crash the
   vulnerable process or potentially execute arbitrary code."

   http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities

   Patch from the Ethereal SVN repository.

3 files changed, 68 insertions, 3 deletions

diff --git a/net/ethereal/Makefile b/net/ethereal/Makefile
index b4af3ebdff5..dcaab6c3fa7 100644
--- a/net/ethereal/Makefile
+++ b/net/ethereal/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.115.2.2 2005/11/03 13:27:30 salo Exp $
+# $NetBSD: Makefile,v 1.115.2.3 2005/12/10 23:40:57 snj Exp $
 
 DISTNAME=		ethereal-0.10.13
-PKGREVISION=		1
+PKGREVISION=		2
 CATEGORIES=		net
 MASTER_SITES=		http://www.ethereal.com/distribution/ \
 			http://ethereal.planetmirror.com/distribution/ \
diff --git a/net/ethereal/distinfo b/net/ethereal/distinfo
index 33f06d4d1c9..57885c096f0 100644
--- a/net/ethereal/distinfo
+++ b/net/ethereal/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.42.2.2 2005/11/03 13:27:30 salo Exp $
+$NetBSD: distinfo,v 1.42.2.3 2005/12/10 23:40:58 snj Exp $
 
 SHA1 (ethereal-0.10.13.tar.bz2) = 4ed2014a1ede6bdb05fbe99b0469a030c7794a13
 RMD160 (ethereal-0.10.13.tar.bz2) = 54f6431ac2d807e0d7dd896af71463d340c66107
 Size (ethereal-0.10.13.tar.bz2) = 8029087 bytes
 SHA1 (patch-aa) = 0513b971c0af032fc64fc181fbd64d78aef0d044
 SHA1 (patch-ab) = bfbefb0ae66607068e21d0912a15a72606ab8ea8
+SHA1 (patch-ac) = 101cbc6315b2ad9732b70d697295ad8e4a389dcd
diff --git a/net/ethereal/patches/patch-ac b/net/ethereal/patches/patch-ac
new file mode 100644
index 00000000000..6f57b5a61e4
--- /dev/null
+++ b/net/ethereal/patches/patch-ac
@@ -0,0 +1,64 @@
+$NetBSD: patch-ac,v 1.3.2.2 2005/12/10 23:40:58 snj Exp $
+
+Security fix for CVE-2005-3651, from Ethereal SVN tree.
+
+--- epan/dissectors/packet-ospf.c.orig	2005-10-10 15:23:02.000000000 +0200
++++ epan/dissectors/packet-ospf.c	2005-12-10 21:40:23.000000000 +0100
+@@ -2321,39 +2321,28 @@
+ static void dissect_ospf_v3_address_prefix(tvbuff_t *tvb, int offset, int prefix_length, proto_tree *tree)
+ {
+ 
+-    guint8 value;
+-    guint8 position;
+-    guint8 bufpos;
+-    gchar  *buffer;
+-    gchar  *bytebuf;
+-    guint8 bytes_to_process;
+-    int start_offset;
+-
+-    start_offset=offset;
+-    position=0;
+-    bufpos=0;
+-    bytes_to_process=((prefix_length+31)/32)*4;
+-
+-    buffer=ep_alloc(32+7);
+-    while (bytes_to_process > 0 ) {
+-
+-        value=tvb_get_guint8(tvb, offset);
++    int bytes_to_process;
++    struct e_in6_addr prefix;
+ 
+-        if ( (position > 0) && ( (position%2) == 0 ) )
+-	    buffer[bufpos++]=':';
++    bytes_to_process=((prefix_length+31)/32)*4;
+ 
+-	bytebuf=ep_alloc(3);
+-        g_snprintf(bytebuf, 3, "%02x",value);
+-        buffer[bufpos++]=bytebuf[0];
+-        buffer[bufpos++]=bytebuf[1];
+-
+-	position++;
+-	offset++;
+-        bytes_to_process--;
++    if (prefix_length > 128) {
++        proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++            "Address Prefix: length is invalid (%d, should be <= 128)",
++            prefix_length);
++        return;
+     }
+ 
+-    buffer[bufpos]=0;
+-    proto_tree_add_text(tree, tvb, start_offset, ((prefix_length+31)/32)*4, "Address Prefix: %s",buffer);
++    memset(prefix.bytes, 0, sizeof prefix.bytes);
++    if (bytes_to_process != 0) {
++        tvb_memcpy(tvb, prefix.bytes, offset, bytes_to_process);
++        if (prefix_length % 8) {
++            prefix.bytes[bytes_to_process - 1] &=
++                ((0xff00 >> (prefix_length % 8)) & 0xff);
++        }
++    }
++    proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++        "Address Prefix: %s", ip6_to_str(&prefix));
+ 
+ }
+