authoragc <agc>2004-10-19 13:33:40 +0000
committeragc <agc>2004-10-19 13:33:40 +0000
commit161ec9699bf55faf0ec6129c4410a7411587bda4 (patch)
tree88c4c274f09e1f04fd1aaad5470667d890427bed
parentf6fbdcccfe9813f58f33ac3a8f1abadc64ca14e6 (diff)
downloadpkgsrc-161ec9699bf55faf0ec6129c4410a7411587bda4.tar.gz
Pullup ticket 120 - requested by Todd Vierling
security fix for gzip Modified Files: pkgsrc/mk: bsd.pkg.mk Log Message: Automatic inclusion of gzip-base needs a version number in the BUILD_DEPENDS. Modified Files: pkgsrc/mk: bsd.pkg.mk Log Message: Bump gzip-base to 1.2.4b for security fix. Modified Files: pkgsrc/archivers/gzip: Makefile pkgsrc/archivers/gzip-base: Makefile distinfo Added Files: pkgsrc/archivers/gzip-base/patches: patch-ab Log Message: Update gzip to 1.2.4b, fixing a filename buffer overflow.
-rw-r--r--archivers/gzip-base/patches/patch-ab22
1 files changed, 22 insertions, 0 deletions
diff --git a/archivers/gzip-base/patches/patch-ab b/archivers/gzip-base/patches/patch-ab
new file mode 100644
index 00000000000..ed1c1564c1f
--- /dev/null
+++ b/archivers/gzip-base/patches/patch-ab
@@ -0,0 +1,22 @@
+$NetBSD: patch-ab,v 1.1.2.2 2004/10/19 13:33:41 agc Exp $
+
+From http://www.gzip.org/gzip-1.2.4b.patch - security fix for filenames
+over 1020 caharacters long.
+
+--- gzip.c Thu Aug 19 15:39:43 1993
++++ gzip.c Tue Jan 8 21:44:18 2002
+@@ -1005,7 +1005,14 @@
+ #ifdef NO_MULTIPLE_DOTS
+ char *dot; /* pointer to ifname extension, or NULL */
+ #endif
++ int max_suffix_len = (z_len > 3 ? z_len : 3);
+
++ /* Leave enough room in ifname or ofname for suffix: */
++ if (strlen(iname) >= sizeof(ifname) - max_suffix_len) {
++ strncpy(ifname, iname, sizeof(ifname) - 1);
++ /* last byte of ifname is already zero and never overwritten */
++ error("file name too long");
++ }
+ strcpy(ifname, iname);
+
+ /* If input file exists, return OK. */
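Review bot: The `strcpy(ifname, iname);` kept after the new length guard in the embedded gzip.c hunk is still an unbounded copy, so the fix holds only if `error()` never returns, which this hunk does not show. If it does terminate the program (presumably so, to be confirmed against gzip.c), a comment such as `/* error() is expected not to return; strcpy() below only sees names that fit */` would make that dependency explicit; if it can return, the guard has to leave the function itself. The bound `sizeof(ifname) - max_suffix_len` is computed as an unsigned value, so it is sound only while `z_len` stays below the buffer size; that limit is presumably enforced where the suffix is set, outside this hunk, and is worth confirming. The enclosing function begins and ends outside the hunk, and the patch header misspells "characters" as "caharacters".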