Pullup ticket #4217 - requested by drochner

net/filezilla: security update

Revisions pulled up:
- net/filezilla/Makefile                                        1.44-1.45
- net/filezilla/PLIST                                           1.10
- net/filezilla/distinfo                                        1.17-1.18
- net/filezilla/patches/patch-CVE-2013-4206                     1.1
- net/filezilla/patches/patch-CVE-2013-4208                     1.1
- net/filezilla/patches/patch-CVE-2013-4852-1                   deleted
- net/filezilla/patches/patch-CVE-2013-4852-2                   deleted
- net/filezilla/patches/patch-CVE-2013-4852-3                   deleted
- net/filezilla/patches/patch-aa                                deleted

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue Aug  6 12:55:10 UTC 2013

   Modified Files:
           pkgsrc/net/filezilla: Makefile distinfo
   Added Files:
           pkgsrc/net/filezilla/patches: patch-CVE-2013-4852-1
               patch-CVE-2013-4852-2 patch-CVE-2013-4852-3

   Log Message:
   apply patches from pkgsrc/security/putty to fix embedded sftp client
   bump PKGREV

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Wed Aug  7 16:48:49 UTC 2013

   Modified Files:
           pkgsrc/net/filezilla: Makefile PLIST distinfo
   Added Files:
           pkgsrc/net/filezilla/patches: patch-CVE-2013-4206
   patch-CVE-2013-4208 Removed Files:
           pkgsrc/net/filezilla/patches: patch-CVE-2013-4852-1
               patch-CVE-2013-4852-2 patch-CVE-2013-4852-3 patch-aa

   Log Message:
   update to 3.7.2
   This is a major update, many fixes and improvements.
   Main reason for the update was to sync the embedded sftp client
   with putty after fixes for vulnerabilities.

9 files changed, 270 insertions, 29 deletions

diff --git a/net/filezilla/Makefile b/net/filezilla/Makefile
index 615613f70b2..9a7e18c5bef 100644
--- a/net/filezilla/Makefile
+++ b/net/filezilla/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.43 2013/06/06 12:54:55 wiz Exp $
+# $NetBSD: Makefile,v 1.43.2.1 2013/08/21 21:59:57 tron Exp $
 #
 
-VERSION=	3.5.0
+VERSION=	3.7.2
 DISTNAME=	FileZilla_${VERSION}_src
 PKGNAME=	filezilla-${VERSION}
-PKGREVISION=	18
 CATEGORIES=	net x11
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=filezilla/}
 EXTRACT_SUFX=	.tar.bz2
diff --git a/net/filezilla/PLIST b/net/filezilla/PLIST
index 009bba28e2d..b1ea3e89697 100644
--- a/net/filezilla/PLIST
+++ b/net/filezilla/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2011/04/03 11:47:34 abs Exp $
+@comment $NetBSD: PLIST,v 1.9.20.1 2013/08/21 21:59:57 tron Exp $
 bin/filezilla
 bin/fzputtygen
 bin/fzsftp
@@ -180,7 +180,7 @@ share/filezilla/resources/leds.png
 share/filezilla/resources/lone/16x16/ascii.png
 share/filezilla/resources/lone/16x16/auto.png
 share/filezilla/resources/lone/16x16/binary.png
-share/filezilla/resources/lone/16x16/bookmarks.png
+share/filezilla/resources/lone/16x16/bookmark.png
 share/filezilla/resources/lone/16x16/cancel.png
 share/filezilla/resources/lone/16x16/compare.png
 share/filezilla/resources/lone/16x16/disconnect.png
@@ -211,7 +211,7 @@ share/filezilla/resources/lone/16x16/uploadadd.png
 share/filezilla/resources/lone/32x32/ascii.png
 share/filezilla/resources/lone/32x32/auto.png
 share/filezilla/resources/lone/32x32/binary.png
-share/filezilla/resources/lone/32x32/bookmarks.png
+share/filezilla/resources/lone/32x32/bookmark.png
 share/filezilla/resources/lone/32x32/cancel.png
 share/filezilla/resources/lone/32x32/compare.png
 share/filezilla/resources/lone/32x32/disconnect.png
@@ -241,7 +241,7 @@ share/filezilla/resources/lone/32x32/uploadadd.png
 share/filezilla/resources/lone/48x48/ascii.png
 share/filezilla/resources/lone/48x48/auto.png
 share/filezilla/resources/lone/48x48/binary.png
-share/filezilla/resources/lone/48x48/bookmarks.png
+share/filezilla/resources/lone/48x48/bookmark.png
 share/filezilla/resources/lone/48x48/cancel.png
 share/filezilla/resources/lone/48x48/compare.png
 share/filezilla/resources/lone/48x48/disconnect.png
@@ -308,7 +308,7 @@ share/filezilla/resources/netconfwizard.xrc
 share/filezilla/resources/opencrystal/16x16/ascii.png
 share/filezilla/resources/opencrystal/16x16/auto.png
 share/filezilla/resources/opencrystal/16x16/binary.png
-share/filezilla/resources/opencrystal/16x16/bookmarks.png
+share/filezilla/resources/opencrystal/16x16/bookmark.png
 share/filezilla/resources/opencrystal/16x16/cancel.png
 share/filezilla/resources/opencrystal/16x16/compare.png
 share/filezilla/resources/opencrystal/16x16/disconnect.png
@@ -342,7 +342,7 @@ share/filezilla/resources/opencrystal/24x24/server.png
 share/filezilla/resources/opencrystal/32x32/ascii.png
 share/filezilla/resources/opencrystal/32x32/auto.png
 share/filezilla/resources/opencrystal/32x32/binary.png
-share/filezilla/resources/opencrystal/32x32/bookmarks.png
+share/filezilla/resources/opencrystal/32x32/bookmark.png
 share/filezilla/resources/opencrystal/32x32/cancel.png
 share/filezilla/resources/opencrystal/32x32/compare.png
 share/filezilla/resources/opencrystal/32x32/disconnect.png
@@ -373,7 +373,7 @@ share/filezilla/resources/opencrystal/32x32/uploadadd.png
 share/filezilla/resources/opencrystal/48x48/ascii.png
 share/filezilla/resources/opencrystal/48x48/auto.png
 share/filezilla/resources/opencrystal/48x48/binary.png
-share/filezilla/resources/opencrystal/48x48/bookmarks.png
+share/filezilla/resources/opencrystal/48x48/bookmark.png
 share/filezilla/resources/opencrystal/48x48/cancel.png
 share/filezilla/resources/opencrystal/48x48/compare.png
 share/filezilla/resources/opencrystal/48x48/disconnect.png
@@ -404,12 +404,99 @@ share/filezilla/resources/opencrystal/48x48/uploadadd.png
 share/filezilla/resources/opencrystal/theme.xml
 share/filezilla/resources/quickconnectbar.xrc
 share/filezilla/resources/settings.xrc
+share/filezilla/resources/tango/16x16/ascii.png
+share/filezilla/resources/tango/16x16/auto.png
+share/filezilla/resources/tango/16x16/binary.png
+share/filezilla/resources/tango/16x16/bookmark.png
+share/filezilla/resources/tango/16x16/cancel.png
+share/filezilla/resources/tango/16x16/compare.png
+share/filezilla/resources/tango/16x16/disconnect.png
+share/filezilla/resources/tango/16x16/download.png
+share/filezilla/resources/tango/16x16/downloadadd.png
+share/filezilla/resources/tango/16x16/file.png
+share/filezilla/resources/tango/16x16/filter.png
+share/filezilla/resources/tango/16x16/find.png
+share/filezilla/resources/tango/16x16/folder.png
+share/filezilla/resources/tango/16x16/folderclosed.png
+share/filezilla/resources/tango/16x16/localtreeview.png
+share/filezilla/resources/tango/16x16/lock.png
+share/filezilla/resources/tango/16x16/logview.png
+share/filezilla/resources/tango/16x16/processqueue.png
+share/filezilla/resources/tango/16x16/queueview.png
+share/filezilla/resources/tango/16x16/reconnect.png
+share/filezilla/resources/tango/16x16/refresh.png
+share/filezilla/resources/tango/16x16/remotetreeview.png
+share/filezilla/resources/tango/16x16/server.png
+share/filezilla/resources/tango/16x16/sitemanager.png
+share/filezilla/resources/tango/16x16/synchronize.png
+share/filezilla/resources/tango/16x16/unknown.png
+share/filezilla/resources/tango/16x16/upload.png
+share/filezilla/resources/tango/16x16/uploadadd.png
+share/filezilla/resources/tango/32x32/ascii.png
+share/filezilla/resources/tango/32x32/auto.png
+share/filezilla/resources/tango/32x32/binary.png
+share/filezilla/resources/tango/32x32/bookmark.png
+share/filezilla/resources/tango/32x32/cancel.png
+share/filezilla/resources/tango/32x32/compare.png
+share/filezilla/resources/tango/32x32/disconnect.png
+share/filezilla/resources/tango/32x32/download.png
+share/filezilla/resources/tango/32x32/downloadadd.png
+share/filezilla/resources/tango/32x32/file.png
+share/filezilla/resources/tango/32x32/filter.png
+share/filezilla/resources/tango/32x32/find.png
+share/filezilla/resources/tango/32x32/folder.png
+share/filezilla/resources/tango/32x32/folderclosed.png
+share/filezilla/resources/tango/32x32/localtreeview.png
+share/filezilla/resources/tango/32x32/lock.png
+share/filezilla/resources/tango/32x32/logview.png
+share/filezilla/resources/tango/32x32/processqueue.png
+share/filezilla/resources/tango/32x32/queueview.png
+share/filezilla/resources/tango/32x32/reconnect.png
+share/filezilla/resources/tango/32x32/refresh.png
+share/filezilla/resources/tango/32x32/remotetreeview.png
+share/filezilla/resources/tango/32x32/server.png
+share/filezilla/resources/tango/32x32/sitemanager.png
+share/filezilla/resources/tango/32x32/synchronize.png
+share/filezilla/resources/tango/32x32/unknown.png
+share/filezilla/resources/tango/32x32/upload.png
+share/filezilla/resources/tango/32x32/uploadadd.png
+share/filezilla/resources/tango/48x48/ascii.png
+share/filezilla/resources/tango/48x48/auto.png
+share/filezilla/resources/tango/48x48/binary.png
+share/filezilla/resources/tango/48x48/bookmark.png
+share/filezilla/resources/tango/48x48/cancel.png
+share/filezilla/resources/tango/48x48/compare.png
+share/filezilla/resources/tango/48x48/disconnect.png
+share/filezilla/resources/tango/48x48/download.png
+share/filezilla/resources/tango/48x48/downloadadd.png
+share/filezilla/resources/tango/48x48/file.png
+share/filezilla/resources/tango/48x48/filter.png
+share/filezilla/resources/tango/48x48/find.png
+share/filezilla/resources/tango/48x48/folder.png
+share/filezilla/resources/tango/48x48/folderclosed.png
+share/filezilla/resources/tango/48x48/localtreeview.png
+share/filezilla/resources/tango/48x48/lock.png
+share/filezilla/resources/tango/48x48/logview.png
+share/filezilla/resources/tango/48x48/processqueue.png
+share/filezilla/resources/tango/48x48/queueview.png
+share/filezilla/resources/tango/48x48/reconnect.png
+share/filezilla/resources/tango/48x48/refresh.png
+share/filezilla/resources/tango/48x48/remotetreeview.png
+share/filezilla/resources/tango/48x48/server.png
+share/filezilla/resources/tango/48x48/sitemanager.png
+share/filezilla/resources/tango/48x48/synchronize.png
+share/filezilla/resources/tango/48x48/unknown.png
+share/filezilla/resources/tango/48x48/upload.png
+share/filezilla/resources/tango/48x48/uploadadd.png
+share/filezilla/resources/tango/theme.xml
 share/filezilla/resources/theme.xml
 share/filezilla/resources/toolbar.xrc
 share/filezilla/resources/up.png
 share/icons/hicolor/16x16/apps/filezilla.png
 share/icons/hicolor/32x32/apps/filezilla.png
 share/icons/hicolor/48x48/apps/filezilla.png
+share/icons/hicolor/scalable/apps/filezilla.svg
+share/locale/an/LC_MESSAGES/filezilla.mo
 share/locale/ar/LC_MESSAGES/filezilla.mo
 share/locale/bg_BG/LC_MESSAGES/filezilla.mo
 share/locale/ca/LC_MESSAGES/filezilla.mo
@@ -420,6 +507,7 @@ share/locale/de/LC_MESSAGES/filezilla.mo
 share/locale/el/LC_MESSAGES/filezilla.mo
 share/locale/es/LC_MESSAGES/filezilla.mo
 share/locale/et_EE/LC_MESSAGES/filezilla.mo
+share/locale/eu/LC_MESSAGES/filezilla.mo
 share/locale/eu_ES/LC_MESSAGES/filezilla.mo
 share/locale/fa_IR/LC_MESSAGES/filezilla.mo
 share/locale/fi_FI/LC_MESSAGES/filezilla.mo
@@ -437,6 +525,7 @@ share/locale/ka/LC_MESSAGES/filezilla.mo
 share/locale/km_KH/LC_MESSAGES/filezilla.mo
 share/locale/ko_KR/LC_MESSAGES/filezilla.mo
 share/locale/ku/LC_MESSAGES/filezilla.mo
+share/locale/ky/LC_MESSAGES/filezilla.mo
 share/locale/lt_LT/LC_MESSAGES/filezilla.mo
 share/locale/lv_LV/LC_MESSAGES/filezilla.mo
 share/locale/mk_MK/LC_MESSAGES/filezilla.mo
diff --git a/net/filezilla/distinfo b/net/filezilla/distinfo
index 059957a4e6c..355d7c10555 100644
--- a/net/filezilla/distinfo
+++ b/net/filezilla/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.16 2012/07/06 15:37:23 drochner Exp $
+$NetBSD: distinfo,v 1.16.8.1 2013/08/21 21:59:57 tron Exp $
 
-SHA1 (FileZilla_3.5.0_src.tar.bz2) = 0d351b74bbe70cbfea1d315fd07193089e6e1c9d
-RMD160 (FileZilla_3.5.0_src.tar.bz2) = c3ffc60ced15b7055c34d6ef07c97f516e6f276d
-Size (FileZilla_3.5.0_src.tar.bz2) = 3348649 bytes
-SHA1 (patch-aa) = 78237ce599dafa640b1488f188376ecc835dfe45
+SHA1 (FileZilla_3.7.2_src.tar.bz2) = 12a241004bf10a4e28fec33c4d7e219dc3f8635e
+RMD160 (FileZilla_3.7.2_src.tar.bz2) = 2e993c7c9fa04e6e72cd9c120df871f4cdc4e09c
+Size (FileZilla_3.7.2_src.tar.bz2) = 3682007 bytes
+SHA1 (patch-CVE-2013-4206) = e4e6d4c5d26449d29a3b9d27956ecc6a255eeac7
+SHA1 (patch-CVE-2013-4208) = fd3a73dc554bf5bc39bac1150dd11594b4556346
 SHA1 (patch-data_makezip.sh.in) = 80acc96fce08e2e0831a4da0613f7b2eaebad465
diff --git a/net/filezilla/patches/patch-CVE-2013-4206 b/net/filezilla/patches/patch-CVE-2013-4206
new file mode 100644
index 00000000000..f25232c459b
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4206
@@ -0,0 +1,87 @@
+$NetBSD: patch-CVE-2013-4206,v 1.1.2.2 2013/08/21 21:59:57 tron Exp $
+
+fixes also CVE-2013-4207
+http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977
+http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996
+
+--- src/putty/sshbn.c.orig	2011-08-21 17:53:50.000000000 +0000
++++ src/putty/sshbn.c
+@@ -1018,6 +1018,13 @@ Bignum modmul(Bignum p, Bignum q, Bignum
+ 
+     pqlen = (p[0] > q[0] ? p[0] : q[0]);
+ 
++    /*
++     * Make sure that we're allowing enough space. The shifting below
++     * will underflow the vectors we allocate if pqlen is too small.
++     */
++    if (2*pqlen <= mlen)
++        pqlen = mlen/2 + 1;
++
+     /* Allocate n of size pqlen, copy p to n */
+     n = snewn(pqlen, BignumInt);
+     i = pqlen - p[0];
+@@ -1306,7 +1313,18 @@ int ssh1_write_bignum(void *data, Bignum
+ int bignum_cmp(Bignum a, Bignum b)
+ {
+     int amax = a[0], bmax = b[0];
+-    int i = (amax > bmax ? amax : bmax);
++    int i;
++
++    /* Annoyingly we have two representations of zero */
++    if (amax == 1 && a[amax] == 0)
++	    amax = 0;
++    if (bmax == 1 && b[bmax] == 0)
++	    bmax = 0;
++
++    assert(amax == 0 || a[amax] != 0);
++    assert(bmax == 0 || b[bmax] != 0);
++
++    i = (amax > bmax ? amax : bmax);
+     while (i) {
+ 	BignumInt aval = (i > amax ? 0 : a[i]);
+ 	BignumInt bval = (i > bmax ? 0 : b[i]);
+@@ -1864,6 +1882,44 @@ int main(int argc, char **argv)
+             freebn(b);
+             freebn(c);
+             freebn(p);
++        } else if (!strcmp(buf, "modmul")) {
++            Bignum a, b, m, c, p;
++
++            if (ptrnum != 4) {
++                printf("%d: modmul with %d parameters, expected 4\n",
++                       line, ptrnum);
++                exit(1);
++            }
++            a = bignum_from_bytes(ptrs[0], ptrs[1]-ptrs[0]);
++            b = bignum_from_bytes(ptrs[1], ptrs[2]-ptrs[1]);
++            m = bignum_from_bytes(ptrs[2], ptrs[3]-ptrs[2]);
++            c = bignum_from_bytes(ptrs[3], ptrs[4]-ptrs[3]);
++            p = modmul(a, b, m);
++
++            if (bignum_cmp(c, p) == 0) {
++                passes++;
++            } else {
++                char *as = bignum_decimal(a);
++                char *bs = bignum_decimal(b);
++                char *ms = bignum_decimal(m);
++                char *cs = bignum_decimal(c);
++                char *ps = bignum_decimal(p);
++                
++                printf("%d: fail: %s * %s mod %s gave %s expected %s\n",
++                       line, as, bs, ms, ps, cs);
++                fails++;
++
++                sfree(as);
++                sfree(bs);
++                sfree(ms);
++                sfree(cs);
++                sfree(ps);
++            }
++            freebn(a);
++            freebn(b);
++            freebn(m);
++            freebn(c);
++            freebn(p);
+         } else if (!strcmp(buf, "pow")) {
+             Bignum base, expt, modulus, expected, answer;
+ 
diff --git a/net/filezilla/patches/patch-CVE-2013-4208 b/net/filezilla/patches/patch-CVE-2013-4208
new file mode 100644
index 00000000000..293aa1ce9df
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4208
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2013-4208,v 1.1.2.2 2013/08/21 21:59:57 tron Exp $
+
+http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988
+
+--- src/putty/sshdss.c.orig	2013-08-06 09:08:32.000000000 +0000
++++ src/putty/sshdss.c
+@@ -251,8 +251,13 @@ static int dss_verifysig(void *key, char
+     }
+     r = get160(&sig, &siglen);
+     s = get160(&sig, &siglen);
+-    if (!r || !s)
++    if (!r || !s) {
++        if (r)
++            freebn(r);
++        if (s)
++            freebn(s);
+ 	return 0;
++    }
+ 
+     /*
+      * Step 1. w <- s^-1 mod q.
+@@ -601,6 +606,7 @@ static unsigned char *dss_sign(void *key
+     s = modmul(kinv, hxr, dss->q);     /* s = k^-1 * (hash + x*r) mod q */
+     freebn(hxr);
+     freebn(kinv);
++    freebn(k);
+     freebn(hash);
+ 
+     /*
diff --git a/net/filezilla/patches/patch-CVE-2013-4852-1 b/net/filezilla/patches/patch-CVE-2013-4852-1
new file mode 100644
index 00000000000..de63abf8ca6
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4852-1
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2013-4852-1,v 1.2.2.2 2013/08/21 21:59:57 tron Exp $
+
+see http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
+
+--- src/putty/sshdss.c.orig	2007-11-23 11:34:00.000000000 +0000
++++ src/putty/sshdss.c
+@@ -43,6 +43,8 @@ static void getstring(char **data, int *
+     if (*datalen < 4)
+ 	return;
+     *length = GET_32BIT(*data);
++    if (*length < 0)
++	return;
+     *datalen -= 4;
+     *data += 4;
+     if (*datalen < *length)
+@@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int 
+     }
+ #endif
+ 
+-    if (!p || memcmp(p, "ssh-dss", 7)) {
++    if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
+ 	sfree(dss);
+ 	return NULL;
+     }
diff --git a/net/filezilla/patches/patch-CVE-2013-4852-2 b/net/filezilla/patches/patch-CVE-2013-4852-2
new file mode 100644
index 00000000000..5a8c089293e
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4852-2
@@ -0,0 +1,13 @@
+$NetBSD: patch-CVE-2013-4852-2,v 1.2.2.2 2013/08/21 21:59:57 tron Exp $
+
+--- src/putty/sshrsa.c.orig	2009-01-03 15:44:15.000000000 +0000
++++ src/putty/sshrsa.c
+@@ -450,6 +450,8 @@ static void getstring(char **data, int *
+     if (*datalen < 4)
+ 	return;
+     *length = GET_32BIT(*data);
++    if (*length < 0)
++	return;
+     *datalen -= 4;
+     *data += 4;
+     if (*datalen < *length)
diff --git a/net/filezilla/patches/patch-CVE-2013-4852-3 b/net/filezilla/patches/patch-CVE-2013-4852-3
new file mode 100644
index 00000000000..0db5916dbc3
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4852-3
@@ -0,0 +1,13 @@
+$NetBSD: patch-CVE-2013-4852-3,v 1.2.2.2 2013/08/21 21:59:57 tron Exp $
+
+--- src/putty/import.c.orig	2008-02-22 03:00:11.000000000 +0000
++++ src/putty/import.c
+@@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, i
+     if (len < 4)
+         goto error;
+     bytes = GET_32BIT(d);
+-    if (len < 4+bytes)
++    if (bytes < 0 || len-4 < bytes)
+         goto error;
+ 
+     ret->start = d + 4;
diff --git a/net/filezilla/patches/patch-aa b/net/filezilla/patches/patch-aa
deleted file mode 100644
index 3fc1256e2fd..00000000000
--- a/net/filezilla/patches/patch-aa
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-aa,v 1.1 2012/07/06 15:37:23 drochner Exp $
-
-fix build with gnutls-3
-
---- src/engine/tlssocket.cpp.orig	2011-05-02 03:30:19.000000000 +0000
-+++ src/engine/tlssocket.cpp
-@@ -113,7 +113,6 @@ bool CTlsSocket::Init()
- 	gnutls_transport_set_push_function(m_session, PushFunction);
- 	gnutls_transport_set_pull_function(m_session, PullFunction);
- 	gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
--	gnutls_transport_set_lowat(m_session, 0);
- 
- 	m_shutdown_requested = false;
-