authorjlam <jlam>2005-04-10 07:46:50 +0000
committerjlam <jlam>2005-04-10 07:46:50 +0000
commit8c58533d196cf0125a5401a3c33e2b0199ac2a28 (patch)
treebf2251fb74f9c3c5844247058c8c015ec34c4f26
parentfb54f51fb03d8793052123528fea62d2beda6e2c (diff)
downloadpkgsrc-8c58533d196cf0125a5401a3c33e2b0199ac2a28.tar.gz
Patch from http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
which fixes MITKRB5-SA-2005-001 (CAN-2005-0468 & CAN-2005-0469) relating to buffer overflows in the telnet client. Bump PKGREVISION to 1.
-rw-r--r--security/mit-krb5/Makefile3
-rw-r--r--security/mit-krb5/distinfo3
-rw-r--r--security/mit-krb5/patches/patch-al96
3 files changed, 100 insertions, 2 deletions
diff --git a/security/mit-krb5/Makefile b/security/mit-krb5/Makefile
index 226daf9b79b..86b953e1634 100644
--- a/security/mit-krb5/Makefile
+++ b/security/mit-krb5/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.17 2005/04/10 07:15:24 jlam Exp $
+# $NetBSD: Makefile,v 1.18 2005/04/10 07:46:50 jlam Exp $
DISTNAME= krb5-1.4
PKGNAME= mit-${DISTNAME:S/-signed$//}
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/1.4/
DISTFILES= ${DISTNAME}-signed${EXTRACT_SUFX}
diff --git a/security/mit-krb5/distinfo b/security/mit-krb5/distinfo
index 87c0d5c9fd4..3ad292b8daf 100644
--- a/security/mit-krb5/distinfo
+++ b/security/mit-krb5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.9 2005/04/10 07:15:24 jlam Exp $
+$NetBSD: distinfo,v 1.10 2005/04/10 07:46:50 jlam Exp $
SHA1 (krb5-1.4-signed.tar) = fa354aaaeb5ac5039653ebd249b1e3f9273a7a29
RMD160 (krb5-1.4-signed.tar) = 0231e55c56f3d6d20aee3ca1bcb77b0eeaeabaae
@@ -13,3 +13,4 @@ SHA1 (patch-ag) = 52a794b5fa0d1573bb2c9e7c4d233212d767d0e0
SHA1 (patch-ah) = 59a6bfc341a22234b38db406abe83b0d6d358a9f
SHA1 (patch-aj) = 5c633571ea932ce349065cbb4c3bf482cc971675
SHA1 (patch-ak) = 9d95372fd8edddbf0366e83a51d7a0b8a507f218
+SHA1 (patch-al) = dbfae9ee81ba7b0367bc874fe60d1c256f8c5cf1
diff --git a/security/mit-krb5/patches/patch-al b/security/mit-krb5/patches/patch-al
new file mode 100644
index 00000000000..ed9e1ca7a72
--- /dev/null
+++ b/security/mit-krb5/patches/patch-al
@@ -0,0 +1,96 @@
+$NetBSD: patch-al,v 1.1 2005/04/10 07:46:50 jlam Exp $
+
+Patch from http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
+which fixes MITKRB5-SA-2005-001 (CAN-2005-0468 & CAN-2005-0469) relating
+to buffer overflows in the telnet client.
+
+*** appl/telnet/telnet/telnet.c 15 Nov 2002 20:21:35 -0000 5.18
+--- appl/telnet/telnet/telnet.c 15 Mar 2005 18:59:32 -0000
+***************
+*** 1475,1480 ****
+--- 1475,1482 ----
+ unsigned char flags;
+ cc_t value;
+ {
++ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
++ return;
+ if ((*slc_replyp++ = func) == IAC)
+ *slc_replyp++ = IAC;
+ if ((*slc_replyp++ = flags) == IAC)
+***************
+*** 1488,1498 ****
+ {
+ register int len;
+
+- *slc_replyp++ = IAC;
+- *slc_replyp++ = SE;
+ len = slc_replyp - slc_reply;
+! if (len <= 6)
+ return;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+--- 1490,1501 ----
+ {
+ register int len;
+
+ len = slc_replyp - slc_reply;
+! if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+ return;
++ *slc_replyp++ = IAC;
++ *slc_replyp++ = SE;
++ len += 2;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+***************
+*** 1645,1650 ****
+--- 1648,1654 ----
+ register unsigned char *ep;
+ {
+ register unsigned char *vp, c;
++ unsigned int len, olen, elen;
+
+ if (opt_reply == NULL) /*XXX*/
+ return; /*XXX*/
+***************
+*** 1662,1680 ****
+ return;
+ }
+ vp = env_getvalue(ep);
+! if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+! strlen((char *)ep) + 6 > opt_replyend)
+ {
+! register unsigned int len;
+! opt_replyend += OPT_REPLY_SIZE;
+! len = opt_replyend - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
+--- 1666,1684 ----
+ return;
+ }
+ vp = env_getvalue(ep);
+! elen = 2 * (vp ? strlen((char *)vp) : 0) +
+! 2 * strlen((char *)ep) + 6;
+! if ((opt_replyend - opt_replyp) < elen)
+ {
+! len = opt_replyend - opt_reply + elen;
+! olen = opt_replyp - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + olen;
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
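Review bot: The guard added to slc_add_reply reserves 6 bytes for the escaped triplet but not the 2-byte `IAC SE` trailer, so the write pointer can still advance to the very end of `slc_reply`. When that happens, slc_end_reply's new `len + 2 > sizeof(slc_reply)` test returns without sending anything, and the whole reply is dropped silently instead of being sent in truncated form. Both paths stay inside the buffer, so this is a behaviour point rather than a memory-safety one; reserving the trailer up front, `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply)) return;`, would keep a full reply sendable. Separately, in env_opt_add the new `elen`, `len` and `olen` are `unsigned int` while `strlen` returns `size_t`, so declaring them `size_t` would rule out truncation of the computed size on LP64 targets. All three functions start or end outside the quoted context, so whether `slc_replyp` is reset after the early returns cannot be confirmed from this patch.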