author | salo <salo@pkgsrc.org> | 2003-03-29 21:20:29 +0000 |
---|---|---|
committer | salo <salo@pkgsrc.org> | 2003-03-29 21:20:29 +0000 |
commit | 0d095992f91b0e11be94d26d94cdd74fb147141f (patch) | |
tree | b1bba0a5a836479564a88f830486250138eacf01 /chat | |
parent | f3bbd5629b566c02e6e9f4c7051673bd655bfb0a (diff) | |
download | pkgsrc-0d095992f91b0e11be94d26d94cdd74fb147141f.tar.gz |
Bump PKGREVISION: fix several potential buffer overflows found by Timo
Sirainen <tss at iki dot fi>, see the following url for more details:
http://securityfocus.com/archive/1/315057
Patch from bugtraq by <caf at guarana dot org>.
Diffstat (limited to 'chat')
-rw-r--r-- | chat/bitchx/Makefile | 3 | ||||
-rw-r--r-- | chat/bitchx/distinfo | 8 | ||||
-rw-r--r-- | chat/bitchx/patches/patch-ag | 72 | ||||
-rw-r--r-- | chat/bitchx/patches/patch-ah | 20 | ||||
-rw-r--r-- | chat/bitchx/patches/patch-ai | 113 | ||||
-rw-r--r-- | chat/bitchx/patches/patch-aj | 27 | ||||
-rw-r--r-- | chat/bitchx/patches/patch-ak | 18 | ||||
-rw-r--r-- | chat/bitchx/patches/patch-al | 54 |
8 files changed, 313 insertions, 2 deletions
diff --git a/chat/bitchx/Makefile b/chat/bitchx/Makefile
index 1848981248e..13a7e6a9192 100644
--- a/chat/bitchx/Makefile
+++ b/chat/bitchx/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.16 2003/03/29 12:40:16 jmmv Exp $
+# $NetBSD: Makefile,v 1.17 2003/03/29 21:20:29 salo Exp $
 #
 
 DISTNAME= ircii-pana-1.0c19
 PKGNAME= bitchx-1.0.3.19
+PKGREVISION= 1
 WRKSRC= ${WRKDIR}/BitchX
 CATEGORIES= chat
 MASTER_SITES= ftp://ftp.bitchx.org/pub/BitchX/source/ \
diff --git a/chat/bitchx/distinfo b/chat/bitchx/distinfo
index aeec239536d..96343152624 100644
--- a/chat/bitchx/distinfo
+++ b/chat/bitchx/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.6 2003/01/31 00:17:45 salo Exp $
+$NetBSD: distinfo,v 1.7 2003/03/29 21:20:29 salo Exp $
 
 SHA1 (ircii-pana-1.0c19.tar.gz) = 4821ebbd3f55ec2cfc2a20e2109e34ea45b3f144
 Size (ircii-pana-1.0c19.tar.gz) = 2533621 bytes
@@ -8,3 +8,9 @@ SHA1 (patch-ac) = ba59735707ca8758d62e78b7756330aa933f2de7
 SHA1 (patch-ad) = ad6678061ea154153d3a04c0b2ea3d295ecb9686
 SHA1 (patch-ae) = 90c7e0a19c81e710392c675be650c57e64ee65b3
 SHA1 (patch-af) = c79fcbcc57b8234d5918b1414219965b75e3c0d1
+SHA1 (patch-ag) = 4b89c3da7eb4483b87d9660b5e3d4e62752c5bfd
+SHA1 (patch-ah) = 2cc10ac0e312c53f8af379ea50aafa7439671be7
+SHA1 (patch-ai) = 7ebe26aaa82a993f5fa40ec5f74ed87769abe2fd
+SHA1 (patch-aj) = 292c70f009d08fda82e4480917c83d4269a89d57
+SHA1 (patch-ak) = 4e70e8d42b104b91849e79930fabe8c5a43d10f5
+SHA1 (patch-al) = dd501c530af801bece9f035b4355d1ecaaa7658a
diff --git a/chat/bitchx/patches/patch-ag b/chat/bitchx/patches/patch-ag
new file mode 100644
index 00000000000..77495e6d999
--- /dev/null
+++ b/chat/bitchx/patches/patch-ag
@@ -0,0 +1,72 @@
+$NetBSD: patch-ag,v 1.1 2003/03/29 21:20:30 salo Exp $
+
+Fixes potential remote buffer overflows. See the following url for more
+details: http://securityfocus.com/archive/1/315057
+
+Patch by caf@guarana.org.
+
+--- source/banlist.c.orig 2002-02-28 05:22:46.000000000 +0100
++++ source/banlist.c 2003-03-29 21:30:20.000000000 +0100
+@@ -264,9 +264,9 @@
+ char * ban_it(char *nick, char *user, char *host, char *ip)
+ {
+ static char banstr[BIG_BUFFER_SIZE/4+1];
+-char *tmpstr = NULL;
+ char *t = user;
+ char *t1 = user;
++char *tmp;
+
+ *banstr = 0;
+ while (strlen(t1)>9)
+@@ -277,33 +277,40 @@
+ case 7:
+ if (ip)
+ {
+- sprintf(banstr, "*!*@%s", cluster(ip));
++ snprintf(banstr, sizeof banstr, "*!*@%s",
++ cluster(ip));
+ break;
+ }
+ case 2: /* Better */
+- sprintf(banstr, "*!*%s@%s", t1, cluster(host));
++ snprintf(banstr, sizeof banstr, "*!*%s@%s", t1,
++ cluster(host));
+ break;
+ case 3: /* Host */
+- sprintf(banstr, "*!*@%s", host);
++ snprintf(banstr, sizeof banstr, "*!*@%s", host);
+ break;
+ case 4: /* Domain */
+- sprintf(banstr, "*!*@*%s", strrchr(host, '.'));
++ tmp = strrchr(host, '.');
++ if (tmp)
++ snprintf(banstr, sizeof banstr, "*!*@*%s",
++ tmp);
++ else
++ snprintf(banstr, sizeof banstr, "*!*@%s",
++ host);
+ break;
+ case 5: /* User */
+- sprintf(banstr, "*!%s@%s", t, cluster(host));
++ snprintf(banstr, sizeof banstr, "*!%s@%s", t,
++ cluster(host));
+ break;
+ case 6: /* Screw */
+- malloc_sprintf(&tmpstr, "*!*%s@%s", t1, host);
+- strcpy(banstr, screw(tmpstr));
+- new_free(&tmpstr);
++ snprintf(banstr, sizeof banstr, "*!*%s@%s", t1, host);
++ screw(banstr);
+ break;
+ case 1: /* Normal */
+ default:
+- {
+- sprintf(banstr, "%s!*%s@%s", nick, t1, host);
++ snprintf(banstr, sizeof banstr, "%s!*%s@%s", nick, t1,
++ host);
+ break;
+ }
+- }
+ return banstr;
+ }
+
diff --git a/chat/bitchx/patches/patch-ah b/chat/bitchx/patches/patch-ah
new file mode 100644
index 00000000000..869a9b2d6ad
--- /dev/null
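Review bot: In source/banlist.c (patch-ag) the new NULL test covers only the `strrchr()` result in case 4; the `cluster(ip)` and `cluster(host)` results in cases 7, 2 and 5 still go straight into `%s`. The misc.c hunk in this same commit shows a helper with `return NULL` paths that looks like cluster() (its name is outside that hunk), and a NULL passed to `%s` is undefined behaviour in snprintf. Suggest taking the result into `tmp` first, e.g. `tmp = cluster(host); if (!tmp) tmp = host;`, before formatting. Case 6 now relies on `screw()` rewriting `banstr` in place, whereas the old code copied its return value; that should be confirmed against screw()'s definition, which is not in the hunk.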
+++ b/chat/bitchx/patches/patch-ah
@@ -0,0 +1,20 @@
+$NetBSD: patch-ah,v 1.1 2003/03/29 21:20:30 salo Exp $
+
+Fixes potential remote buffer overflows. See the following url for more
+details: http://securityfocus.com/archive/1/315057
+
+Patch by caf@guarana.org.
+
+--- source/ctcp.c.orig 2002-02-28 05:22:47.000000000 +0100
++++ source/ctcp.c 2003-03-29 21:41:01.000000000 +0100
+@@ -1482,6 +1482,10 @@
+ *putbuf2;
+ int len;
+ len = IRCD_BUFFER_SIZE - (12 + strlen(to));
++
++ if (len < strlen(ctcp_cmd[datatag].name) + 3)
++ return;
++
+ putbuf2 = alloca(len);
+
+ if (format)
diff --git a/chat/bitchx/patches/patch-ai b/chat/bitchx/patches/patch-ai
new file mode 100644
index 00000000000..3307d752c04
--- /dev/null
+++ b/chat/bitchx/patches/patch-ai
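Review bot: In source/ctcp.c (patch-ah) the added guard compares `int len` with a `size_t`, so a negative `len` is converted to a very large unsigned value and the test does not fire. `len` ends up negative on the usual platforms when `strlen(to)` exceeds `IRCD_BUFFER_SIZE - 12`, which is the case the guard most needs to stop before `alloca(len)`. Suggest `if (len < 0 || (size_t)len < strlen(ctcp_cmd[datatag].name) + 3) return;`. The enclosing function starts and ends outside the hunk, so whether the caller already limits the length of `to` cannot be seen here.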
@@ -0,0 +1,113 @@
+$NetBSD: patch-ai,v 1.1 2003/03/29 21:20:30 salo Exp $
+
+Fixes potential remote buffer overflows. See the following url for more
+details: http://securityfocus.com/archive/1/315057
+
+Patch by caf@guarana.org.
+
+--- source/misc.c.orig 2002-03-24 10:31:07.000000000 +0100
++++ source/misc.c 2003-03-29 21:44:37.000000000 +0100
+@@ -3110,42 +3110,47 @@
+ static char result[IRCD_BUFFER_SIZE/4 + 1];
+ char temphost[BIG_BUFFER_SIZE + 1];
+ char *host;
++ char *atsign;
+
+ if (!hostname)
+ return NULL;
+- host = temphost;
+- *result = 0;
+- memset(result, 0, sizeof(result));
+- memset(temphost, 0, sizeof(temphost));
+- if (strchr(hostname, '@'))
+- {
+- if (*hostname == '~')
+- hostname++;
+- strcpy(result, hostname);
+- *strchr(result, '@') = '\0';
+- if (strlen(result) > 9)
+- {
++
++ atsign = strchr(hostname, '@');
++ if (atsign) {
++ if (*hostname == '~') {
++ strcpy(result, "~*@");
++ } else {
++ size_t ident_len = atsign - hostname;
++
++ if (ident_len <= 9) {
++ /* copy ident@ */
++ strmcpy(result, hostname, ident_len + 1);
++ } else {
++ strmcpy(result, hostname, 8);
+ result[8] = '*';
+- result[9] = '\0';
++ result[9] = '@';
++ result[10] = '\0';
+ }
+- strcat(result, "@");
+- if (!(hostname = strchr(hostname, '@')))
+- return NULL;
+- hostname++;
+ }
+- strcpy(host, hostname);
++ hostname = atsign + 1;
++ } else {
++ *result = 0;
++ }
+
+- if (*host && isdigit(*(host + strlen(host) - 1)))
++ strlcpy(temphost, hostname, sizeof temphost);
++ host = temphost;
++
++ if (*host && isdigit((unsigned char)*(host + strlen(host) - 1)))
+ {
+ /* Thanks icebreak for this small patch which fixes this function */
+ int i;
+ char *tmp;
+- char count=0;
++ char count = 0;
+
+ tmp = host;
+- while((tmp-host)<strlen(host))
++ while((tmp - host) < strlen(host))
+ {
+- if((tmp=strchr(tmp,'.'))==NULL)
++ if((tmp = strchr(tmp,'.')) == NULL)
+ break;
+ count++;
+ tmp++;
+@@ -3154,8 +3159,8 @@
+ for (i = 0; i < count; i++)
+ tmp = strchr(tmp, '.') + 1;
+ *tmp = '\0';
+- strcat(result, host);
+- strcat(result, "*");
++ strlcat(result, host, sizeof result);
++ strlcat(result, "*", sizeof result);
+ }
+ else
+ {
+@@ -3177,17 +3182,18 @@
+ else
+ return (char *) NULL;
+ }
++
++ /* We don't need strlcat for these first two, because
++ * at this point the maximum length of the string in
++ * result is 10 */
+ strcat(result, "*");
+ if (my_stricmp(host, temphost))
+ strcat(result, ".");
+- strcat(result, host);
++ strlcat(result, host, sizeof result);
+ }
+ return result;
+ }
+
+-
+-
+-
+ struct _sock_manager
+ {
+ int init;
diff --git a/chat/bitchx/patches/patch-aj b/chat/bitchx/patches/patch-aj
new file mode 100644
index 00000000000..2b73e993c9d
--- /dev/null
+++ b/chat/bitchx/patches/patch-aj
@@ -0,0 +1,27 @@
+$NetBSD: patch-aj,v 1.1 2003/03/29 21:20:30 salo Exp $
+
+Fixes potential remote buffer overflows. See the following url for more
+details: http://securityfocus.com/archive/1/315057
+
+Patch by caf@guarana.org.
+
+--- source/names.c.orig 2003-03-29 21:48:19.000000000 +0100
++++ source/names.c 2003-03-29 21:52:59.000000000 +0100
+@@ -572,7 +572,7 @@
+
+ *nmodes = 0;
+ *nargs = 0;
+- for (; *modes; modes++)
++ for (; *modes && (strlen(nmodes) + 2) < sizeof nmodes; modes++)
+ {
+ isbanned = isopped = isvoiced = 0;
+ switch (*modes)
+@@ -742,7 +742,7 @@
+
+ /* modes which can be done multiple times are added here */
+
+- for (tucm = ucm; tucm; tucm = tucm->next)
++ for (tucm = ucm; tucm && (strlen(nmodes) + 2) < sizeof nmodes; tucm = tucm->next)
+ {
+ if (tucm->o_ed)
+ {
diff --git a/chat/bitchx/patches/patch-ak b/chat/bitchx/patches/patch-ak
new file mode 100644
index 00000000000..589061070d5
--- /dev/null
+++ b/chat/bitchx/patches/patch-ak
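Review bot: In source/misc.c (patch-ai) the rewrite changes the mask for `~`-prefixed idents as well as fixing the overflow: the old code skipped the `~` and kept the ident, while the new branch emits `~*@` for every such user. That widening is not mentioned in the patch header, so a comment at the branch such as `/* ~ident: wildcard the whole ident, keep the ~ */` would record that it is intended. The two `strcat()` calls left in the last inner hunk are bounded only by the invariant stated in the new comment (result at most 10 characters at that point); writing them as `strlcat(result, "*", sizeof result);` like the neighbouring calls would keep the bound local. The function's signature lies above the first inner hunk.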
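Review bot: In source/names.c (patch-aj) both loop conditions bound `nmodes` only, while `nargs` is reset on the line just above the first loop and is presumably appended to in the loop bodies, which lie outside the hunks. If that is so it needs its own length check, since mode arguments are likely the longer strings. `sizeof nmodes` is the buffer size only if `nmodes` is an array in this scope; its declaration is not in the hunk, and with a pointer the loops would stop after a few characters. Keeping the length in a local, e.g. `size_t used = strlen(nmodes);`, would also avoid rescanning the string on every iteration.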
@@ -0,0 +1,18 @@
+$NetBSD: patch-ak,v 1.1 2003/03/29 21:20:30 salo Exp $
+
+Fixes potential remote buffer overflows. See the following url for more
+details: http://securityfocus.com/archive/1/315057
+
+Patch by caf@guarana.org.
+
+--- source/notice.c.orig 2003-03-29 21:55:24.000000000 +0100
++++ source/notice.c 2003-03-29 21:55:51.000000000 +0100
+@@ -425,7 +425,7 @@
+ int conn = !strncmp(line+7, "connect", 7) ? 1 : 0;
+ int dalnet = 0, ircnet = 0;
+
+- if (*(line+18) == ':')
++ if (strlen(line) >= 19 && line[18] == ':')
+ q = NULL;
+ else
+ dalnet = (q == NULL);
diff --git a/chat/bitchx/patches/patch-al b/chat/bitchx/patches/patch-al
new file mode 100644
index 00000000000..8ba20a1a19f
--- /dev/null
+++ b/chat/bitchx/patches/patch-al
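Review bot: In source/notice.c (patch-ak) the new length test protects `line[18]`, but the initialiser two lines above it still evaluates `strncmp(line+7, "connect", 7)` with no length check. If `line` can be shorter than seven characters, that read starts past the terminator; whether the caller guarantees a longer prefix is not visible in this hunk. Suggest `int conn = strlen(line) >= 7 && !strncmp(line+7, "connect", 7);`.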
@@ -0,0 +1,54 @@
+$NetBSD: patch-al,v 1.1 2003/03/29 21:20:30 salo Exp $
+
+Fixes potential remote buffer overflows. See the following url for more
+details: http://securityfocus.com/archive/1/315057
+
+Patch by caf@guarana.org.
+
+--- source/numbers.c.orig 2002-02-28 05:22:50.000000000 +0100
++++ source/numbers.c 2003-03-29 21:56:55.000000000 +0100
+@@ -354,26 +354,29 @@
+
+ set_display_target(chan, LOG_CURRENT);
+ PasteArgs(ArgList, 0);
+- strcpy(buffer, ArgList[0]);
++ strlcpy(buffer, ArgList[0], sizeof buffer);
+ switch(-current_numeric)
+ {
+ case 437:
+- strcat(buffer, " (Channel is temporarily unavailable)");
++ strlcat(buffer,
++ " (Channel is temporarily unavailable)",
++ sizeof buffer);
+ break;
+ case 471:
+- strcat(buffer, " (Channel is full)");
++ strlcat(buffer, " (Channel is full)", sizeof buffer);
+ break;
+ case 473:
+- strcat(buffer, " (You must be invited)");
++ strlcat(buffer, " (You must be invited)",
++ sizeof buffer);
+ break;
+ case 474:
+- strcat(buffer, " (You are banned)");
++ strlcat(buffer, " (You are banned)", sizeof buffer);
+ break;
+ case 475:
+- strcat(buffer, " (Bad channel key)");
++ strlcat(buffer, " (Bad channel key)", sizeof buffer);
+ break;
+ case 476:
+- strcat(buffer, " (Bad channel mask)");
++ strlcat(buffer, " (Bad channel mask)", sizeof buffer);
+ break;
+ default:
+ return;
+@@ -385,7 +388,6 @@
+ reset_display_target();
+ }
+
+-
+ int handle_server_stats(char *from, char **ArgList, int comm)
+ {
+ static int norm = 0, |
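Review bot: In source/numbers.c (patch-al) every new bound is `sizeof buffer`, which is correct only if `buffer` is an array declared in this function; the declaration is above the hunk and should be checked, because with a `char *` the calls would truncate to pointer size. `ArgList[0]` is also passed to `strlcpy()` without a NULL test, as it was to `strcpy()` before. A short comment above the switch, e.g. `/* buffer: pasted args plus a fixed reason suffix, truncated to fit */`, would document that over-long input is now cut silently.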