Pullup ticket 2134 - requested by lkundrak

security fix for gdb

- pkgsrc/devel/gdb6/Makefile				1.21
- pkgsrc/devel/gdb6/distinfo				1.11
- pkgsrc/devel/gdb6/patches/patch-bo			1.1
- pkgsrc/devel/gdb6/patches/patch-bp			1.1

   Module Name:    pkgsrc
   Committed By: lkundrak
   Date:         Tue Jul  3 12:32:28 UTC 2007

   Modified Files:
	   pkgsrc/devel/gdb6: Makefile distinfo
   Added Files:
	   pkgsrc/devel/gdb6/patches: patch-bo patch-bp

   Log Message:
   Backported fixes for CAN-2005-1704 and CAN-2005-1705.

4 files changed, 95 insertions, 3 deletions

diff --git a/devel/gdb6/Makefile b/devel/gdb6/Makefile
index c97dfffcd97..db26f633750 100644
--- a/devel/gdb6/Makefile
+++ b/devel/gdb6/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.20 2006/10/18 13:39:07 reed Exp $
+# $NetBSD: Makefile,v 1.20.6.1 2007/07/10 10:01:21 ghen Exp $
 #
 
 DISTNAME=		gdb-6.2.1
-PKGREVISION=		3
+PKGREVISION=		4
 CATEGORIES=		devel
 MASTER_SITES=		ftp://sources.redhat.com/pub/gdb/releases/
 EXTRACT_SUFX=		.tar.bz2
diff --git a/devel/gdb6/distinfo b/devel/gdb6/distinfo
index c5ed0530f2f..7c865ffb742 100644
--- a/devel/gdb6/distinfo
+++ b/devel/gdb6/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2006/10/22 08:06:42 rillig Exp $
+$NetBSD: distinfo,v 1.10.6.1 2007/07/10 10:01:25 ghen Exp $
 
 SHA1 (gdb-6.2.1.tar.bz2) = 50cee3887744c4140aafcc0e4eb579d94464dfd7
 RMD160 (gdb-6.2.1.tar.bz2) = 6fe9f3bbef076c55cbcdf05143e7d5f98f61f889
@@ -43,3 +43,5 @@ SHA1 (patch-bk) = 98f836c7007a668b812d119be294842a957cb507
 SHA1 (patch-bl) = 12a9846fc08e8c3110897644d7803f67999b68f8
 SHA1 (patch-bm) = baf198e86cb5e9d8b9f6b0bd6d7ccd1ca61227b4
 SHA1 (patch-bn) = cfeee69148028782b9ab6580f0f619d5f3327325
+SHA1 (patch-bo) = 92221afaa93d9362057783c20100ce7ff1b5df9b
+SHA1 (patch-bp) = bff41b3fb0f5952cbcd37797ec4bb63f6f79da8d
diff --git a/devel/gdb6/patches/patch-bo b/devel/gdb6/patches/patch-bo
new file mode 100644
index 00000000000..fd5fa7200ad
--- /dev/null
+++ b/devel/gdb6/patches/patch-bo
@@ -0,0 +1,75 @@
+$NetBSD: patch-bo,v 1.1.2.2 2007/07/10 10:01:55 ghen Exp $
+
+Patch for CVE-2005-1704 sucked from upstream.
+* elfcode.h (elf_object_p): Add more sanity checks on elf header.
+
+--- bfd/elfcode.h.orig	2004-06-24 06:46:22.000000000 +0200
++++ bfd/elfcode.h
+@@ -613,8 +613,13 @@ elf_object_p (bfd *abfd)
+ 
+   if (i_ehdrp->e_shoff != 0)
+     {
++      bfd_signed_vma where = i_ehdrp->e_shoff;
++
++      if (where != (file_ptr) where)
++	goto got_wrong_format_error;
++
+       /* Seek to the section header table in the file.  */
+-      if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0)
++      if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+ 	goto got_no_match;
+ 
+       /* Read the first section header at index 0, and convert to internal
+@@ -626,13 +631,50 @@ elf_object_p (bfd *abfd)
+       /* If the section count is zero, the actual count is in the first
+ 	 section header.  */
+       if (i_ehdrp->e_shnum == SHN_UNDEF)
+-	i_ehdrp->e_shnum = i_shdr.sh_size;
++	{
++	  i_ehdrp->e_shnum = i_shdr.sh_size;
++	  if (i_ehdrp->e_shnum != i_shdr.sh_size)
++	    goto got_wrong_format_error;
++	}
+ 
+       /* And similarly for the string table index.  */
+       if (i_ehdrp->e_shstrndx == SHN_XINDEX)
+-	i_ehdrp->e_shstrndx = i_shdr.sh_link;
++	{
++	  i_ehdrp->e_shstrndx = i_shdr.sh_link;
++	  if (i_ehdrp->e_shstrndx != i_shdr.sh_link)
++	    goto got_wrong_format_error;
++	}
++
++      /* Sanity check that we can read all of the section headers.
++	 It ought to be good enough to just read the last one.  */
++      if (i_ehdrp->e_shnum != 1)
++	{
++	  /* Check that we don't have a totally silly number of sections.  */
++	  if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr))
++	    goto got_wrong_format_error;
++
++	  where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr);
++	  if (where != (file_ptr) where)
++	    goto got_wrong_format_error;
++	  if ((bfd_size_type) where <= i_ehdrp->e_shoff)
++	    goto got_wrong_format_error;
++
++	  if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
++	    goto got_no_match;
++	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
++	    goto got_no_match;
++
++	  /* Back to where we were.  */
++	  where = i_ehdrp->e_shoff + sizeof (x_shdr);
++	  if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
++	    goto got_no_match;
++	}
+     }
+ 
++  /* A further sanity check.  */
++  if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum)
++    goto got_wrong_format_error;
++
+   /* Allocate space for a copy of the section header table in
+      internal form.  */
+   if (i_ehdrp->e_shnum != 0)
diff --git a/devel/gdb6/patches/patch-bp b/devel/gdb6/patches/patch-bp
new file mode 100644
index 00000000000..dac2f2d990a
--- /dev/null
+++ b/devel/gdb6/patches/patch-bp
@@ -0,0 +1,15 @@
+$NetBSD: patch-bp,v 1.1.2.2 2007/07/10 10:01:55 ghen Exp $
+
+Patch for CVE-2005-1705 from Gentoo #88398.
+
+--- gdb/main.c.orig	2004-07-26 21:01:36.000000000 +0200
++++ gdb/main.c
+@@ -696,7 +696,7 @@ extern int gdbtk_test (char *);
+ 
+   if (!homedir
+       || memcmp ((char *) &homebuf, (char *) &cwdbuf, sizeof (struct stat)))
+-    if (!inhibit_gdbinit)
++    if (!inhibit_gdbinit && (cwdbuf.st_uid == getuid()) && (!cwdbuf.st_mode & (S_IWOTH)))
+       {
+ 	catch_command_errors (source_command, gdbinit, 0, RETURN_MASK_ALL);
+       }