author | drochner <drochner@pkgsrc.org> | 2013-08-07 16:48:49 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2013-08-07 16:48:49 +0000 |
commit | f421f481de6e54043f73ad0c8730fa66cb381be3 (patch) | |
tree | 2dc7be43a5e9be833aa5dcd9b22715573a4f065c /net/filezilla | |
parent | 15bc98c0f9727cfa7aadcb24db543c80a9e18b08 (diff) | |
download | pkgsrc-f421f481de6e54043f73ad0c8730fa66cb381be3.tar.gz |
update to 3.7.2
This is a major update, many fixes and improvements.
Main reason for the update was to sync the embedded sftp client
with putty after fixes for vulnerabilities.
Diffstat (limited to 'net/filezilla')
-rw-r--r-- | net/filezilla/Makefile | 5 | ||||
-rw-r--r-- | net/filezilla/PLIST | 103 | ||||
-rw-r--r-- | net/filezilla/distinfo | 14 | ||||
-rw-r--r-- | net/filezilla/patches/patch-CVE-2013-4206 | 87 | ||||
-rw-r--r-- | net/filezilla/patches/patch-CVE-2013-4208 | 29 | ||||
-rw-r--r-- | net/filezilla/patches/patch-CVE-2013-4852-1 | 24 | ||||
-rw-r--r-- | net/filezilla/patches/patch-CVE-2013-4852-2 | 13 | ||||
-rw-r--r-- | net/filezilla/patches/patch-CVE-2013-4852-3 | 13 | ||||
-rw-r--r-- | net/filezilla/patches/patch-aa | 14 |
9 files changed, 220 insertions, 82 deletions
diff --git a/net/filezilla/Makefile b/net/filezilla/Makefile
index 2fe3153af48..f51d1c21ce2 100644
--- a/net/filezilla/Makefile
+++ b/net/filezilla/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.44 2013/08/06 12:55:10 drochner Exp $
+# $NetBSD: Makefile,v 1.45 2013/08/07 16:48:49 drochner Exp $
 #
-VERSION= 3.5.0
+VERSION= 3.7.2
 DISTNAME= FileZilla_${VERSION}_src
 PKGNAME= filezilla-${VERSION}
-PKGREVISION= 19
 CATEGORIES= net x11
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=filezilla/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/net/filezilla/PLIST b/net/filezilla/PLIST
index 009bba28e2d..720d06d1629 100644
--- a/net/filezilla/PLIST
+++ b/net/filezilla/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.9 2011/04/03 11:47:34 abs Exp $
+@comment $NetBSD: PLIST,v 1.10 2013/08/07 16:48:49 drochner Exp $
 bin/filezilla
 bin/fzputtygen
 bin/fzsftp
@@ -180,7 +180,7 @@ share/filezilla/resources/leds.png
 share/filezilla/resources/lone/16x16/ascii.png
 share/filezilla/resources/lone/16x16/auto.png
 share/filezilla/resources/lone/16x16/binary.png
-share/filezilla/resources/lone/16x16/bookmarks.png
+share/filezilla/resources/lone/16x16/bookmark.png
 share/filezilla/resources/lone/16x16/cancel.png
 share/filezilla/resources/lone/16x16/compare.png
 share/filezilla/resources/lone/16x16/disconnect.png
@@ -211,7 +211,7 @@ share/filezilla/resources/lone/16x16/uploadadd.png
 share/filezilla/resources/lone/32x32/ascii.png
 share/filezilla/resources/lone/32x32/auto.png
 share/filezilla/resources/lone/32x32/binary.png
-share/filezilla/resources/lone/32x32/bookmarks.png
+share/filezilla/resources/lone/32x32/bookmark.png
 share/filezilla/resources/lone/32x32/cancel.png
 share/filezilla/resources/lone/32x32/compare.png
 share/filezilla/resources/lone/32x32/disconnect.png
@@ -241,7 +241,7 @@ share/filezilla/resources/lone/32x32/uploadadd.png
 share/filezilla/resources/lone/48x48/ascii.png
 share/filezilla/resources/lone/48x48/auto.png
 share/filezilla/resources/lone/48x48/binary.png
-share/filezilla/resources/lone/48x48/bookmarks.png
+share/filezilla/resources/lone/48x48/bookmark.png
 share/filezilla/resources/lone/48x48/cancel.png
 share/filezilla/resources/lone/48x48/compare.png
 share/filezilla/resources/lone/48x48/disconnect.png
@@ -308,7 +308,7 @@ share/filezilla/resources/netconfwizard.xrc
 share/filezilla/resources/opencrystal/16x16/ascii.png
 share/filezilla/resources/opencrystal/16x16/auto.png
 share/filezilla/resources/opencrystal/16x16/binary.png
-share/filezilla/resources/opencrystal/16x16/bookmarks.png
+share/filezilla/resources/opencrystal/16x16/bookmark.png
 share/filezilla/resources/opencrystal/16x16/cancel.png
 share/filezilla/resources/opencrystal/16x16/compare.png
 share/filezilla/resources/opencrystal/16x16/disconnect.png
@@ -342,7 +342,7 @@ share/filezilla/resources/opencrystal/24x24/server.png
 share/filezilla/resources/opencrystal/32x32/ascii.png
 share/filezilla/resources/opencrystal/32x32/auto.png
 share/filezilla/resources/opencrystal/32x32/binary.png
-share/filezilla/resources/opencrystal/32x32/bookmarks.png
+share/filezilla/resources/opencrystal/32x32/bookmark.png
 share/filezilla/resources/opencrystal/32x32/cancel.png
 share/filezilla/resources/opencrystal/32x32/compare.png
 share/filezilla/resources/opencrystal/32x32/disconnect.png
@@ -373,7 +373,7 @@ share/filezilla/resources/opencrystal/32x32/uploadadd.png
 share/filezilla/resources/opencrystal/48x48/ascii.png
 share/filezilla/resources/opencrystal/48x48/auto.png
 share/filezilla/resources/opencrystal/48x48/binary.png
-share/filezilla/resources/opencrystal/48x48/bookmarks.png
+share/filezilla/resources/opencrystal/48x48/bookmark.png
 share/filezilla/resources/opencrystal/48x48/cancel.png
 share/filezilla/resources/opencrystal/48x48/compare.png
 share/filezilla/resources/opencrystal/48x48/disconnect.png
@@ -404,12 +404,99 @@ share/filezilla/resources/opencrystal/48x48/uploadadd.png
 share/filezilla/resources/opencrystal/theme.xml
 share/filezilla/resources/quickconnectbar.xrc
 share/filezilla/resources/settings.xrc
+share/filezilla/resources/tango/16x16/ascii.png
+share/filezilla/resources/tango/16x16/auto.png
+share/filezilla/resources/tango/16x16/binary.png
+share/filezilla/resources/tango/16x16/bookmark.png
+share/filezilla/resources/tango/16x16/cancel.png
+share/filezilla/resources/tango/16x16/compare.png
+share/filezilla/resources/tango/16x16/disconnect.png
+share/filezilla/resources/tango/16x16/download.png
+share/filezilla/resources/tango/16x16/downloadadd.png
+share/filezilla/resources/tango/16x16/file.png
+share/filezilla/resources/tango/16x16/filter.png
+share/filezilla/resources/tango/16x16/find.png
+share/filezilla/resources/tango/16x16/folder.png
+share/filezilla/resources/tango/16x16/folderclosed.png
+share/filezilla/resources/tango/16x16/localtreeview.png
+share/filezilla/resources/tango/16x16/lock.png
+share/filezilla/resources/tango/16x16/logview.png
+share/filezilla/resources/tango/16x16/processqueue.png
+share/filezilla/resources/tango/16x16/queueview.png
+share/filezilla/resources/tango/16x16/reconnect.png
+share/filezilla/resources/tango/16x16/refresh.png
+share/filezilla/resources/tango/16x16/remotetreeview.png
+share/filezilla/resources/tango/16x16/server.png
+share/filezilla/resources/tango/16x16/sitemanager.png
+share/filezilla/resources/tango/16x16/synchronize.png
+share/filezilla/resources/tango/16x16/unknown.png
+share/filezilla/resources/tango/16x16/upload.png
+share/filezilla/resources/tango/16x16/uploadadd.png
+share/filezilla/resources/tango/32x32/ascii.png
+share/filezilla/resources/tango/32x32/auto.png
+share/filezilla/resources/tango/32x32/binary.png
+share/filezilla/resources/tango/32x32/bookmark.png
+share/filezilla/resources/tango/32x32/cancel.png
+share/filezilla/resources/tango/32x32/compare.png
+share/filezilla/resources/tango/32x32/disconnect.png
+share/filezilla/resources/tango/32x32/download.png
+share/filezilla/resources/tango/32x32/downloadadd.png
+share/filezilla/resources/tango/32x32/file.png
+share/filezilla/resources/tango/32x32/filter.png
+share/filezilla/resources/tango/32x32/find.png
+share/filezilla/resources/tango/32x32/folder.png
+share/filezilla/resources/tango/32x32/folderclosed.png
+share/filezilla/resources/tango/32x32/localtreeview.png
+share/filezilla/resources/tango/32x32/lock.png
+share/filezilla/resources/tango/32x32/logview.png
+share/filezilla/resources/tango/32x32/processqueue.png
+share/filezilla/resources/tango/32x32/queueview.png
+share/filezilla/resources/tango/32x32/reconnect.png
+share/filezilla/resources/tango/32x32/refresh.png
+share/filezilla/resources/tango/32x32/remotetreeview.png
+share/filezilla/resources/tango/32x32/server.png
+share/filezilla/resources/tango/32x32/sitemanager.png
+share/filezilla/resources/tango/32x32/synchronize.png
+share/filezilla/resources/tango/32x32/unknown.png
+share/filezilla/resources/tango/32x32/upload.png
+share/filezilla/resources/tango/32x32/uploadadd.png
+share/filezilla/resources/tango/48x48/ascii.png
+share/filezilla/resources/tango/48x48/auto.png
+share/filezilla/resources/tango/48x48/binary.png
+share/filezilla/resources/tango/48x48/bookmark.png
+share/filezilla/resources/tango/48x48/cancel.png
+share/filezilla/resources/tango/48x48/compare.png
+share/filezilla/resources/tango/48x48/disconnect.png
+share/filezilla/resources/tango/48x48/download.png
+share/filezilla/resources/tango/48x48/downloadadd.png
+share/filezilla/resources/tango/48x48/file.png
+share/filezilla/resources/tango/48x48/filter.png
+share/filezilla/resources/tango/48x48/find.png
+share/filezilla/resources/tango/48x48/folder.png
+share/filezilla/resources/tango/48x48/folderclosed.png
+share/filezilla/resources/tango/48x48/localtreeview.png
+share/filezilla/resources/tango/48x48/lock.png
+share/filezilla/resources/tango/48x48/logview.png
+share/filezilla/resources/tango/48x48/processqueue.png
+share/filezilla/resources/tango/48x48/queueview.png
+share/filezilla/resources/tango/48x48/reconnect.png
+share/filezilla/resources/tango/48x48/refresh.png
+share/filezilla/resources/tango/48x48/remotetreeview.png
+share/filezilla/resources/tango/48x48/server.png
+share/filezilla/resources/tango/48x48/sitemanager.png
+share/filezilla/resources/tango/48x48/synchronize.png
+share/filezilla/resources/tango/48x48/unknown.png
+share/filezilla/resources/tango/48x48/upload.png
+share/filezilla/resources/tango/48x48/uploadadd.png
+share/filezilla/resources/tango/theme.xml
 share/filezilla/resources/theme.xml
 share/filezilla/resources/toolbar.xrc
 share/filezilla/resources/up.png
 share/icons/hicolor/16x16/apps/filezilla.png
 share/icons/hicolor/32x32/apps/filezilla.png
 share/icons/hicolor/48x48/apps/filezilla.png
+share/icons/hicolor/scalable/apps/filezilla.svg
+share/locale/an/LC_MESSAGES/filezilla.mo
 share/locale/ar/LC_MESSAGES/filezilla.mo
 share/locale/bg_BG/LC_MESSAGES/filezilla.mo
 share/locale/ca/LC_MESSAGES/filezilla.mo
@@ -420,6 +507,7 @@ share/locale/de/LC_MESSAGES/filezilla.mo
 share/locale/el/LC_MESSAGES/filezilla.mo
 share/locale/es/LC_MESSAGES/filezilla.mo
 share/locale/et_EE/LC_MESSAGES/filezilla.mo
+share/locale/eu/LC_MESSAGES/filezilla.mo
 share/locale/eu_ES/LC_MESSAGES/filezilla.mo
 share/locale/fa_IR/LC_MESSAGES/filezilla.mo
 share/locale/fi_FI/LC_MESSAGES/filezilla.mo
@@ -437,6 +525,7 @@ share/locale/ka/LC_MESSAGES/filezilla.mo
 share/locale/km_KH/LC_MESSAGES/filezilla.mo
 share/locale/ko_KR/LC_MESSAGES/filezilla.mo
 share/locale/ku/LC_MESSAGES/filezilla.mo
+share/locale/ky/LC_MESSAGES/filezilla.mo
 share/locale/lt_LT/LC_MESSAGES/filezilla.mo
 share/locale/lv_LV/LC_MESSAGES/filezilla.mo
 share/locale/mk_MK/LC_MESSAGES/filezilla.mo
diff --git a/net/filezilla/distinfo b/net/filezilla/distinfo
index be811461e1a..5c6bab14440 100644
--- a/net/filezilla/distinfo
+++ b/net/filezilla/distinfo
@@ -1,10 +1,8 @@
-$NetBSD: distinfo,v 1.17 2013/08/06 12:55:10 drochner Exp $
+$NetBSD: distinfo,v 1.18 2013/08/07 16:48:49 drochner Exp $
-SHA1 (FileZilla_3.5.0_src.tar.bz2) = 0d351b74bbe70cbfea1d315fd07193089e6e1c9d
-RMD160 (FileZilla_3.5.0_src.tar.bz2) = c3ffc60ced15b7055c34d6ef07c97f516e6f276d
-Size (FileZilla_3.5.0_src.tar.bz2) = 3348649 bytes
-SHA1 (patch-CVE-2013-4852-1) = dd22cfde06eb3f949801e84f3f7daec5578f81bb
-SHA1 (patch-CVE-2013-4852-2) = 5bf47fc19cc5676fe8abeab799f62083da14b1ff
-SHA1 (patch-CVE-2013-4852-3) = 6a0e97a0eb4afb37a087a0b1adb4698af3fe5a2d
-SHA1 (patch-aa) = 78237ce599dafa640b1488f188376ecc835dfe45
+SHA1 (FileZilla_3.7.2_src.tar.bz2) = 12a241004bf10a4e28fec33c4d7e219dc3f8635e
+RMD160 (FileZilla_3.7.2_src.tar.bz2) = 2e993c7c9fa04e6e72cd9c120df871f4cdc4e09c
+Size (FileZilla_3.7.2_src.tar.bz2) = 3682007 bytes
+SHA1 (patch-CVE-2013-4206) = e4e6d4c5d26449d29a3b9d27956ecc6a255eeac7
+SHA1 (patch-CVE-2013-4208) = fd3a73dc554bf5bc39bac1150dd11594b4556346
 SHA1 (patch-data_makezip.sh.in) = 80acc96fce08e2e0831a4da0613f7b2eaebad465
diff --git a/net/filezilla/patches/patch-CVE-2013-4206 b/net/filezilla/patches/patch-CVE-2013-4206
new file mode 100644
index 00000000000..5ea64c704b3
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4206
@@ -0,0 +1,87 @@
+$NetBSD: patch-CVE-2013-4206,v 1.1 2013/08/07 16:48:49 drochner Exp $
+
+fixes also CVE-2013-4207
+http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9977
+http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9996
+
+--- src/putty/sshbn.c.orig 2011-08-21 17:53:50.000000000 +0000
++++ src/putty/sshbn.c
+@@ -1018,6 +1018,13 @@ Bignum modmul(Bignum p, Bignum q, Bignum
+
+ pqlen = (p[0] > q[0] ? p[0] : q[0]);
+
++ /*
++ * Make sure that we're allowing enough space. The shifting below
++ * will underflow the vectors we allocate if pqlen is too small.
++ */
++ if (2*pqlen <= mlen)
++ pqlen = mlen/2 + 1;
++
+ /* Allocate n of size pqlen, copy p to n */
+ n = snewn(pqlen, BignumInt);
+ i = pqlen - p[0];
+@@ -1306,7 +1313,18 @@ int ssh1_write_bignum(void *data, Bignum
+ int bignum_cmp(Bignum a, Bignum b)
+ {
+ int amax = a[0], bmax = b[0];
+- int i = (amax > bmax ? amax : bmax);
++ int i;
++
++ /* Annoyingly we have two representations of zero */
++ if (amax == 1 && a[amax] == 0)
++ amax = 0;
++ if (bmax == 1 && b[bmax] == 0)
++ bmax = 0;
++
++ assert(amax == 0 || a[amax] != 0);
++ assert(bmax == 0 || b[bmax] != 0);
++
++ i = (amax > bmax ? amax : bmax);
+ while (i) {
+ BignumInt aval = (i > amax ? 0 : a[i]);
+ BignumInt bval = (i > bmax ? 0 : b[i]);
+@@ -1864,6 +1882,44 @@ int main(int argc, char **argv)
+ freebn(b);
+ freebn(c);
+ freebn(p);
++ } else if (!strcmp(buf, "modmul")) {
++ Bignum a, b, m, c, p;
++
++ if (ptrnum != 4) {
++ printf("%d: modmul with %d parameters, expected 4\n",
++ line, ptrnum);
++ exit(1);
++ }
++ a = bignum_from_bytes(ptrs[0], ptrs[1]-ptrs[0]);
++ b = bignum_from_bytes(ptrs[1], ptrs[2]-ptrs[1]);
++ m = bignum_from_bytes(ptrs[2], ptrs[3]-ptrs[2]);
++ c = bignum_from_bytes(ptrs[3], ptrs[4]-ptrs[3]);
++ p = modmul(a, b, m);
++
++ if (bignum_cmp(c, p) == 0) {
++ passes++;
++ } else {
++ char *as = bignum_decimal(a);
++ char *bs = bignum_decimal(b);
++ char *ms = bignum_decimal(m);
++ char *cs = bignum_decimal(c);
++ char *ps = bignum_decimal(p);
++
++ printf("%d: fail: %s * %s mod %s gave %s expected %s\n",
++ line, as, bs, ms, ps, cs);
++ fails++;
++
++ sfree(as);
++ sfree(bs);
++ sfree(ms);
++ sfree(cs);
++ sfree(ps);
++ }
++ freebn(a);
++ freebn(b);
++ freebn(m);
++ freebn(c);
++ freebn(p);
+ } else if (!strcmp(buf, "pow")) {
+ Bignum base, expt, modulus, expected, answer;
+
diff --git a/net/filezilla/patches/patch-CVE-2013-4208 b/net/filezilla/patches/patch-CVE-2013-4208
new file mode 100644
index 00000000000..5464fa7c5d2
--- /dev/null
+++ b/net/filezilla/patches/patch-CVE-2013-4208
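Review bot: The two `assert()` calls added to bignum_cmp() make the function depend on normalised operands, and nothing in the patch documents that precondition or says what happens when it fails. A multi-word value whose top word is zero would abort the process in a normal build, and would be compared without the check if the package is built with NDEBUG. Since this is the embedded SSH code and the operands are presumably derived from peer-supplied data, I would record the contract next to the asserts, e.g. `/* Callers must pass normalised bignums: top word non-zero unless the value is 0 */`. Whether sshbn.c already includes assert.h cannot be seen from these inner hunks, so that is worth confirming with a build. The bodies of modmul() and bignum_cmp() continue outside the quoted hunks.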
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2013-4208,v 1.1 2013/08/07 16:48:49 drochner Exp $
+
+http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988
+
+--- src/putty/sshdss.c.orig 2013-08-06 09:08:32.000000000 +0000
++++ src/putty/sshdss.c
+@@ -251,8 +251,13 @@ static int dss_verifysig(void *key, char
+ }
+ r = get160(&sig, &siglen);
+ s = get160(&sig, &siglen);
+- if (!r || !s)
++ if (!r || !s) {
++ if (r)
++ freebn(r);
++ if (s)
++ freebn(s);
+ return 0;
++ }
+
+ /*
+ * Step 1. w <- s^-1 mod q.
+@@ -601,6 +606,7 @@ static unsigned char *dss_sign(void *key
+ s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
+ freebn(hxr);
+ freebn(kinv);
++ freebn(k);
+ freebn(hash);
+
+ /*
diff --git a/net/filezilla/patches/patch-CVE-2013-4852-1 b/net/filezilla/patches/patch-CVE-2013-4852-1
deleted file mode 100644
index cbc780a8dec..00000000000
--- a/net/filezilla/patches/patch-CVE-2013-4852-1
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-CVE-2013-4852-1,v 1.1 2013/08/06 12:55:10 drochner Exp $
-
-see http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
-
---- src/putty/sshdss.c.orig 2007-11-23 11:34:00.000000000 +0000
-+++ src/putty/sshdss.c
-@@ -43,6 +43,8 @@ static void getstring(char **data, int *
- if (*datalen < 4)
- return;
- *length = GET_32BIT(*data);
-+ if (*length < 0)
-+ return;
- *datalen -= 4;
- *data += 4;
- if (*datalen < *length)
-@@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int
- }
- #endif
-
-- if (!p || memcmp(p, "ssh-dss", 7)) {
-+ if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
- sfree(dss);
- return NULL;
- }
diff --git a/net/filezilla/patches/patch-CVE-2013-4852-2 b/net/filezilla/patches/patch-CVE-2013-4852-2
deleted file mode 100644
index f448d55026b..00000000000
--- a/net/filezilla/patches/patch-CVE-2013-4852-2
+++ /dev/null
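Review bot: The added `freebn(k);` in dss_sign() releases the per-signature DSA secret, but nothing in this patch shows that freebn() clears the buffer before freeing it, so whether the value is actually scrubbed from memory depends on code outside the hunk; this is worth confirming against the bundled sshbn.c before treating the CVE as closed. The patch header also carries only the upstream revision URL, so a one-line description such as `free r/s on the dss_verifysig error path and free k in dss_sign` would make the file self-explanatory. dss_verifysig() and dss_sign() both continue outside the inner hunks.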
@@ -1,13 +0,0 @@
-$NetBSD: patch-CVE-2013-4852-2,v 1.1 2013/08/06 12:55:10 drochner Exp $
-
---- src/putty/sshrsa.c.orig 2009-01-03 15:44:15.000000000 +0000
-+++ src/putty/sshrsa.c
-@@ -450,6 +450,8 @@ static void getstring(char **data, int *
- if (*datalen < 4)
- return;
- *length = GET_32BIT(*data);
-+ if (*length < 0)
-+ return;
- *datalen -= 4;
- *data += 4;
- if (*datalen < *length)
diff --git a/net/filezilla/patches/patch-CVE-2013-4852-3 b/net/filezilla/patches/patch-CVE-2013-4852-3
deleted file mode 100644
index c4ee3ef850a..00000000000
--- a/net/filezilla/patches/patch-CVE-2013-4852-3
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-CVE-2013-4852-3,v 1.1 2013/08/06 12:55:10 drochner Exp $
-
---- src/putty/import.c.orig 2008-02-22 03:00:11.000000000 +0000
-+++ src/putty/import.c
-@@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, i
- if (len < 4)
- goto error;
- bytes = GET_32BIT(d);
-- if (len < 4+bytes)
-+ if (bytes < 0 || len-4 < bytes)
- goto error;
-
- ret->start = d + 4;
diff --git a/net/filezilla/patches/patch-aa b/net/filezilla/patches/patch-aa
deleted file mode 100644
index 3fc1256e2fd..00000000000
--- a/net/filezilla/patches/patch-aa
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-aa,v 1.1 2012/07/06 15:37:23 drochner Exp $
-
-fix build with gnutls-3
-
---- src/engine/tlssocket.cpp.orig 2011-05-02 03:30:19.000000000 +0000
-+++ src/engine/tlssocket.cpp
-@@ -113,7 +113,6 @@ bool CTlsSocket::Init()
- gnutls_transport_set_push_function(m_session, PushFunction);
- gnutls_transport_set_pull_function(m_session, PullFunction);
- gnutls_transport_set_ptr(m_session, (gnutls_transport_ptr_t)this);
-- gnutls_transport_set_lowat(m_session, 0);
-
- m_shutdown_requested = false;
- |