add patch from upstream to fix possible heap overflow in SSH handshake

due to integer overflow (CVE-2013-4852)
bump PKGREV

5 files changed, 55 insertions, 5 deletions

diff --git a/security/putty/Makefile b/security/putty/Makefile
index 182e1661c0f..fa5b573da04 100644
--- a/security/putty/Makefile
+++ b/security/putty/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.33 2013/06/06 12:55:01 wiz Exp $
+# $NetBSD: Makefile,v 1.34 2013/08/06 12:23:37 drochner Exp $
 #
 
 DISTNAME=	putty-0.62
-PKGREVISION=	9
+PKGREVISION=	10
 CATEGORIES=	security
 MASTER_SITES=	http://the.earth.li/~sgtatham/putty/0.62/
 
diff --git a/security/putty/distinfo b/security/putty/distinfo
index 1b0d6bbc401..db59bd53145 100644
--- a/security/putty/distinfo
+++ b/security/putty/distinfo
@@ -1,9 +1,11 @@
-$NetBSD: distinfo,v 1.13 2012/11/01 19:32:44 joerg Exp $
+$NetBSD: distinfo,v 1.14 2013/08/06 12:23:37 drochner Exp $
 
 SHA1 (putty-0.62.tar.gz) = 5898438614117ee7e3704fc3f30a3c4bf2041380
 RMD160 (putty-0.62.tar.gz) = 48324416005eb4b14654fc9e0e14d39f20971507
 Size (putty-0.62.tar.gz) = 1783106 bytes
-SHA1 (patch-import.c) = c2dc26aa851a326ea89e782ef93ae7bfdc916366
+SHA1 (patch-CVE-2013-4852-1) = 9f81e7b1c1135f153d7af1c4ca264d0af8df0cd8
+SHA1 (patch-CVE-2013-4852-2) = ca90d823b5ea59e4759fd48f63c28f0c8a3378da
+SHA1 (patch-import.c) = 2d88e956bb04e66a836992347e1252eeca78e8de
 SHA1 (patch-ldisc.c) = e4dd89bfb2ddcb47aad46cc7c311f424aa6ab6be
 SHA1 (patch-terminal.c) = bed37a83bb7afc56ff34d48f8079b37d9db0f948
 SHA1 (patch-timing.c) = b836da7194aa72ac88d94951070dc65f11978703
diff --git a/security/putty/patches/patch-CVE-2013-4852-1 b/security/putty/patches/patch-CVE-2013-4852-1
new file mode 100644
index 00000000000..dea86d664dd
--- /dev/null
+++ b/security/putty/patches/patch-CVE-2013-4852-1
@@ -0,0 +1,24 @@
+$NetBSD: patch-CVE-2013-4852-1,v 1.1 2013/08/06 12:23:37 drochner Exp $
+
+see http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
+
+--- sshdss.c.orig	2007-10-03 21:21:18.000000000 +0000
++++ sshdss.c
+@@ -43,6 +43,8 @@ static void getstring(char **data, int *
+     if (*datalen < 4)
+ 	return;
+     *length = GET_32BIT(*data);
++    if (*length < 0)
++	return;
+     *datalen -= 4;
+     *data += 4;
+     if (*datalen < *length)
+@@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int 
+     }
+ #endif
+ 
+-    if (!p || memcmp(p, "ssh-dss", 7)) {
++    if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
+ 	sfree(dss);
+ 	return NULL;
+     }
diff --git a/security/putty/patches/patch-CVE-2013-4852-2 b/security/putty/patches/patch-CVE-2013-4852-2
new file mode 100644
index 00000000000..0e94ad8151f
--- /dev/null
+++ b/security/putty/patches/patch-CVE-2013-4852-2
@@ -0,0 +1,13 @@
+$NetBSD: patch-CVE-2013-4852-2,v 1.1 2013/08/06 12:23:37 drochner Exp $
+
+--- sshrsa.c.orig	2011-02-18 08:25:39.000000000 +0000
++++ sshrsa.c
+@@ -526,6 +526,8 @@ static void getstring(char **data, int *
+     if (*datalen < 4)
+ 	return;
+     *length = GET_32BIT(*data);
++    if (*length < 0)
++	return;
+     *datalen -= 4;
+     *data += 4;
+     if (*datalen < *length)
diff --git a/security/putty/patches/patch-import.c b/security/putty/patches/patch-import.c
index aa74a4e69ff..14617c99457 100644
--- a/security/putty/patches/patch-import.c
+++ b/security/putty/patches/patch-import.c
@@ -1,7 +1,18 @@
-$NetBSD: patch-import.c,v 1.1 2012/02/22 15:27:16 wiz Exp $
+$NetBSD: patch-import.c,v 1.2 2013/08/06 12:23:37 drochner Exp $
+
+see http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
 
 --- import.c.orig	2010-04-12 11:02:06.000000000 +0000
 +++ import.c
+@@ -290,7 +290,7 @@ static int ssh2_read_mpint(void *data, i
+     if (len < 4)
+         goto error;
+     bytes = GET_32BIT(d);
+-    if (len < 4+bytes)
++    if (bytes < 0 || len-4 < bytes)
+         goto error;
+ 
+     ret->start = d + 4;
 @@ -717,8 +717,8 @@ int openssh_write(const Filename *filena
      unsigned char *outblob;
      int outlen;