Security fix for CAN-2004-1289.

"Multiple buffer overflows in the getline function in pcalutil.c and the
 get_holiday function in readfile.c for pcal 4.7.1 allow remote attackers
 to execute arbitrary code via a crafted calendar file."

Partial patch from Debian.  Bump PKGREVISION.

4 files changed, 33 insertions, 2 deletions

diff --git a/time/pcal/Makefile b/time/pcal/Makefile
index 4e3d94f94e7..ca0b1efccdc 100644
--- a/time/pcal/Makefile
+++ b/time/pcal/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.6 2004/12/03 15:15:11 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2005/03/20 21:34:17 salo Exp $
 #
 
 DISTNAME=	pcal-4.7
+PKGREVISION=	1
 CATEGORIES=	time
 MASTER_SITES=	http://membled.com/work/mirror/pcal/
 EXTRACT_SUFX=	.tar.bz2
diff --git a/time/pcal/distinfo b/time/pcal/distinfo
index 65d6ff84320..96e96451448 100644
--- a/time/pcal/distinfo
+++ b/time/pcal/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2005/02/23 19:14:55 wiz Exp $
+$NetBSD: distinfo,v 1.5 2005/03/20 21:34:17 salo Exp $
 
 SHA1 (pcal-4.7.tar.bz2) = 4604067da16b7674630eb4d8894406b885e85d89
 RMD160 (pcal-4.7.tar.bz2) = d0b5380da2bbf94c5c5824f3355b583abba593bc
@@ -8,3 +8,5 @@ SHA1 (patch-ab) = 95205a855ed29f45f68bdb940f88d33133348b97
 SHA1 (patch-ac) = ab1eee4e3441268255d4bbc2d043db74d3eac2ae
 SHA1 (patch-ad) = ffd8b00dbb716df55be4a7e17f4637dad86bcd1f
 SHA1 (patch-ae) = 34ae04ae56d096b1b2294114428dc1f29af83701
+SHA1 (patch-af) = 59f064df3fa9441c22be91c1e6dd12c7ffef3a08
+SHA1 (patch-ag) = 34c442b33d47f51e4f6e82f966446a717ceb64a1
diff --git a/time/pcal/patches/patch-af b/time/pcal/patches/patch-af
new file mode 100644
index 00000000000..1669ad8830e
--- /dev/null
+++ b/time/pcal/patches/patch-af
@@ -0,0 +1,13 @@
+$NetBSD: patch-af,v 1.1 2005/03/20 21:34:17 salo Exp $
+
+--- pcalutil.c.orig	2000-02-09 17:06:23.000000000 +0100
++++ pcalutil.c	2005-03-20 22:26:14.000000000 +0100
+@@ -1111,6 +1111,8 @@
+ 				else
+ 					ungetc(c2, fp);
+ 			}
++			/* Don't overflow the buffer */
++			if ( (cp - tmpbuf) < (LINSIZ -1))
+ 			*cp++ = c;
+ 		}
+ 
diff --git a/time/pcal/patches/patch-ag b/time/pcal/patches/patch-ag
new file mode 100644
index 00000000000..6a7d343a4b1
--- /dev/null
+++ b/time/pcal/patches/patch-ag
@@ -0,0 +1,15 @@
+$NetBSD: patch-ag,v 1.1 2005/03/20 21:34:17 salo Exp $
+
+--- readfile.c.orig	2000-02-09 17:06:23.000000000 +0100
++++ readfile.c	2005-03-20 22:18:17.000000000 +0100
+@@ -1300,8 +1300,9 @@
+ {
+ 	KWD_H *p;
+ 	char tmp[STRSIZ];
++	memset(tmp,'\0',sizeof(tmp));
+ 
+-	strcpy(tmp, cp);		/* make copy without any trailing '*' */
++	strncpy(tmp, cp,sizeof(tmp)-1);		/* make copy without any trailing '*' */
+ 	if (LASTCHAR(tmp) == '*')
+ 		LASTCHAR(tmp) = '\0';
+