authorjoerg <joerg>2006-01-07 21:08:12 +0000
committerjoerg <joerg>2006-01-07 21:08:12 +0000
commit00fda745f30882978b2f9b275c2ae2432e256b8a (patch)
treefa43cf59557f9db4011ff6f9f1bf849db2391b90 /x11/openmotif
parent9941bc72cef8b3581f86c38fc1c63c5b00a01d65 (diff)
Fix a number of buffer overflows in OpenMotif's UIL implementation.
For non-propolice systems this might be exploitable when the user-provided data (e.g. certain filenames) or the locale files are manipulated. Mostly-found-by: xfocus, see [xfocus-SD-051202] on VulnWatch. Some additional cases are handled which have the same impact. Bump revision.
Diffstat (limited to 'x11/openmotif')
-rw-r--r--x11/openmotif/Makefile3
-rw-r--r--x11/openmotif/distinfo4
-rw-r--r--x11/openmotif/patches/patch-bj70
-rw-r--r--x11/openmotif/patches/patch-bk16
4 files changed, 91 insertions, 2 deletions
diff --git a/x11/openmotif/Makefile b/x11/openmotif/Makefile
index 3aed4c7bc10..5b612c45e23 100644
--- a/x11/openmotif/Makefile
+++ b/x11/openmotif/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.39 2005/12/12 19:55:41 joerg Exp $
+# $NetBSD: Makefile,v 1.40 2006/01/07 21:08:12 joerg Exp $
PKGVER= 2.2.3
DISTNAME= openMotif-${PKGVER}
PKGNAME= openmotif-${PKGVER}
+PKGREVISION= 1
CATEGORIES= x11
MASTER_SITES= http://ftp.motifzone.com/src/
diff --git a/x11/openmotif/distinfo b/x11/openmotif/distinfo
index 1685a9c362b..6c67b2b0310 100644
--- a/x11/openmotif/distinfo
+++ b/x11/openmotif/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2006/01/04 15:53:15 joerg Exp $
+$NetBSD: distinfo,v 1.22 2006/01/07 21:08:12 joerg Exp $
SHA1 (openMotif-2.2.3.tar.gz) = c463653d9f8e24b35522c3ba6363ddf7a282eab4
RMD160 (openMotif-2.2.3.tar.gz) = b99230d508da57bca72b6920d28fce4187bf5179
@@ -23,3 +23,5 @@ SHA1 (patch-bf) = 211d84bccf91ed474634658a75af5d8977b052d4
SHA1 (patch-bg) = 582f455b066bd4f12160d719c885e9d8423632e5
SHA1 (patch-bh) = 09401eb3e5e6e7e911a9268f2ba0cd6ddaeed3b4
SHA1 (patch-bi) = 4dced20ce293f8635f121f77e9112e93766b9723
+SHA1 (patch-bj) = ac2b1d9fc09ff1bc712e776a3e2e469c1993c385
+SHA1 (patch-bk) = 3d8c264c8060616878dec5a7a21a479aa801e95d
diff --git a/x11/openmotif/patches/patch-bj b/x11/openmotif/patches/patch-bj
new file mode 100644
index 00000000000..ed28348d89e
--- /dev/null
+++ b/x11/openmotif/patches/patch-bj
@@ -0,0 +1,70 @@
+$NetBSD: patch-bj,v 1.3 2006/01/07 21:08:12 joerg Exp $
+
+--- clients/uil/UilDiags.c.orig 2006-01-06 20:46:16.000000000 +0100
++++ clients/uil/UilDiags.c
+@@ -293,12 +293,12 @@ void diag_issue_diagnostic
+ va_start(ap, l_start_column);
+
+ #ifndef NO_MESSAGE_CATALOG
+- vsprintf( msg_buffer,
++ vsnprintf( msg_buffer, sizeof(msg_buffer),
+ catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
+ diag_rz_msg_table[ message_number ].ac_text),
+ ap );
+ #else
+- vsprintf( msg_buffer,
++ vsnprintf( msg_buffer, sizeof(msg_buffer),
+ diag_rz_msg_table[ message_number ].ac_text,
+ ap );
+ #endif
+@@ -317,13 +317,13 @@ void diag_issue_diagnostic
+ */
+
+ #ifndef NO_MESSAGE_CATALOG
+- sprintf( loc_buffer,
++ snprintf( loc_buffer, sizeof(loc_buffer),
+ catgets(uil_catd, UIL_SET_MISC,
+ UIL_MISC_0, "\t\t line: %d file: %s"),
+ az_src_rec->w_line_number,
+ src_get_file_name( az_src_rec ) );
+ #else
+- sprintf( loc_buffer,
++ snprintf( loc_buffer, sizeof(loc_buffer),
+ "\t\t line: %d file: %s",
+ az_src_rec->w_line_number,
+ src_get_file_name( az_src_rec ) );
+@@ -371,7 +371,7 @@ void diag_issue_diagnostic
+
+ if (l_start_column != diag_k_no_column)
+ #ifndef NO_MESSAGE_CATALOG
+- sprintf(loc_buffer,
++ snprintf(loc_buffer, sizeof(loc_buffer),
+ catgets(uil_catd, UIL_SET_MISC,
+ UIL_MISC_1,
+ "\t\t line: %d position: %d file: %s"),
+@@ -379,7 +379,7 @@ void diag_issue_diagnostic
+ l_start_column + 1,
+ src_get_file_name( az_src_rec ) );
+ #else
+- sprintf(loc_buffer,
++ snprintf(loc_buffer, sizeof(loc_buffer),
+ "\t\t line: %d position: %d file: %s",
+ az_src_rec->w_line_number,
+ l_start_column + 1,
+@@ -387,13 +387,14 @@ void diag_issue_diagnostic
+ #endif
+ else
+ #ifndef NO_MESSAGE_CATALOG
+- sprintf( loc_buffer, catgets(uil_catd, UIL_SET_MISC,
++ snprintf( loc_buffer, sizeof(loc_buffer),
++ catgets(uil_catd, UIL_SET_MISC,
+ UIL_MISC_0,
+ "\t\t line: %d file: %s"),
+ az_src_rec->w_line_number,
+ src_get_file_name( az_src_rec ) );
+ #else
+- sprintf( loc_buffer,
++ snprintf( loc_buffer, sizeof(loc_buffer),
+ "\t\t line: %d file: %s",
+ az_src_rec->w_line_number,
+ src_get_file_name( az_src_rec ) );
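Review bot: The format strings in the `#ifndef NO_MESSAGE_CATALOG` branches still come from `catgets()`, so bounding the write with `vsnprintf`/`snprintf` stops the overflow but does not help when a catalog entry's conversions do not match the arguments passed (for example a `%s` where `az_src_rec->w_line_number` is supplied). The commit message itself names manipulated locale files as an input, so it would be worth either checking the catalog string's conversions against the built-in default text before use or falling back to the default text for the `loc_buffer` messages. The return values are also ignored, so a truncated diagnostic is emitted silently; a comment such as `/* output may be truncated to sizeof(loc_buffer) */` would record that this is intended. `sizeof(msg_buffer)` and `sizeof(loc_buffer)` are only correct if both are arrays in scope; their declarations and the rest of diag_issue_diagnostic lie outside these hunks.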
diff --git a/x11/openmotif/patches/patch-bk b/x11/openmotif/patches/patch-bk
new file mode 100644
index 00000000000..0ea84c1ff0b
--- /dev/null
+++ b/x11/openmotif/patches/patch-bk
@@ -0,0 +1,16 @@
+$NetBSD: patch-bk,v 1.1 2006/01/07 21:08:12 joerg Exp $
+
+--- clients/uil/UilSrcSrc.c.orig 2006-01-06 20:50:23.000000000 +0100
++++ clients/uil/UilSrcSrc.c
+@@ -629,8 +629,10 @@ open_source_file( XmConst char
+ char buffer[256];
+
+
+- /* place the file name in the expanded_name buffer */
++ if (strlen(c_file_name) >= sizeof(buffer + 1))
++ return src_k_open_error;
+
++ /* place the file name in the expanded_name buffer */
+ strcpy(buffer, c_file_name);
+
+ /* Determine if this is the main file or an include file. */
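Review bot: The added guard uses `sizeof(buffer + 1)`, which is the size of a `char *` (the array decays to a pointer in `buffer + 1`), not the 256 bytes of `buffer`, so any file name whose length is at least the pointer size is rejected with `src_k_open_error`. The `strcpy` below stays in bounds, but legitimate paths will fail to open; the check was presumably meant as `if (strlen(c_file_name) >= sizeof(buffer))`. open_source_file continues past the end of the hunk, so later uses of `buffer` are not visible here.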