From 7ce55173368542803e7592a7108b667886885881 Mon Sep 17 00:00:00 2001 From: salo Date: Tue, 9 Nov 2004 08:50:38 +0000 Subject: Pullup ticket 134 - requested by Matthias Scheler security fix for mpg123 Module Name: pkgsrc Committed By: tron Date: Sun Nov 7 08:55:04 UTC 2004 Modified Files: pkgsrc/audio/mpg123: Makefile distinfo pkgsrc/audio/mpg123-esound: Makefile pkgsrc/audio/mpg123-nas: Makefile pkgsrc/audio/mpg123/patches: patch-aq Log Message: Add fix for security vulnerability reported in CAN-2004-0982 based on patches from Debian's advisory DSA-578. Bump package revision because of this fix.
---
 audio/mpg123-esound/Makefile | 4 ++-- audio/mpg123-nas/Makefile | 4 ++-- audio/mpg123/Makefile | 4 ++-- audio/mpg123/distinfo | 4 ++-- audio/mpg123/patches/patch-aq | 50 ++++++++++++++++++++++++++++++++++++++++--- 5 files changed, 55 insertions(+), 11 deletions(-)
diff --git a/audio/mpg123-esound/Makefile b/audio/mpg123-esound/Makefile
index df770a7dfae..9083db322b2 100644
--- a/audio/mpg123-esound/Makefile
+++ b/audio/mpg123-esound/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.7 2004/09/07 22:14:10 salo Exp $
+# $NetBSD: Makefile,v 1.7.2.1 2004/11/09 08:50:38 salo Exp $
 PKGNAME= mpg123-esound-${MPG123_VERSION}
-PKGREVISION= 2
+PKGREVISION= 4
 COMMENT= Command-line player for mpeg layer 1, 2 and 3 audio with EsounD
 TARGET_SUFFIX= -esd
diff --git a/audio/mpg123-nas/Makefile b/audio/mpg123-nas/Makefile
index d89e78bb784..b547075e67b 100644
--- a/audio/mpg123-nas/Makefile
+++ b/audio/mpg123-nas/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.9 2004/09/07 22:14:10 salo Exp $
+# $NetBSD: Makefile,v 1.9.2.1 2004/11/09 08:50:38 salo Exp $
 PKGNAME= mpg123${TARGET_SUFFIX}-${MPG123_VERSION}
-PKGREVISION= 4
+PKGREVISION= 5
 COMMENT= Command-line player for mpeg layer 1, 2 and 3 audio with NAS output
 TARGET_SUFFIX= -nas
diff --git a/audio/mpg123/Makefile b/audio/mpg123/Makefile
index e10b723e2d1..bcfe50a9ceb 100644
--- a/audio/mpg123/Makefile
+++ b/audio/mpg123/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.36 2004/09/07 22:14:09 salo Exp $
+# $NetBSD: Makefile,v 1.36.2.1 2004/11/09 08:50:38 salo Exp $
 PKGNAME= mpg123-${MPG123_VERSION}
-PKGREVISION= 4
+PKGREVISION= 5
 COMMENT= Command-line player for mpeg layer 1, 2 and 3 audio
 CONFLICTS+= mpg123-nas-[0-9]*
diff --git a/audio/mpg123/distinfo b/audio/mpg123/distinfo
index d1fea081646..804b31c2807 100644
--- a/audio/mpg123/distinfo
+++ b/audio/mpg123/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2004/09/07 22:14:09 salo Exp $
+$NetBSD: distinfo,v 1.18.2.1 2004/11/09 08:50:38 salo Exp $
 SHA1 (mpg123/mpg123-0.59r.tar.gz) = c32fe242f4506d218bd19a51a4034da9fdc79493
 Size (mpg123/mpg123-0.59r.tar.gz) = 159028 bytes
@@ -20,5 +20,5 @@ SHA1 (patch-am) = 661c1f95f65145f4e08706eb3f6fe975118a2822
 SHA1 (patch-an) = 08917e1825adcfd870bb2c61ae865339da7c45ef
 SHA1 (patch-ao) = 40961a43cc3dbebf71deee1c240907896d297304
 SHA1 (patch-ap) = b35e7f6739a8b4979412793c7b3f2f7f5a9f15a7
-SHA1 (patch-aq) = ea443c1d45d856f360d2ccba3e5e2d058ac65007
+SHA1 (patch-aq) = a993d815b6657b9a2241b2e3f0ba30d6c2861230
 SHA1 (patch-ar) = 6238d6f2ff3f3abf4fd47bc36edcf6696d76fea4
diff --git a/audio/mpg123/patches/patch-aq b/audio/mpg123/patches/patch-aq
index 311269f68b7..049363142d1 100644
--- a/audio/mpg123/patches/patch-aq
+++ b/audio/mpg123/patches/patch-aq
@@ -1,7 +1,7 @@
-$NetBSD: patch-aq,v 1.1 2004/02/10 09:32:47 tron Exp $
+$NetBSD: patch-aq,v 1.1.8.1 2004/11/09 08:50:38 salo Exp $
---- httpget.c.orig Tue Feb 10 10:14:29 2004
-+++ httpget.c Tue Feb 10 10:18:07 2004
+--- httpget.c.orig 2004-11-07 09:47:28.000000000 +0100
++++ httpget.c 2004-11-07 09:49:34.000000000 +0100
 @@ -55,11 +55,10 @@
 #endif
 int pos = 0;
@@ -23,3 +23,47 @@ $NetBSD: patch-aq,v 1.1 2004/02/10 09:32:47 tron Exp $
 }
 void encode64 (char *source,char *destination)
+@@ -111,7 +111,7 @@
+ }
+
+ /* VERY simple auth-from-URL grabber */
+-int getauthfromURL(char *url,char *auth)
++int getauthfromURL(char *url,char *auth,unsigned long authlen)
+ {
+ char *pos;
+
+@@ -126,9 +126,13 @@
+ if( url[i] == '/' )
+ return 0;
+ }
++ if (pos-url >= authlen) {
++ fprintf (stderr, "Error: authentication data exceeds max. length.\n");
++ return -1;
++ }
+ strncpy(auth,url,pos-url);
+ auth[pos-url] = 0;
+- strcpy(url,pos+1);
++ memmove(url,pos+1,strlen(pos+1)+1);
+ return 1;
+ }
+ return 0;
+@@ -265,7 +269,10 @@
+ strncpy (purl, url, 1023);
+ purl[1023] = '\0';
+
+- getauthfromURL(purl,httpauth1);
++ if (getauthfromURL(purl,httpauth1,sizeof(httpauth1)) < 0) {
++ sock = -1;
++ goto exit;
++ }
+
+ do {
+ strcpy (request, "GET ");
+@@ -399,6 +406,7 @@
+ fprintf (stderr, "Too many HTTP relocations.\n");
+ exit (1);
+ }
++exit:
+ free (purl);
+ free (request);
+ free(host);
-- cgit v1.2.3
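Review bot: The new early exit (`goto exit` right after the `getauthfromURL()` call) lands on `free(host)`, yet in the lines shown nothing has assigned `host` at that point, since the jump is taken before the `do` loop starts. `host` is declared outside this hunk, so this is only safe if it is initialised to NULL there; otherwise the over-long-credentials path, which is the one reached with untrusted URLs, calls `free()` on an indeterminate pointer. I would add `host = NULL;` ahead of the `getauthfromURL` call (or initialise it at its declaration) and confirm that `sock` is what the function returns after the label. Separately, `sizeof(httpauth1)` is the right bound only if `httpauth1` is an array rather than a pointer, which the hunk does not show, and a label named `exit` sitting a few lines below a call to `exit (1)` is easy to misread; `out` or `cleanup` would be clearer.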