From 15e280fa490a36d267eba16d4a47b1b43250caad Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 12 Oct 2004 18:28:28 +0000 Subject: Update gzip to 1.2.4b, fixing a filename buffer overflow. --- archivers/gzip-base/Makefile | 5 ++--- archivers/gzip-base/distinfo | 3 ++- archivers/gzip-base/patches/patch-ab | 22 ++++++++++++++++++++++ archivers/gzip/Makefile | 9 ++++----- 4 files changed, 30 insertions(+), 9 deletions(-) create mode 100644 archivers/gzip-base/patches/patch-ab (limited to 'archivers') diff --git a/archivers/gzip-base/Makefile b/archivers/gzip-base/Makefile index a725f16a16f..32d04b6422a 100644 --- a/archivers/gzip-base/Makefile +++ b/archivers/gzip-base/Makefile @@ -1,9 +1,8 @@ -# $NetBSD: Makefile,v 1.16 2004/07/02 21:06:35 minskim Exp $ +# $NetBSD: Makefile,v 1.17 2004/10/12 18:28:28 tv Exp $ # DISTNAME= gzip-1.2.4a -PKGNAME= ${DISTNAME:S/gzip-/gzip-base-/} -PKGREVISION= 1 +PKGNAME= ${DISTNAME:S/gzip-/gzip-base-/:S/a$/b/} SVR4_PKGNAME= gzipb CATEGORIES= archivers MASTER_SITES= ${MASTER_SITE_GNU:=gzip/} diff --git a/archivers/gzip-base/distinfo b/archivers/gzip-base/distinfo index 8d31efc64a7..6df08ff7bf8 100644 --- a/archivers/gzip-base/distinfo +++ b/archivers/gzip-base/distinfo @@ -1,5 +1,6 @@ -$NetBSD: distinfo,v 1.3 2004/05/07 21:41:43 reed Exp $ +$NetBSD: distinfo,v 1.4 2004/10/12 18:28:28 tv Exp $ SHA1 (gzip-1.2.4a.shar) = 1e1e513f48be32ecfe24c06b609329963d5a5288 Size (gzip-1.2.4a.shar) = 832431 bytes SHA1 (patch-aa) = 449d3eb975b9ddc634ba0b3a245381f3f3e1f5e1 +SHA1 (patch-ab) = e198a1d9a90a8b626b178ef7b5beabc729c6367d diff --git a/archivers/gzip-base/patches/patch-ab b/archivers/gzip-base/patches/patch-ab new file mode 100644 index 00000000000..a903b99910b --- /dev/null +++ b/archivers/gzip-base/patches/patch-ab 
@@ -0,0 +1,22 @@ +$NetBSD: patch-ab,v 1.1 2004/10/12 18:28:29 tv Exp $ + +From http://www.gzip.org/gzip-1.2.4b.patch - security fix for filenames +over 1020 caharacters long. + +--- gzip.c Thu Aug 19 15:39:43 1993 ++++ gzip.c Tue Jan 8 21:44:18 2002 +@@ -1005,7 +1005,14 @@ + #ifdef NO_MULTIPLE_DOTS + char *dot; /* pointer to ifname extension, or NULL */ + #endif ++ int max_suffix_len = (z_len > 3 ? z_len : 3); + ++ /* Leave enough room in ifname or ofname for suffix: */ ++ if (strlen(iname) >= sizeof(ifname) - max_suffix_len) { ++ strncpy(ifname, iname, sizeof(ifname) - 1); ++ /* last byte of ifname is already zero and never overwritten */ ++ error("file name too long"); ++ } + strcpy(ifname, iname); + + /* If input file exists, return OK. */ diff --git a/archivers/gzip/Makefile b/archivers/gzip/Makefile index d6785263b6a..218b271d2c9 100644 --- a/archivers/gzip/Makefile +++ b/archivers/gzip/Makefile @@ -1,8 +1,7 @@ -# $NetBSD: Makefile,v 1.13 2004/07/02 21:06:35 minskim Exp $ +# $NetBSD: Makefile,v 1.14 2004/10/12 18:28:28 tv Exp $ # -DISTNAME= gzip-1.2.4a -PKGREVISION= 1 +DISTNAME= gzip-1.2.4b CATEGORIES= archivers MASTER_SITES= # empty DISTFILES= # empty @@ -11,8 +10,8 @@ MAINTAINER= tech-pkg@NetBSD.org HOMEPAGE= http://www.gnu.org/software/gzip/gzip.html COMMENT= The "meta-package" for the GZIP compression utility -DEPENDS+= gzip-base-1.2.4anb1:../../archivers/gzip-base -DEPENDS+= gzip-info-1.2.4a:../../archivers/gzip-info +DEPENDS+= gzip-base-1.2.4b{,nb[0-9]*}:../../archivers/gzip-base +DEPENDS+= gzip-info-1.2.4*:../../archivers/gzip-info PKG_INSTALLATION_TYPES= overwrite pkgviews -- cgit v1.2.3
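Review bot: The length guard added in patch-ab protects the unchanged `strcpy(ifname, iname);` only if `error("file name too long")` never returns, which the hunk does not show; a comment such as `/* error() does not return, so the strcpy below only sees names that fit */` would make that dependency explicit. The truncating `strncpy` relies on the last byte of `ifname` already being zero, as its own comment says, so adding `ifname[sizeof(ifname) - 1] = '\0';` after it would remove the dependence on earlier state. The bound `sizeof(ifname) - max_suffix_len` mixes `size_t` with `int`, so it only holds while `z_len` is smaller than the buffer; `z_len` is presumably range-checked where the suffix option is parsed, but that is outside this hunk and worth confirming. The enclosing function starts and ends outside the hunk.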