From 2fa40f29faba45d73042f2f460a8afc1155a70c3 Mon Sep 17 00:00:00 2001
From: drochner
Date: Thu, 14 Feb 2013 16:51:32 +0000
Subject: Try to fix a possible buffer overrun (CVE-2012-4428). Didn't find a patch upstream nor anywhere else, hope this is correct. Someone please review. Being here, fix a memcpy() size bug on 64-bit systems. bump PKGREV
---
 net/openslp/Makefile | 4 ++--
 net/openslp/distinfo | 4 +++-
 net/openslp/patches/patch-CVE-2012-4428 | 42 +++++++++++++++++++++++++++++++++
 net/openslp/patches/patch-am | 15 ++++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 net/openslp/patches/patch-CVE-2012-4428
 create mode 100644 net/openslp/patches/patch-am
(limited to 'net/openslp')
diff --git a/net/openslp/Makefile b/net/openslp/Makefile
index 1d0f6e815fe..ba0441b1a2a 100644
--- a/net/openslp/Makefile
+++ b/net/openslp/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.40 2013/02/06 23:23:21 jperkin Exp $
+# $NetBSD: Makefile,v 1.41 2013/02/14 16:51:32 drochner Exp $
 DISTNAME= openslp-1.2.1
-PKGREVISION= 5
+PKGREVISION= 6
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=openslp/}
diff --git a/net/openslp/distinfo b/net/openslp/distinfo
index 64bd452dea8..3517cbe12a5 100644
--- a/net/openslp/distinfo
+++ b/net/openslp/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.16 2011/04/08 12:19:17 drochner Exp $
+$NetBSD: distinfo,v 1.17 2013/02/14 16:51:32 drochner Exp $
 SHA1 (openslp-1.2.1.tar.gz) = 47ab19154084d2b467f09525f5351e9ab7193cf9
 RMD160 (openslp-1.2.1.tar.gz) = a31d516ba784ad893a740946082fe5e0f15a37ea
 Size (openslp-1.2.1.tar.gz) = 886195 bytes
+SHA1 (patch-CVE-2012-4428) = 2ada5f48b06b9b5dd37e5e017e50372c3806c021
 SHA1 (patch-aa) = 670b3fa3c95453e5a5efca04bc83a0da06d03d2b
 SHA1 (patch-ac) = 031177b9334b570e1021887ae2bdf56f4ba02c48
 SHA1 (patch-ae) = 1332580b2d9cb3e2e5c5da219c1036b9701161e5
@@ -11,3 +12,4 @@ SHA1 (patch-ai) = 11baa3ef891677f1df78f75b93001580ff450e13
 SHA1 (patch-aj) = 8e1d32772cf59a938a4d9d9d0957d223f4ea6c06
 SHA1 (patch-ak) = e64ede590e4af9d8951177b68c4bbf1b56ebdfae
 SHA1 (patch-al) = 19fa24e2ac362c3e45413826cd139ced984e8adc
+SHA1 (patch-am) = 7b8a47f0998202aab9c82278a2c405584eb3fea4
diff --git a/net/openslp/patches/patch-CVE-2012-4428 b/net/openslp/patches/patch-CVE-2012-4428
new file mode 100644
index 00000000000..67a25a84362
--- /dev/null
+++ b/net/openslp/patches/patch-CVE-2012-4428
@@ -0,0 +1,42 @@
+$NetBSD: patch-CVE-2012-4428,v 1.1 2013/02/14 16:51:32 drochner Exp $
+
+try to prevent list overrun (upstream code is completely rewritten)
+
+--- common/slp_compare.c.orig 2005-02-15 20:07:43.000000000 +0000
++++ common/slp_compare.c
+@@ -270,9 +270,9 @@ int SLPContainsStringList(int listlen,
+ itembegin = itemend;
+
+ /* seek to the end of the next list item */
+- while(1)
++ while(itemend != listend)
+ {
+- if(itemend == listend || *itemend == ',')
++ if(*itemend == ',')
+ {
+ if(*(itemend - 1) != '\\')
+ {
+@@ -326,9 +326,9 @@ int SLPIntersectStringList(int list1len,
+ itembegin = itemend;
+
+ /* seek to the end of the next list item */
+- while(1)
++ while(itemend != listend)
+ {
+- if(itemend == listend || *itemend == ',')
++ if(*itemend == ',')
+ {
+ if(*(itemend - 1) != '\\')
+ {
+@@ -415,9 +415,9 @@ int SLPUnionStringList(int list1len,
+ itembegin = itemend;
+
+ /* seek to the end of the next list item */
+- while(1)
++ while(itemend != listend)
+ {
+- if(itemend == listend || *itemend == ',')
++ if(*itemend == ',')
+ {
+ if(*(itemend - 1) != '\\')
+ {
diff --git a/net/openslp/patches/patch-am b/net/openslp/patches/patch-am
new file mode 100644
index 00000000000..68b40fa9d70
--- /dev/null
+++ b/net/openslp/patches/patch-am
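Review bot: The escape check `if(*(itemend - 1) != '\\')` in all three embedded slp_compare.c hunks (SLPContainsStringList, SLPIntersectStringList, SLPUnionStringList) is still reached while `itemend` equals `itembegin`, because `itembegin = itemend;` runs immediately before the scan; an item that begins with a comma therefore reads the byte before the item, and if `itembegin` can be the first byte of the caller's buffer (not visible in these hunks) that is a one-byte read before the list which the new loop bound does not cover. Guarding it as `if(itemend == itembegin || *(itemend - 1) != '\\')` keeps the result for every later comma, since the byte before a later item is always the delimiter. The bound itself would be more robust as `while(itemend < listend)`: with `!=` the scan does not terminate if the enclosing loop, which starts and ends outside these hunks, ever enters it with `itemend` already past `listend`. A one-line comment above the scan saying that it stops at `listend` even when the list ends in a backslash would record why the `listend` test moved out of the `if`.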
@@ -0,0 +1,15 @@
+$NetBSD: patch-am,v 1.1 2013/02/14 16:51:32 drochner Exp $
+
+size of pointer vs size of target (fixed upstream)
+
+--- slpd/slpd_socket.c.orig 2005-02-09 00:09:46.000000000 +0000
++++ slpd/slpd_socket.c
+@@ -183,7 +183,7 @@ int DropSLPMulticastGroup(sockfd_t sockf
+ memcpy(&mreq.imr_multiaddr, maddr, sizeof(struct in_addr));
+
+ /* drop for the specified interface */
+- memcpy(&mreq.imr_interface,addr,sizeof(addr));
++ memcpy(&mreq.imr_interface,addr,sizeof(struct in_addr));
+
+ return setsockopt(sockfd, IPPROTO_IP, IP_DROP_MEMBERSHIP, (char*)&mreq,sizeof(mreq));
+ }
-- 
cgit v1.2.3
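Review bot: The corrected copy in DropSLPMulticastGroup still spells its length as a type name, `sizeof(struct in_addr)`, instead of tying it to the destination field; `memcpy(&mreq.imr_interface,addr,sizeof(mreq.imr_interface));` cannot drift from the object it fills, which is the class of mistake the old `sizeof(addr)` (the size of a pointer) was. The same form would suit the `imr_multiaddr` copy on the context line above. The function begins outside the hunk, so whether `addr` and `maddr` are checked before these copies is not visible here, and the other memcpy calls in slpd_socket.c are worth a look for the same `sizeof(addr)` pattern.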