diff options
| author | Koop Mast <kwm@FreeBSD.org> | 2017-08-20 07:59:26 +0000 |
|---|---|---|
| committer | Koop Mast <kwm@FreeBSD.org> | 2017-08-20 07:59:26 +0000 |
| commit | d28fb92beee809b5fd5479ec4d16fcece83052d9 (patch) | |
| tree | 0c209b585cc524da2853025d5d17521f8b00a065 | |
| parent | 3642c7ececb96c0343f92f7e2f03d15cee961654 (diff) | |
| download | ports-d28fb92beee809b5fd5479ec4d16fcece83052d9.tar.gz ports-d28fb92beee809b5fd5479ec4d16fcece83052d9.zip | |
MFH: r448358
Fix CVE-2017-2885
Obtained from: libsoup upstream
Security: 8e7bbddd-8338-11e7-867f-b499baebfeaf
Approved by: ports-secteam@ (delphij@)
Notes
Notes:
svn path=/branches/2017Q3/; revision=448360
| -rw-r--r-- | devel/libsoup/Makefile | 1 | ||||
| -rw-r--r-- | devel/libsoup/files/patch-libsoup_soup-filter-input-stream.c | 58 |
2 files changed, 59 insertions, 0 deletions
diff --git a/devel/libsoup/Makefile b/devel/libsoup/Makefile index 7cc5e3e48e8c..1e5163f964a8 100644 --- a/devel/libsoup/Makefile +++ b/devel/libsoup/Makefile @@ -3,6 +3,7 @@ PORTNAME= libsoup PORTVERSION= 2.52.2 +PORTREVISION= 1 CATEGORIES= devel gnome MASTER_SITES= GNOME DIST_SUBDIR= gnome2 diff --git a/devel/libsoup/files/patch-libsoup_soup-filter-input-stream.c b/devel/libsoup/files/patch-libsoup_soup-filter-input-stream.c new file mode 100644 index 000000000000..8d44c38ba9c1 --- /dev/null +++ b/devel/libsoup/files/patch-libsoup_soup-filter-input-stream.c @@ -0,0 +1,58 @@ +From 03c91c76daf70ee227f38304c5e45a155f45073d Mon Sep 17 00:00:00 2001 +From: Dan Winship <danw@gnome.org> +Date: Thu, 3 Aug 2017 09:56:43 -0400 +Subject: Fix chunked decoding buffer overrun (CVE-2017-2885) + +https://bugzilla.gnome.org/show_bug.cgi?id=785774 +--- + libsoup/soup-filter-input-stream.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/libsoup/soup-filter-input-stream.c b/libsoup/soup-filter-input-stream.c +index cde4d12..2c30bf9 100644 +--- libsoup/soup-filter-input-stream.c ++++ libsoup/soup-filter-input-stream.c +@@ -198,7 +198,7 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + GCancellable *cancellable, + GError **error) + { +- gssize nread; ++ gssize nread, read_length; + guint8 *p, *buf, *end; + gboolean eof = FALSE; + GError *my_error = NULL; +@@ -251,10 +251,11 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + } else + buf = fstream->priv->buf->data; + +- /* Scan for the boundary */ +- end = buf + fstream->priv->buf->len; +- if (!eof) +- end -= boundary_length; ++ /* Scan for the boundary within the range we can possibly return. */ ++ if (include_boundary) ++ end = buf + MIN (fstream->priv->buf->len, length) - boundary_length; ++ else ++ end = buf + MIN (fstream->priv->buf->len - boundary_length, length); + for (p = buf; p <= end; p++) { + if (*p == *(guint8*)boundary && + !memcmp (p, boundary, boundary_length)) { +@@ -268,10 +269,9 @@ soup_filter_input_stream_read_until (SoupFilterInputStream *fstream, + if (!*got_boundary && fstream->priv->buf->len < length && !eof) + goto fill_buffer; + +- /* Return everything up to 'p' (which is either just after the boundary if +- * include_boundary is TRUE, just before the boundary if include_boundary is +- * FALSE, @boundary_len - 1 bytes before the end of the buffer, or end-of- +- * file). +- */ +- return read_from_buf (fstream, buffer, p - buf); ++ if (eof && !*got_boundary) ++ read_length = MIN (fstream->priv->buf->len, length); ++ else ++ read_length = p - buf; ++ return read_from_buf (fstream, buffer, read_length); + } +-- +cgit v0.12 + |