author | Martin Wilke <miwi@FreeBSD.org> | 2009-03-18 16:39:04 +0000 |
---|---|---|
committer | Martin Wilke <miwi@FreeBSD.org> | 2009-03-18 16:39:04 +0000 |
commit | 7e283172825ebeb575985e9f29e640418e7ac4b3 (patch) | |
tree | a96570c5a773b9031c836e1c66ad97f73767a896 /net/netatalk/files | |
parent | 7130b9a37cea2d879955158e093707e7ab7bcb8b (diff) | |
Diffstat (limited to 'net/netatalk/files')
-rw-r--r-- | net/netatalk/files/patch-CVE-2008-5718 | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/net/netatalk/files/patch-CVE-2008-5718 b/net/netatalk/files/patch-CVE-2008-5718
new file mode 100644
index 000000000000..f5befd427e20
--- /dev/null
+++ b/net/netatalk/files/patch-CVE-2008-5718
@@ -0,0 +1,143 @@
+--- etc/papd/lp.c 2005/04/28 20:49:49 1.15
++++ etc/papd/lp.c 2008/08/14 20:02:47 1.16
+@@ -258,9 +258,9 @@
+ destlen -= len;
+ }
+
+- /* stuff up to next $ */
++ /* stuff up to next % */
+ src = p + 2;
+- p = strchr(src, '$');
++ p = strchr(src, '%');
+ len = p ? MIN((size_t)(p - src), destlen) : destlen;
+ if (len > 0) {
+ strncpy(dest, src, len);
+
+--- etc/papd/lp.c 2008/08/14 20:02:47 1.16
++++ etc/papd/lp.c 2008/08/14 20:18:50 1.17
+@@ -212,10 +212,37 @@
+
+ #define is_var(a, b) (strncmp((a), (b), 2) == 0)
+
++static size_t quote(char *dest, char *src, const size_t bsize, size_t len)
++{
++size_t used = 0;
++
++ while (len && used < bsize ) {
++ switch (*src) {
++ case '$':
++ case '\\':
++ case '"':
++ case '`':
++ if (used + 2 > bsize )
++ return used;
++ *dest = '\\';
++ dest++;
++ used++;
++ break;
++ }
++ *dest = *src;
++ src++;
++ dest++;
++ len--;
++ used++;
++ }
++ return used;
++}
++
++
+ static char* pipexlate(char *src)
+ {
+ char *p, *q, *dest;
+- static char destbuf[MAXPATHLEN];
++ static char destbuf[MAXPATHLEN +1];
+ size_t destlen = MAXPATHLEN;
+ int len = 0;
+
+@@ -224,13 +251,15 @@
+ if (!src)
+ return NULL;
+
+- strncpy(dest, src, MAXPATHLEN);
+- if ((p = strchr(src, '%')) == NULL) /* nothing to do */
++ memset(dest, 0, MAXPATHLEN +1);
++ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
++ strncpy(dest, src, MAXPATHLEN);
+ return destbuf;
+-
+- /* first part of the path. just forward to the next variable. */
++ }
++ /* first part of the path. copy and forward to the next variable. */
+ len = MIN((size_t)(p - src), destlen);
+ if (len > 0) {
++ strncpy(dest, src, len);
+ destlen -= len;
+ dest += len;
+ }
+@@ -246,17 +275,20 @@
+ q = lp.lp_created_for;
+ } else if (is_var(p, "%%")) {
+ q = "%";
+- } else
+- q = p;
++ }
+
+ /* copy the stuff over. if we don't understand something that we
+ * should, just skip it over. */
+ if (q) {
+- len = MIN(p == q ? 2 : strlen(q), destlen);
++ len = MIN(strlen(q), destlen);
++ len = quote(dest, q, destlen, len);
++ }
++ else {
++ len = MIN(2, destlen);
+ strncpy(dest, q, len);
+- dest += len;
+- destlen -= len;
+ }
++ dest += len;
++ destlen -= len;
+
+ /* stuff up to next % */
+ src = p + 2;
+--- etc/papd/lp.c 2009/01/21 02:43:46 1.21
++++ etc/papd/lp.c 2009/01/28 18:03:15 1.22
+@@ -217,7 +217,26 @@
+ case '$':
+ case '\\':
+ case '"':
++ case ';':
++ case '&':
++ case '(':
++ case ')':
++ case ' ':
++ case '*':
++ case '#':
++ case '|':
++ case '>':
++ case '<':
++ case '[':
++ case ']':
++ case '{':
++ case '}':
++ case '^':
++ case '?':
++ case '~':
+ case '`':
++ case '\x0A':
++ case '\xFF':
+ if (used + 2 > bsize )
+ return used;
+ *dest = '\\';
+@@ -247,9 +266,9 @@
+ if (!src)
+ return NULL;
+
+- memset(dest, 0, MAXPATHLEN +1);
++ memset(dest, 0, sizeof(destbuf));
+ if ((p = strchr(src, '%')) == NULL) { /* nothing to do */
+- strncpy(dest, src, MAXPATHLEN);
++ strncpy(dest, src, sizeof(dest) - 1);
+ return destbuf;
+ }
+ /* first part of the path. copy and forward to the next variable. */ |
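Review bot: In the second embedded lp.c change (1.16 → 1.17), the new `else` branch of `if (q)` still runs the retained `strncpy(dest, q, len);`, and on that branch `q` is necessarily NULL, so an unrecognised `%x` variable in the printer command hands strncpy a NULL source with `len` up to 2; copying the two unknown characters from `p`, `strncpy(dest, p, len);`, would match the old `q = p` behaviour. In the last hunk (1.21 → 1.22), `strncpy(dest, src, sizeof(dest) - 1);` takes the size of the `char *dest` pointer rather than of `destbuf`, so a command containing no `%` is cut to 3 or 7 bytes; `strncpy(dest, src, sizeof(destbuf) - 1);` is what the neighbouring `memset(dest, 0, sizeof(destbuf));` implies. The escape list in `quote()` is a denylist and, as shown, has no case for `'` or tab, so an allowlist of known-safe characters would be the more robust form if these values end up in a shell command. `pipexlate()` is only partly visible in the embedded hunks, so how `q` is initialised before the `is_var` chain is not shown.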