author | Jacques Vidrine <nectar@FreeBSD.org> | 2004-04-16 16:25:36 +0000 |
---|---|---|
committer | Jacques Vidrine <nectar@FreeBSD.org> | 2004-04-16 16:25:36 +0000 |
commit | 11758f81a7c4106629caf4e47fdf27fc0f2e9f2b (patch) | |
tree | fdb7b71ba42aa65187547cad536bc3bee8795e4b /security/ident2 | |
parent | 86fa33ed95cf5f6a59f555251ae099c5000fff3a (diff) |
Jack of RaptureSecurity reported a double byte buffer overflow in
ident2. The bug may allow a remote attacker to execute arbitrary code
within the context of the ident2 daemon. The daemon typically runs as
user-ID `nobody', but with group-ID `wheel'.
Notes
Notes:
svn path=/head/; revision=107249
Diffstat (limited to 'security/ident2')
-rw-r--r-- | security/ident2/Makefile | 1 | ||||
-rw-r--r-- | security/ident2/files/patch-common.c | 53 |
2 files changed, 54 insertions, 0 deletions
diff --git a/security/ident2/Makefile b/security/ident2/Makefile
index 07010ab6561f..f4d19f4562aa 100644
--- a/security/ident2/Makefile
+++ b/security/ident2/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= ident2
 PORTVERSION= 1.04
+PORTREVISION= 1
 CATEGORIES= security net
 MASTER_SITES= http://michael.bacarella.com/projects/ident2/
 DISTNAME= ident2-v${PORTVERSION}_FINAL
diff --git a/security/ident2/files/patch-common.c b/security/ident2/files/patch-common.c
new file mode 100644
index 000000000000..490f513be938
--- /dev/null
+++ b/security/ident2/files/patch-common.c
@@ -0,0 +1,53 @@
+*** common.c.orig Fri Apr 16 10:02:41 2004
+--- common.c Fri Apr 16 10:17:43 2004
+***************
+*** 41,63 ****
+ /*
+ * a (skewed) fgets() that works on file descriptors
+ * the '\r' charecter is ignored
+ */
+ static int
+! _getl (int d, char *p, u_short l)
+ {
+! size_t n = 0;
+
+! while (read (d, p, 1) == 1) {
+ if (*p == '\n')
+ break;
+ if (*p == '\r')
+ p--; /* ignore \r */
+- p++;
+- if (n++ >= l)
+- break;
+ }
+! *p = 0;
+! return n;
+ }
+
+ /*
+--- 41,65 ----
+ /*
+ * a (skewed) fgets() that works on file descriptors
+ * the '\r' charecter is ignored
++ * returns the number of bytes written into the given
++ * buffer, including the terminating NUL
+ */
+ static int
+! _getl (int d, char *begin, u_short l)
+ {
+! char *p, *end;
+
+! end = &begin[l-1]; /* leave room for terminating NUL */
+! for (p = begin; p < end; ++p) {
+! if (read (d, p, 1) != 1)
+! break;
+ if (*p == '\n')
+ break;
+ if (*p == '\r')
+ p--; /* ignore \r */
+ }
+! *p++ = 0;
+! return p-begin;
+ }
+
+ /* |
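Review bot: In the new `_getl` (the `--- 41,65 ----` half of the context diff in patch-common.c), the bound only holds for `l >= 1`: with `l == 0`, `end = &begin[l-1]` points before the buffer, the loop is skipped, and `*p++ = 0` still stores a byte at `begin[0]`. The retained `p--` for a `'\r'` read into the first slot likewise forms `begin - 1` before `++p` restores it, which is outside what C pointer arithmetic permits even though nothing is stored there. A zero-length guard plus reading each byte into a local and storing only non-`'\r'` bytes removes both, as sketched below. The callers of `_getl` are not part of this patch, so whether any of them passes 0 is not visible here; the return value now also counts the terminating NUL, which any caller comparing against the old character count would need to account for.

```c
static int
_getl (int d, char *begin, u_short l)
{
	char *p, *end, c;

	if (l == 0)
		return 0;	/* no room even for the terminating NUL */
	end = &begin[l-1];	/* leave room for terminating NUL */
	for (p = begin; p < end; ) {
		if (read (d, &c, 1) != 1 || c == '\n')
			break;
		if (c != '\r')	/* skip \r without stepping p backwards */
			*p++ = c;
	}
	/* … unchanged: NUL termination and return p-begin … */
```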