authorCy Schubert <cy@FreeBSD.org>2005-03-31 18:46:44 +0000
committerCy Schubert <cy@FreeBSD.org>2005-03-31 18:46:44 +0000
commit9d07f2a70e721bbca48833850eb115cbc1158565 (patch)
tree0d32e4e3748179b0007bff39e622ea72e5d8d8dd /security/krb5-16
parent- Really fix packing list. (diff)
Implement a fix for MITKRB5-SA-2005-001: buffer overflows in telnet client.
Approved by: portsmgr (krion) Obtained from: Tom Yu <tlyu@mit.edu> on kerberos-announce
Diffstat (limited to 'security/krb5-16')
-rw-r--r--security/krb5-16/Makefile1
-rw-r--r--security/krb5-16/files/patch-appl::telnet::telnet::telnet.c95
2 files changed, 96 insertions, 0 deletions
diff --git a/security/krb5-16/Makefile b/security/krb5-16/Makefile
index 06e262d6d409..f1bddec939d9 100644
--- a/security/krb5-16/Makefile
+++ b/security/krb5-16/Makefile
@@ -7,6 +7,7 @@
PORTNAME= krb5
PORTVERSION= 1.3.6
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PORTVERSION:C/\.[0-9]*$//}/
EXTRACT_SUFX= .tar
diff --git a/security/krb5-16/files/patch-appl::telnet::telnet::telnet.c b/security/krb5-16/files/patch-appl::telnet::telnet::telnet.c
new file mode 100644
index 000000000000..29f0d2c5ec40
--- /dev/null
+++ b/security/krb5-16/files/patch-appl::telnet::telnet::telnet.c
@@ -0,0 +1,95 @@
+Index: appl/telnet/telnet/telnet.c
+===================================================================
+RCS file: appl/telnet/telnet/telnet.c,v
+retrieving revision 5.18
+diff -c -r5.18 telnet.c
+*** telnet.c 15 Nov 2002 20:21:35 -0000 5.18
+--- telnet.c 15 Mar 2005 18:59:32 -0000
+***************
+*** 1475,1480 ****
+--- 1475,1482 ----
+ unsigned char flags;
+ cc_t value;
+ {
++ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
++ return;
+ if ((*slc_replyp++ = func) == IAC)
+ *slc_replyp++ = IAC;
+ if ((*slc_replyp++ = flags) == IAC)
+***************
+*** 1488,1498 ****
+ {
+ register int len;
+
+- *slc_replyp++ = IAC;
+- *slc_replyp++ = SE;
+ len = slc_replyp - slc_reply;
+! if (len <= 6)
+ return;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+--- 1490,1501 ----
+ {
+ register int len;
+
+ len = slc_replyp - slc_reply;
+! if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+ return;
++ *slc_replyp++ = IAC;
++ *slc_replyp++ = SE;
++ len += 2;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+***************
+*** 1645,1650 ****
+--- 1648,1654 ----
+ register unsigned char *ep;
+ {
+ register unsigned char *vp, c;
++ unsigned int len, olen, elen;
+
+ if (opt_reply == NULL) /*XXX*/
+ return; /*XXX*/
+***************
+*** 1662,1680 ****
+ return;
+ }
+ vp = env_getvalue(ep);
+! if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+! strlen((char *)ep) + 6 > opt_replyend)
+ {
+! register unsigned int len;
+! opt_replyend += OPT_REPLY_SIZE;
+! len = opt_replyend - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
+--- 1666,1684 ----
+ return;
+ }
+ vp = env_getvalue(ep);
+! elen = 2 * (vp ? strlen((char *)vp) : 0) +
+! 2 * strlen((char *)ep) + 6;
+! if ((opt_replyend - opt_replyp) < elen)
+ {
+! len = opt_replyend - opt_reply + elen;
+! olen = opt_replyp - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + olen;
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
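Review bot: The bounds check added in the 1475 sub-hunk reserves 6 bytes for the worst-case IAC-doubled triplet but not the 2-byte IAC SE trailer, so a reply that grows to within two bytes of `sizeof(slc_reply)` is later discarded whole by the new `len + 2 > sizeof(slc_reply)` test in the 1490 sub-hunk. Both paths return silently before `ring_supply_data`, which keeps the writes in bounds but means nothing is sent at all, rather than the entries that did fit. Reserving the trailer up front, `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply))`, would guarantee the trailer always fits and make the second size test a pure safety net. The declaration of `slc_reply` and the start of both functions lie outside the context shown, so the buffer size and the 4-byte header assumption behind `len <= 4` should be confirmed against the full file.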