summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorJacques Vidrine <nectar@FreeBSD.org>2004-04-16 16:25:36 +0000
committerJacques Vidrine <nectar@FreeBSD.org>2004-04-16 16:25:36 +0000
commit11758f81a7c4106629caf4e47fdf27fc0f2e9f2b (patch)
treefdb7b71ba42aa65187547cad536bc3bee8795e4b /security
parentAdd mod_auth_useragent 1.0 (diff)
Jack of RaptureSecurity reported a double byte buffer overflow in
ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID `nobody', but with group-ID `wheel'.
Diffstat (limited to 'security')
-rw-r--r--security/ident2/Makefile1
-rw-r--r--security/ident2/files/patch-common.c53
2 files changed, 54 insertions, 0 deletions
diff --git a/security/ident2/Makefile b/security/ident2/Makefile
index 07010ab6561f..f4d19f4562aa 100644
--- a/security/ident2/Makefile
+++ b/security/ident2/Makefile
@@ -7,6 +7,7 @@
PORTNAME= ident2
PORTVERSION= 1.04
+PORTREVISION= 1
CATEGORIES= security net
MASTER_SITES= http://michael.bacarella.com/projects/ident2/
DISTNAME= ident2-v${PORTVERSION}_FINAL
diff --git a/security/ident2/files/patch-common.c b/security/ident2/files/patch-common.c
new file mode 100644
index 000000000000..490f513be938
--- /dev/null
+++ b/security/ident2/files/patch-common.c
@@ -0,0 +1,53 @@
+*** common.c.orig Fri Apr 16 10:02:41 2004
+--- common.c Fri Apr 16 10:17:43 2004
+***************
+*** 41,63 ****
+ /*
+ * a (skewed) fgets() that works on file descriptors
+ * the '\r' charecter is ignored
+ */
+ static int
+! _getl (int d, char *p, u_short l)
+ {
+! size_t n = 0;
+
+! while (read (d, p, 1) == 1) {
+ if (*p == '\n')
+ break;
+ if (*p == '\r')
+ p--; /* ignore \r */
+- p++;
+- if (n++ >= l)
+- break;
+ }
+! *p = 0;
+! return n;
+ }
+
+ /*
+--- 41,65 ----
+ /*
+ * a (skewed) fgets() that works on file descriptors
+ * the '\r' charecter is ignored
++ * returns the number of bytes written into the given
++ * buffer, including the terminating NUL
+ */
+ static int
+! _getl (int d, char *begin, u_short l)
+ {
+! char *p, *end;
+
+! end = &begin[l-1]; /* leave room for terminating NUL */
+! for (p = begin; p < end; ++p) {
+! if (read (d, p, 1) != 1)
+! break;
+ if (*p == '\n')
+ break;
+ if (*p == '\r')
+ p--; /* ignore \r */
+ }
+! *p++ = 0;
+! return p-begin;
+ }
+
+ /*