authorJoe Marcus Clarke <marcus@FreeBSD.org>2004-08-12 20:38:43 +0000
committerJoe Marcus Clarke <marcus@FreeBSD.org>2004-08-12 20:38:43 +0000
commitef8ce85600799cc5fcba8aed92e721f3d4501d24 (patch)
treed907e6d859c5e6ac0976fbd0f7220eb7546a9355 /net
parentupdate to 0.4.94 (diff)
Fix the remotely exploitable buffer overflows in the MSN protocol.
Submitted by: nectar Obtained from: Sebastian Krahmer
Notes
Notes: svn path=/head/; revision=116064
Diffstat (limited to 'net')
-rw-r--r--net/gaim/Makefile3
-rw-r--r--net/gaim/files/patch-msn45
2 files changed, 46 insertions, 2 deletions
diff --git a/net/gaim/Makefile b/net/gaim/Makefile
index 8d19f30f0bb7..1dd76e2958eb 100644
--- a/net/gaim/Makefile
+++ b/net/gaim/Makefile
@@ -6,12 +6,11 @@
PORTNAME= gaim
PORTVERSION= 0.81
+PORTREVISION= 1
CATEGORIES?= net
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
-FORBIDDEN= MSN component contains remotely exploitable buffer overflows http://vuxml.freebsd.org/5b8f9a02-ec93-11d8-b913-000c41e2cdad.html
-
MAINTAINER?= marcus@FreeBSD.org
COMMENT= Multi-protocol instant messaging client
diff --git a/net/gaim/files/patch-msn b/net/gaim/files/patch-msn
new file mode 100644
index 000000000000..58f47d5324f1
--- /dev/null
+++ b/net/gaim/files/patch-msn
@@ -0,0 +1,45 @@
+--- src/protocols/msn/slp.c.orig 2004-08-09 11:21:34.000000000 +0200
++++ src/protocols/msn/slp.c 2004-08-09 11:21:42.000000000 +0200
+@@ -640,13 +640,17 @@
+ /* It's not valid. Kill this off. */
+ char temp[32];
+ const char *c;
++ size_t offset;
+
++ memset(temp, 0, sizeof(temp));
+ /* Eww */
+ if ((c = strchr(status, '\r')) || (c = strchr(status, '\n')) ||
+ (c = strchr(status, '\0')))
+ {
+- strncpy(temp, status, c - status);
+- temp[c - status] = '\0';
++ offset = c - status;
++ if (offset >= sizeof(temp))
++ offset = sizeof(temp) - 1;
++ strncpy(temp, status, offset);
+ }
+
+ gaim_debug_error("msn", "Received non-OK result: %s\n", temp);
+--- src/protocols/msn/object.c.orig 2004-06-06 05:42:54.000000000 +0200
++++ src/protocols/msn/object.c 2004-08-09 11:30:43.000000000 +0200
+@@ -35,11 +35,17 @@
+ if ((tag = strstr(str, id "=\"")) != NULL) \
+ { \
+ char buf[16]; \
++ size_t offset; \
+ tag += strlen(id "=\""); \
+ c = strchr(tag, '"'); \
+- strncpy(buf, tag, c - tag); \
+- buf[c - tag] = '\0'; \
+- obj->field = atoi(buf); \
++ if (c != NULL) { \
++ memset(buf, 0, sizeof(buf)); \
++ offset = c - tag; \
++ if (offset >= sizeof(buf)) \
++ offset = sizeof(buf) - 1; \
++ strncpy(buf, tag, offset); \
++ obj->field = atoi(buf); \
++ } \
+ }
+
+ static GList *local_objs;
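Review bot: In the object.c macro the clamped buffer is still parsed with `atoi(buf)`, which reports no error and has undefined behaviour when the digits do not fit in an int; with `buf[16]`, up to 15 digits of what is presumably peer-supplied text can reach it. Prefer `strtol` with a range check (with locals `long v; char *end;`): `errno = 0; v = strtol(buf, &end, 10);` followed by `if (end != buf && errno != ERANGE && v >= INT_MIN && v <= INT_MAX) obj->field = (int)v;`. An overlong value is also silently truncated, and a missing closing quote leaves the field untouched with no log line, so a `gaim_debug_error` call on both paths would help when triaging malformed objects. The macro's `#define` line and the enclosing slp.c function both start outside the hunk. Any sibling macro in object.c that repeats the `strchr(tag, '"')` pattern presumably needs the same NULL check, but none is visible here.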