authorNiels Heinen <niels@FreeBSD.org>2005-02-01 09:32:47 +0000
committerNiels Heinen <niels@FreeBSD.org>2005-02-01 09:32:47 +0000
commit4623e0c26127215f0446d81029d0137fd6d19113 (patch)
treec468f8e5fa6830ef1f8e73c4a868e489189ac75d /news
parentFixed a buffer overflow vulnerability in the NNTP server (diff)
Fixed insecure sscanf usage (no length checking) in the processing
of NNTP server responses.

Approved by: nectar (mentor), maintainer (timeout)
VuXML: http://vuxml.freebsd.org/76e0b133-6bfd-11d9-a5df-00065be4b5b6.html
Notes
Notes: svn path=/head/; revision=127834
Diffstat (limited to 'news')
-rw-r--r--news/newsfetch/Makefile2
-rw-r--r--news/newsfetch/files/patch-nntp.c52
2 files changed, 43 insertions, 11 deletions
diff --git a/news/newsfetch/Makefile b/news/newsfetch/Makefile
index e5dd3ffe67e6..93e934f57d76 100644
--- a/news/newsfetch/Makefile
+++ b/news/newsfetch/Makefile
@@ -7,7 +7,7 @@
PORTNAME= newsfetch
PORTVERSION= 1.21
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= news
MASTER_SITES= ${MASTER_SITE_SUNSITE}
MASTER_SITE_SUBDIR= system/news/readers
diff --git a/news/newsfetch/files/patch-nntp.c b/news/newsfetch/files/patch-nntp.c
index 19d5a9a04534..55053131253a 100644
--- a/news/newsfetch/files/patch-nntp.c
+++ b/news/newsfetch/files/patch-nntp.c
@@ -1,6 +1,14 @@
---- nntp.c.orig Sat Aug 3 19:24:46 2002
-+++ nntp.c Sat Aug 3 19:26:29 2002
-@@ -33,7 +33,7 @@
+--- nntp.c.orig Thu Jul 23 12:03:11 1998
++++ nntp.c Thu Jan 27 17:19:01 2005
+@@ -20,6 +20,7 @@
+
+ char *header;
+ #define MAXBUFSIZE 500
++#define GROUP_FMT "%99s"
+ char command_buf[MAXBUFSIZE+1];
+
+ readNNTPdata()
+@@ -33,7 +34,7 @@
{
/* dummy read to flush input */
readNNTPdata();
@@ -9,7 +17,17 @@
readNNTPdata();
return(get_error(command_buf));
}
-@@ -151,7 +151,7 @@
+@@ -140,7 +141,8 @@
+ else
+ fprintf(rctmpfp,"%s",command_buf);
+ }
+- items_read=sscanf(command_buf,"%s %d %d", group, &first_article, &max_article);
++ items_read=sscanf(command_buf,GROUP_FMT "%d %d", group, &first_article, &max_article);
++ group[sizeof(group)-1] = '\0';
+ if(items_read < 2)
+ return(0);
+ return(items_read);
+@@ -151,7 +153,7 @@
int first_art, last_art, total_art, tmp ;
fprintf(stderr,"%s: ",group);
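Review bot: The `%99s` width in `GROUP_FMT` bounds the write into `group` only if `group` is an array of at least 100 chars, and its declaration is not visible in this hunk (the enclosing function starts outside it). If `group` is a pointer, `group[sizeof(group)-1] = '\0'` writes at the pointer size minus one and truncates the name instead of terminating the buffer; `%99s` already NUL-terminates on a successful conversion. I would tie the width and the buffers to one constant, e.g. `#define GROUP_LEN 100` with `char groupname[GROUP_LEN];`, and put a comment next to `GROUP_FMT` saying its width must stay `GROUP_LEN - 1`. The `groupname` calls in the `@@ -63,7 +81,21 @@` hunk use the same pattern (there `char groupname[100]` is visible) but ignore the sscanf return value, so a response line with no token leaves stale or uninitialised bytes to be printed; checking for `== 1` before the `fprintf` would close that.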
@@ -18,7 +36,7 @@
readNNTPdata();
#ifdef DEBUG
-@@ -180,7 +180,7 @@
+@@ -180,7 +182,7 @@
first_article = last_art - max_article + 1;
}
@@ -27,7 +45,7 @@
readNNTPdata();
while(!get_error1(command_buf))
-@@ -196,7 +196,7 @@
+@@ -196,7 +198,7 @@
return(0);
}
@@ -36,7 +54,7 @@
readNNTPdata();
}
fprintf(stderr,"articles %d to %d\n",first_article,last_art);
-@@ -256,7 +256,7 @@
+@@ -256,7 +258,7 @@
fprintf(stderr," %c",0xd);
}
@@ -45,7 +63,7 @@
readNNTPdata();
if(!get_error(command_buf))
return(0);
-@@ -275,7 +275,7 @@
+@@ -275,7 +277,7 @@
}
/* Make it little fast */
@@ -54,7 +72,7 @@
article_fetching=1;
-@@ -329,7 +329,7 @@
+@@ -329,17 +331,19 @@
char groupname[100];
fprintf(stderr, "\nList of NewsGroups:\n");
@@ -63,7 +81,21 @@
readNNTPdata();
if(!get_error2(command_buf))
exit(1);
-@@ -348,7 +348,7 @@
+ readNNTPdata();
+- sscanf(command_buf,"%s",groupname);
++ sscanf(command_buf,GROUP_FMT,groupname);
++ groupname[sizeof(groupname)-1] = '\0';
+ while(command_buf[0] != '.' || command_buf[1] != 13 )/*|| command_buf[1] != 10)*/
+ {
+ fprintf(stderr,"%s\n",groupname);
+ readNNTPdata();
+- sscanf(command_buf,"%s",groupname);
++ sscanf(command_buf,GROUP_FMT,groupname);
++ groupname[sizeof(groupname)-1] = '\0';
+ }
+ exit(1);
+
+@@ -348,7 +352,7 @@
sendQuit()
{