From c79324b8fc14576f7aa5a7b144a2767a74e8a595 Mon Sep 17 00:00:00 2001
From: "Simon L. B. Nielsen" <simon@FreeBSD.org>
Date: Wed, 13 Oct 2004 10:17:01 +0000
Subject: Security update to sharutils: - Fix two buffer overflows. [1] - Fix
 format string handling problems with command line parsing   shar -o. [2]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Obtained from:	Gentoo [1] [2]
Patch by:	Michael Schröder [2]
VuXML:		26c9e8c6-1c99-11d9-814e-0001020eed82 [1]
Approved by:	erwin
---
 archivers/sharutils/files/patch-buffer-check | 98 ++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 archivers/sharutils/files/patch-buffer-check

(limited to 'archivers/sharutils/files/patch-buffer-check')

diff --git a/archivers/sharutils/files/patch-buffer-check b/archivers/sharutils/files/patch-buffer-check
new file mode 100644
index 000000000000..46cf35e8a7f4
--- /dev/null
+++ b/archivers/sharutils/files/patch-buffer-check
@@ -0,0 +1,98 @@
+Index: src/shar.c
+===================================================================
+RCS file: /home/ke/cvsroot/sharutils/src/shar.c,v
+retrieving revision 1.22
+diff -u -r1.22 shar.c
+--- src/shar.c	2 Dec 2002 20:52:10 -0000	1.22
++++ src/shar.c	15 May 2004 09:13:16 -0000
+@@ -255,11 +255,11 @@
+ /* Position for first file in the shar file.  */
+ static off_t first_file_position;
+ 
+-/* Base for output filename.  FIXME: No fix limit in GNU... */
+-static char output_base_name[50];
++/* Base for output filename.  */
++static char *output_base_name;
+ 
+-/* Actual output filename.  FIXME: No fix limit in GNU... */
+-static char output_filename[50];
++/* Actual output filename.  */
++static char *output_filename;
+ 
+ static char *submitter_address = NULL;
+ 
+@@ -1727,7 +1727,12 @@
+ static void
+ open_output ()
+ {
+-  sprintf (output_filename, output_base_name, ++part_number);
++  size_t l;
++  l = strlen(output_base_name) + 128;
++  if (output_filename)
++    free(output_filename);
++  output_filename = xmalloc(l);
++  snprintf(output_filename, l, output_base_name, ++part_number);
+   output = fopen (output_filename, "w");
+   if (!output)
+     error (EXIT_FAILURE, errno, _("Opening `%s'"), output_filename);
+@@ -1907,6 +1912,42 @@
+     file_size_limit = lim;
+ }
+ 
++
++char *parse_output_base_name(char *arg)
++{
++  int c;
++  int hadarg = 0;
++  char *fmt, *p;
++
++  for (p = arg ; (c = *p++) != 0; )
++    {
++      if (c != '%')
++	continue;
++      c = *p++;
++      if (c == '%')
++	continue;
++      if (hadarg)
++	return 0;
++      while (c != 0 && strchr("#0+- 'I", c) != 0)
++	c = *p++;
++      while (c != 0 && c >= '0' && c <= '9')
++	c = *p++;
++      if (c == '.')
++	c = *p++;
++      while (c != 0 && c >= '0' && c <= '9')
++	c = *p++;
++      if (c == 0 || strchr("diouxX", c) == 0)
++	return 0;
++      hadarg = 1;
++    }
++  fmt = xmalloc(strlen(arg) + (hadarg ? 1 : 6));
++  strcpy(fmt, arg);
++  if (!hadarg)
++    strcat(fmt, ".%02d");
++  return fmt;
++}
++
++
+ /*---.
+ | ?  |
+ `---*/
+@@ -2047,9 +2088,14 @@
+ 	break;
+ 
+       case 'o':
+-	strcpy (output_base_name, optarg);
+-	if (!strchr (output_base_name, '%'))
+-	  strcat (output_base_name, ".%02d");
++	if (output_base_name)
++	  free (output_base_name);
++        output_base_name = parse_output_base_name(optarg);
++        if (!output_base_name)
++	  {
++	    fprintf (stderr, _("illegal output prefix\n"));
++	    exit (EXIT_FAILURE);
++	  }
+ 	part_number = 0;
+ 	open_output ();
+ 	break;
-- 
cgit v1.2.3