Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 13-Apr-2004 09:57:01 Branch: OPENPKG_2_0_SOLID Handle: 2004041308570100 Modified files: (Branch: OPENPKG_2_0_SOLID) openpkg-src/sharutils sharutils.patch sharutils.spec Log: MFC: GNU Sharutils buffer overflow vulnerability - improved patch Summary: Revision Changes Path 1.1.2.2 +47 -7 openpkg-src/sharutils/sharutils.patch 1.25.2.3 +1 -1 openpkg-src/sharutils/sharutils.spec ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/sharutils/sharutils.patch
============================================================================
$ cvs diff -u -r1.1.2.1 -r1.1.2.2 sharutils.patch
--- openpkg-src/sharutils/sharutils.patch 7 Apr 2004 12:42:11 -0000 1.1.2.1
+++ openpkg-src/sharutils/sharutils.patch 13 Apr 2004 07:57:01 -0000 1.1.2.2
@@ -1,16 +1,56 @@
 http://www.securityfocus.com/archive/1/359639
 GNU Sharutils buffer overflow vulnerability
-Index: src/shar.c
---- src/shar.c.orig 2004-04-07 14:27:20.000000000 +0200
-+++ src/shar.c 2004-04-07 14:30:27.000000000 +0200
-@@ -1905,7 +1905,7 @@
+http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126
+http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126&q=p3
+GNU Sharutils buffer overflow vulnerability - improved patch
+
+--- src/shar.orig.c 2004-04-07 16:18:23.000000000 +0100
++++ src/shar.c 2004-04-07 16:39:04.000000000 +0100
+@@ -212,10 +212,10 @@
+ static long first_file_position;
+
+ /* Base for output filename. FIXME: No fix limit in GNU... */
+-static char output_base_name[50];
++static char output_base_name[512];
+
+ /* Actual output filename. FIXME: No fix limit in GNU... */
+-static char output_filename[50];
++static char output_filename[512];
+
+ static char *submitter_address = NULL;
+
+@@ -1905,9 +1905,29 @@
 break;
 case 'o':
- strcpy (output_base_name, optarg);
-+ strncpy (output_base_name, optarg, sizeof(output_base_name));
- if (!strchr (output_base_name, '%'))
- strcat (output_base_name, ".%02d");
+- if (!strchr (output_base_name, '%'))
+- strcat (output_base_name, ".%02d");
++ /*
++ * Note: the magic '6' below is exactly sizeof(".%02d").
++ * Don't forget to increase size of output_filename[] appropriately
++ * when you increase field width from 2 up to something greater than 4.
++ */
++ {
++ register int i = 0;
++ register char *str = optarg;
++
++ while (i < sizeof(output_base_name) - 6) {
++ register char c;
++
++ output_base_name[i++] = (c = *str++);
++ if (c == '%')
++ if (i < sizeof(output_base_name) - 6)
++ output_base_name[i++] = c;
++ else {
++ i--;
++ break;
++ }
++ }
++ strcpy (output_base_name + i, ".%02d");
++ }
 part_number = 0;
+ open_output ();
+ break;
@@ .
patch -p0 <<'@@ .'
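Review bot: The new copy loop in the `case 'o':` hunk never tests for the end of optarg: `output_base_name[i++] = (c = *str++)` copies the terminating NUL and keeps reading past it until the 506-byte limit (sizeof minus 6), so a short `-o` argument reads whatever follows the argument string in memory into the buffer, and the `.%02d` suffix is then written after the embedded NUL where it is never seen — unless a line was lost when this listing was collapsed. Changing the loop condition to `while (*str != '\0' && i < sizeof(output_base_name) - 6) {` stops at the terminator and lets the trailing `strcpy` place the suffix directly after the copied name. Note also that, unlike the `strchr`/`strcat` code this replaces, every `%` in the argument is now doubled and `.%02d` is appended unconditionally, so a user-supplied format such as `part%d` is no longer honored; if that is intended, a comment saying the base name is now taken literally would help the next maintainer. The enclosing option-parsing switch starts and ends outside the hunk.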
Index: openpkg-src/sharutils/sharutils.spec
============================================================================
$ cvs diff -u -r1.25.2.2 -r1.25.2.3 sharutils.spec
--- openpkg-src/sharutils/sharutils.spec 7 Apr 2004 12:42:11 -0000 1.25.2.2
+++ openpkg-src/sharutils/sharutils.spec 13 Apr 2004 07:57:01 -0000 1.25.2.3
@@ -34,7 +34,7 @@
 Group: Archiver
 License: GPL
 Version: 4.2.1
-Release: 2.0.1
+Release: 2.0.2
 # list of sources
 Source0: ftp://ftp.gnu.org/gnu/sharutils/sharutils-%{version}.tar.gz
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]