Author: jim
Date: 2005-08-09 16:37:19 -0600 (Tue, 09 Aug 2005)
New Revision: 1056
Added:
trunk/bzip2/bzip2-1.0.3-bzgrep_security-1.patch
trunk/firefox/firefox-1.0.6-gcc4-compile-1.patch
trunk/httpd/httpd-2.0.54-security_fixes-1.patch
trunk/nasm/
trunk/nasm/nasm-0.98.39-security_fix-1.patch
trunk/thunderbird/thunderbird-1.0.6-gcc4-compile-1.patch
Modified:
trunk/
Log:
[EMAIL PROTECTED]: jim | 2005-08-09 15:36:39 -0700
Added: nasm-0.98.39-security_fix-1.patch bzip2-1.0.3-bzgrep_security-1.patch
httpd-2.0.54-security_fixes-1.patch firefox-1.0.6-gcc4-compile-1.patch
thunderbird-1.0.6-gcc4-compile-1.patch
Property changes on: trunk
___________________________________________________________________
Name: svk:merge
- cc2644d5-6cf8-0310-b111-c40428001e49:/patches:1130
+ cc2644d5-6cf8-0310-b111-c40428001e49:/patches:1134
Added: trunk/bzip2/bzip2-1.0.3-bzgrep_security-1.patch
===================================================================
--- trunk/bzip2/bzip2-1.0.3-bzgrep_security-1.patch 2005-08-09 05:19:24 UTC
(rev 1055)
+++ trunk/bzip2/bzip2-1.0.3-bzgrep_security-1.patch 2005-08-09 22:37:19 UTC
(rev 1056)
@@ -0,0 +1,35 @@
+Submitted By: Ken Moffat <[EMAIL PROTECTED]>
+Date: 2005-08-09
+Initial Package Version: 1.0.3
+Upstream Status: Unknown.
+Origin: Jyri Ryska (RedHat) for fedora3
+Description: Fixes filename sanitisation in bzgrep.
+ This fixes CAN-2005-0758 (if a user can be tricked into running
+bzgrep in an untrusted directory containing files with carefully
+crafted filenames, arbitrary commands could be executed as the user
+running bzgrep). Risk is reported as low. I've modified it to force
+the interpreter to be bash, some of the other shells in use won't
+like the bash syntax.
+
+diff -Naur bzip2-1.0.3/bzgrep bzip2-1.0.3-new/bzgrep
+--- bzip2-1.0.3/bzgrep 2004-10-09 12:29:32.000000000 +0100
++++ bzip2-1.0.3-new/bzgrep 2005-08-09 21:36:37.000000000 +0100
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+
+ # Bzgrep wrapped for bzip2,
+ # adapted from zgrep by Philippe Troin <[EMAIL PROTECTED]> for Debian
GNU/Linux.
+@@ -63,7 +63,11 @@
+ bzip2 -cdfq "$i" | $grep $opt "$pat"
+ r=$?
+ else
+- bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${i}:|"
++ j=${i//\\/\\\\}
++ j=${j//|/\\|}
++ j=${j//&/\\&}
++ j=`printf "%s" "$j" | tr '\n' ' '`
++ bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|"
+ r=$?
+ fi
+ test "$r" -ne 0 && res="$r"
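Review bot: The four `j=` assignments in the bzgrep hunk are order-dependent and carry no comment, so a later edit could reorder them and undo the fix. The backslash has to be doubled first, otherwise the backslashes added for `|` and `&` would themselves be doubled; a comment such as `# escape \ first, then | (sed delimiter) and & (matched text), and flatten newlines, before the name goes into the sed script` would record that. Separately, `"$i"` is still handed to `bzip2 -cdfq` without a preceding `--`, so a file name beginning with a dash would presumably be parsed as an option; `bzip2 -cdfq -- "$i"` on both branches avoids that. The enclosing loop starts and ends outside the hunk.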
Added: trunk/firefox/firefox-1.0.6-gcc4-compile-1.patch
===================================================================
--- trunk/firefox/firefox-1.0.6-gcc4-compile-1.patch 2005-08-09 05:19:24 UTC
(rev 1055)
+++ trunk/firefox/firefox-1.0.6-gcc4-compile-1.patch 2005-08-09 22:37:19 UTC
(rev 1056)
@@ -0,0 +1,128 @@
+Submitted By: Richard Downing <richard at linuxfromscratch dot org>
+Date: 2005-08-09
+Initial Package Version: 1.0.6
+Upstream Status: Not known
+Origin: http://cvs.fedora.redhat.com
+Description: This patch allows firefox-1.0.6 and thunderbird 1.0.6 compile
+with gcc-4.0.1.
+
+Index: gfx/src/freetype/nsFreeType.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/freetype/nsFreeType.cpp,v
+retrieving revision 1.24
+diff -u -r1.24 nsFreeType.cpp
+--- gfx/src/freetype/nsFreeType.cpp 7 Feb 2004 15:22:30 -0000 1.24
++++ gfx/src/freetype/nsFreeType.cpp 4 Mar 2005 19:59:53 -0000
+@@ -96,7 +96,7 @@
+ // Define the FreeType2 functions we resolve at run time.
+ // see the comment near nsFreeType2::DoneFace() for more info
+ //
+-#define NS_FT2_OFFSET(f) (int)&((nsFreeType2*)0)->f
++#define NS_FT2_OFFSET(f) (NS_PTR_TO_INT32(&((nsFreeType2*)0)->f))
+ FtFuncList nsFreeType2::FtFuncs [] = {
+ {"FT_Done_Face", NS_FT2_OFFSET(nsFT_Done_Face),
PR_TRUE},
+ {"FT_Done_FreeType", NS_FT2_OFFSET(nsFT_Done_FreeType),
PR_TRUE},
+Index: netwerk/protocol/http/src/nsHttpConnectionMgr.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/protocol/http/src/nsHttpConnectionMgr.cpp,v
+retrieving revision 1.7.20.1
+diff -u -r1.7.20.1 nsHttpConnectionMgr.cpp
+--- netwerk/protocol/http/src/nsHttpConnectionMgr.cpp 1 Sep 2004 23:31:03
-0000 1.7.20.1
++++ netwerk/protocol/http/src/nsHttpConnectionMgr.cpp 4 Mar 2005 19:59:57
-0000
+@@ -834,8 +834,8 @@
+ void
+ nsHttpConnectionMgr::OnMsgUpdateParam(nsresult status, void *param)
+ {
+- PRUint16 name = (PRUint32(param) & 0xFFFF0000) >> 16;
+- PRUint16 value = PRUint32(param) & 0x0000FFFF;
++ PRUint16 name = (NS_PTR_TO_INT32(param) & 0xFFFF0000) >> 16;
++ PRUint16 value = NS_PTR_TO_INT32(param) & 0x0000FFFF;
+
+ switch (name) {
+ case MAX_CONNECTIONS:
+Index: security/nss/lib/pki1/oiddata.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pki1/oiddata.h,v
+retrieving revision 1.1
+diff -u -r1.1 oiddata.h
+--- security/nss/lib/pki1/oiddata.h 4 Jan 2002 05:22:07 -0000 1.1
++++ security/nss/lib/pki1/oiddata.h 4 Mar 2005 19:59:58 -0000
+@@ -43,9 +43,6 @@
+ #include "nsspki1t.h"
+ #endif /* NSSPKI1T_H */
+
+-extern const NSSOID nss_builtin_oids[];
+-extern const PRUint32 nss_builtin_oid_count;
+-
+ /*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
+ /*extern const PRUint32 nss_attribute_type_alias_count;*/
+
+Index: security/nss/lib/pki1/pki1.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pki1/pki1.h,v
+retrieving revision 1.2
+diff -u -r1.2 pki1.h
+--- security/nss/lib/pki1/pki1.h 19 Jul 2001 20:40:42 -0000 1.2
++++ security/nss/lib/pki1/pki1.h 4 Mar 2005 19:59:59 -0000
+@@ -58,6 +58,8 @@
+ /* fgmr 19990505 moved these here from oiddata.h */
+ extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
+ extern const PRUint32 nss_attribute_type_alias_count;
++extern const NSSOID nss_builtin_oids[];
++extern const PRUint32 nss_builtin_oid_count;
+
+ /*
+ * NSSOID
+Index: widget/src/gtk2/nsDragService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/widget/src/gtk2/nsDragService.cpp,v
+retrieving revision 1.5
+diff -u -r1.5 nsDragService.cpp
+--- widget/src/gtk2/nsDragService.cpp 30 Oct 2003 01:48:41 -0000 1.5
++++ widget/src/gtk2/nsDragService.cpp 4 Mar 2005 20:00:01 -0000
+@@ -838,7 +838,7 @@
+ (GtkTargetEntry *)g_malloc(sizeof(GtkTargetEntry));
+ listTarget->target = g_strdup(gMimeListType);
+ listTarget->flags = 0;
+- listTarget->info = (guint)listAtom;
++ listTarget->info = (guint)(NS_PTR_TO_INT32(listAtom));
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with id %ld\n",
+ listTarget->target, listAtom));
+@@ -877,7 +877,7 @@
+ (GtkTargetEntry
*)g_malloc(sizeof(GtkTargetEntry));
+ listTarget->target = g_strdup(gTextUriListType);
+ listTarget->flags = 0;
+- listTarget->info = (guint)listAtom;
++ listTarget->info =
(guint)NS_PTR_TO_INT32(listAtom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with \
+ id %ld\n", listTarget->target, listAtom));
+@@ -914,7 +914,7 @@
+ (GtkTargetEntry *)g_malloc(sizeof(GtkTargetEntry));
+ target->target = g_strdup(flavorStr);
+ target->flags = 0;
+- target->info = (guint)atom;
++ target->info = (guint)NS_PTR_TO_INT32(atom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("adding target %s with id %ld\n",
+ target->target, atom));
+@@ -931,7 +931,7 @@
+ (GtkTargetEntry
*)g_malloc(sizeof(GtkTargetEntry));
+ plainTarget->target = g_strdup(kTextMime);
+ plainTarget->flags = 0;
+- plainTarget->info = (guint)plainAtom;
++ plainTarget->info =
(guint)NS_PTR_TO_INT32(plainAtom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with \
+ id %ld\n", plainTarget->target,
plainAtom));
+@@ -948,7 +948,7 @@
+ (GtkTargetEntry
*)g_malloc(sizeof(GtkTargetEntry));
+ urlTarget->target = g_strdup(gMozUrlType);
+ urlTarget->flags = 0;
+- urlTarget->info = (guint)urlAtom;
++ urlTarget->info = (guint)NS_PTR_TO_INT32(urlAtom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with \
+ id %ld\n", urlTarget->target, urlAtom));
+
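Review bot: In the five nsDragService.cpp hunks the `PR_LOG` call next to each changed assignment still passes the atom itself (`listAtom`, `atom`, `plainAtom`, `urlAtom`) to a `%ld` conversion, while the assignment above it now needs `NS_PTR_TO_INT32` to compile. If those atoms are pointer-typed, as the new cast suggests, the log argument should be converted the same way, e.g. `(long)NS_PTR_TO_INT32(listAtom)` in place of `listAtom`. A one-line comment at the `info` assignments saying that only the integer value of the atom is kept (and, going by the macro's name, presumably only 32 bits of it) would also help the next reader. The thunderbird-1.0.6-gcc4-compile-1.patch added later in this commit carries the same hunks, so the same point applies there.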
Added: trunk/httpd/httpd-2.0.54-security_fixes-1.patch
===================================================================
--- trunk/httpd/httpd-2.0.54-security_fixes-1.patch 2005-08-09 05:19:24 UTC
(rev 1055)
+++ trunk/httpd/httpd-2.0.54-security_fixes-1.patch 2005-08-09 22:37:19 UTC
(rev 1056)
@@ -0,0 +1,77 @@
+Submitted By: Ken Moffat <[EMAIL PROTECTED]>
+Date: 2005-08-09
+Initial Package Version: 2.0.54
+Upstream Status: Unknown.
+Origin: debian
+Description: Fixes buffer overflow and http request smuggling.
+Debian's 043_CAN-2005-1268.patch and 044_CAN-2005-2088.patch
+(lead-in edited to apply with -p1)
+
+ CAN-2005-1268 off-by-one overflow in mod_ssl : to be exploited, server
+would need to be configured to use a malicious certificalte revocation
+list. This appears to have been made against an earlier version than
+2.0.54, but applies ok.
+
+ CAN-2005-2088 when acting as an http proxy, remote attacker can do
+"http request smuggling" - see
+http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
+
+--- apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:43:35 179780
++++ apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:54:53 179781
+@@ -1408,7 +1408,7 @@
+ BIO_printf(bio, ", nextUpdate: ");
+ ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
+
+- n = BIO_read(bio, buff, sizeof(buff));
++ n = BIO_read(bio, buff, sizeof(buff) - 1);
+ buff[n] = '\0';
+
+ BIO_free(bio);
+
+
+--- apache2/modules/proxy/proxy_http.c 2005-02-04 20:21:18.000000000 +0000
++++ apache2/modules/proxy/proxy_http.c 2005-08-02 09:25:21.000000000 +0000
+@@ -768,8 +768,24 @@
+ return r->status;
+
+ } else {
+- /* strip connection listed hop-by-hop headers from response */
+ const char *buf;
++
++ /* can't have both Content-Length and Transfer-Encoding */
++ if (apr_table_get(r->headers_out, "Transfer-Encoding")
++ && apr_table_get(r->headers_out, "Content-Length")) {
++ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
++ * and Content-Length are received, the latter MUST be
++ * ignored"; so unset it here to prevent any confusion
++ * later. */
++ apr_table_unset(r->headers_out, "Content-Length");
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
++ r->server,
++ "proxy: server %s returned Transfer-Encoding
and Content-Length",
++ p_conn->name);
++ p_conn->close += 1;
++ }
++
++ /* strip connection listed hop-by-hop headers from response */
+ p_conn->close +=
ap_proxy_liststr(apr_table_get(r->headers_out,
+ "Connection"),
+ "close");
+--- apache2/server/protocol.c 2005-08-02 09:25:38.000000000 +0000
++++ apache2/server/protocol.c 2005-08-02 09:25:12.000000000 +0000
+@@ -885,6 +885,15 @@
+ apr_brigade_destroy(tmp_bb);
+ return r;
+ }
++
++ if (apr_table_get(r->headers_in, "Transfer-Encoding")
++ && apr_table_get(r->headers_in, "Content-Length")) {
++ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
++ * and Content-Length are received, the latter MUST be
++ * ignored"; so unset it here to prevent any confusion
++ * later. */
++ apr_table_unset(r->headers_in, "Content-Length");
++ }
+ }
+ else {
+ if (r->header_only) {
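Review bot: In the ssl_engine_kernel.c hunk, `buff[n] = '\0';` still uses the return value of `BIO_read()` unchecked; the new `sizeof(buff) - 1` bound only fixes the upper end. `BIO_read()` can return zero or a negative value when nothing is read or on error, and a negative `n` would put the terminator before the start of `buff`, so a clamp such as `if (n < 0) n = 0;` ahead of that line is worth adding. The declaration of `buff` and the rest of the function are outside the hunk. As a smaller point, the protocol.c hunk drops `Content-Length` silently while the proxy_http.c hunk logs the same condition; a matching debug log line on the request side would make a conflicting pair of headers visible to whoever reads the logs.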
Added: trunk/nasm/nasm-0.98.39-security_fix-1.patch
===================================================================
--- trunk/nasm/nasm-0.98.39-security_fix-1.patch 2005-08-09 05:19:24 UTC
(rev 1055)
+++ trunk/nasm/nasm-0.98.39-security_fix-1.patch 2005-08-09 22:37:19 UTC
(rev 1056)
@@ -0,0 +1,21 @@
+Submitted By: Ken Moffat <[EMAIL PROTECTED]>
+Date: 2005-08-08
+Initial Package Version: 0.98.39
+Upstream Status: From upstream cvs
+Origin: Extracted by Ken Moffat
+Description: This is Jindrich Novy's patch to fix another buffer overrun
+in nasm, CAN-2005-1194 (users who can be persuaded to assemble and run a
+malicious source file can have arbitrary code executed via a buffer
+overflow).
+
+--- nasm-0.98.39/output/outieee.c.orig 2005-01-15 22:16:08.000000000 +0000
++++ nasm-0.98.39/output/outieee.c 2005-08-08 22:12:46.000000000 +0100
+@@ -1120,7 +1120,7 @@
+ va_list ap;
+
+ va_start(ap, format);
+- vsprintf(buffer, format, ap);
++ vsnprintf(buffer, sizeof(buffer), format, ap);
+ l = strlen(buffer);
+ for (i = 0; i < l; i++)
+ if ((buffer[i] & 0xff) > 31)
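Review bot: The `vsnprintf()` call relies on `sizeof(buffer)` being the size of an array, and `buffer` is declared outside the hunk, so that should be confirmed; if it were a pointer the bound would be the pointer size. The return value is also discarded, so an over-long record is truncated silently and the shortened text is still processed by the loop that follows. Capturing it, e.g. `n = vsnprintf(buffer, sizeof(buffer), format, ap);`, and reporting an error when `n < 0 || n >= (int)sizeof(buffer)` would make truncation visible instead of emitting a damaged record. The start and end of the function, including any `va_end(ap)`, are outside the hunk.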
Added: trunk/thunderbird/thunderbird-1.0.6-gcc4-compile-1.patch
===================================================================
--- trunk/thunderbird/thunderbird-1.0.6-gcc4-compile-1.patch 2005-08-09
05:19:24 UTC (rev 1055)
+++ trunk/thunderbird/thunderbird-1.0.6-gcc4-compile-1.patch 2005-08-09
22:37:19 UTC (rev 1056)
@@ -0,0 +1,128 @@
+Submitted By: Richard Downing <richard at linuxfromscratch dot org>
+Date: 2005-08-09
+Initial Package Version: 1.0.6
+Upstream Status: Not known
+Origin: http://cvs.fedora.redhat.com
+Description: This patch allows firefox-1.0.6 and thunderbird 1.0.6 compile
+with gcc-4.0.1.
+
+Index: gfx/src/freetype/nsFreeType.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/freetype/nsFreeType.cpp,v
+retrieving revision 1.24
+diff -u -r1.24 nsFreeType.cpp
+--- gfx/src/freetype/nsFreeType.cpp 7 Feb 2004 15:22:30 -0000 1.24
++++ gfx/src/freetype/nsFreeType.cpp 4 Mar 2005 19:59:53 -0000
+@@ -96,7 +96,7 @@
+ // Define the FreeType2 functions we resolve at run time.
+ // see the comment near nsFreeType2::DoneFace() for more info
+ //
+-#define NS_FT2_OFFSET(f) (int)&((nsFreeType2*)0)->f
++#define NS_FT2_OFFSET(f) (NS_PTR_TO_INT32(&((nsFreeType2*)0)->f))
+ FtFuncList nsFreeType2::FtFuncs [] = {
+ {"FT_Done_Face", NS_FT2_OFFSET(nsFT_Done_Face),
PR_TRUE},
+ {"FT_Done_FreeType", NS_FT2_OFFSET(nsFT_Done_FreeType),
PR_TRUE},
+Index: netwerk/protocol/http/src/nsHttpConnectionMgr.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/protocol/http/src/nsHttpConnectionMgr.cpp,v
+retrieving revision 1.7.20.1
+diff -u -r1.7.20.1 nsHttpConnectionMgr.cpp
+--- netwerk/protocol/http/src/nsHttpConnectionMgr.cpp 1 Sep 2004 23:31:03
-0000 1.7.20.1
++++ netwerk/protocol/http/src/nsHttpConnectionMgr.cpp 4 Mar 2005 19:59:57
-0000
+@@ -834,8 +834,8 @@
+ void
+ nsHttpConnectionMgr::OnMsgUpdateParam(nsresult status, void *param)
+ {
+- PRUint16 name = (PRUint32(param) & 0xFFFF0000) >> 16;
+- PRUint16 value = PRUint32(param) & 0x0000FFFF;
++ PRUint16 name = (NS_PTR_TO_INT32(param) & 0xFFFF0000) >> 16;
++ PRUint16 value = NS_PTR_TO_INT32(param) & 0x0000FFFF;
+
+ switch (name) {
+ case MAX_CONNECTIONS:
+Index: security/nss/lib/pki1/oiddata.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pki1/oiddata.h,v
+retrieving revision 1.1
+diff -u -r1.1 oiddata.h
+--- security/nss/lib/pki1/oiddata.h 4 Jan 2002 05:22:07 -0000 1.1
++++ security/nss/lib/pki1/oiddata.h 4 Mar 2005 19:59:58 -0000
+@@ -43,9 +43,6 @@
+ #include "nsspki1t.h"
+ #endif /* NSSPKI1T_H */
+
+-extern const NSSOID nss_builtin_oids[];
+-extern const PRUint32 nss_builtin_oid_count;
+-
+ /*extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];*/
+ /*extern const PRUint32 nss_attribute_type_alias_count;*/
+
+Index: security/nss/lib/pki1/pki1.h
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/pki1/pki1.h,v
+retrieving revision 1.2
+diff -u -r1.2 pki1.h
+--- security/nss/lib/pki1/pki1.h 19 Jul 2001 20:40:42 -0000 1.2
++++ security/nss/lib/pki1/pki1.h 4 Mar 2005 19:59:59 -0000
+@@ -58,6 +58,8 @@
+ /* fgmr 19990505 moved these here from oiddata.h */
+ extern const nssAttributeTypeAliasTable nss_attribute_type_aliases[];
+ extern const PRUint32 nss_attribute_type_alias_count;
++extern const NSSOID nss_builtin_oids[];
++extern const PRUint32 nss_builtin_oid_count;
+
+ /*
+ * NSSOID
+Index: widget/src/gtk2/nsDragService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/widget/src/gtk2/nsDragService.cpp,v
+retrieving revision 1.5
+diff -u -r1.5 nsDragService.cpp
+--- widget/src/gtk2/nsDragService.cpp 30 Oct 2003 01:48:41 -0000 1.5
++++ widget/src/gtk2/nsDragService.cpp 4 Mar 2005 20:00:01 -0000
+@@ -838,7 +838,7 @@
+ (GtkTargetEntry *)g_malloc(sizeof(GtkTargetEntry));
+ listTarget->target = g_strdup(gMimeListType);
+ listTarget->flags = 0;
+- listTarget->info = (guint)listAtom;
++ listTarget->info = (guint)(NS_PTR_TO_INT32(listAtom));
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with id %ld\n",
+ listTarget->target, listAtom));
+@@ -877,7 +877,7 @@
+ (GtkTargetEntry
*)g_malloc(sizeof(GtkTargetEntry));
+ listTarget->target = g_strdup(gTextUriListType);
+ listTarget->flags = 0;
+- listTarget->info = (guint)listAtom;
++ listTarget->info =
(guint)NS_PTR_TO_INT32(listAtom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with \
+ id %ld\n", listTarget->target, listAtom));
+@@ -914,7 +914,7 @@
+ (GtkTargetEntry *)g_malloc(sizeof(GtkTargetEntry));
+ target->target = g_strdup(flavorStr);
+ target->flags = 0;
+- target->info = (guint)atom;
++ target->info = (guint)NS_PTR_TO_INT32(atom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("adding target %s with id %ld\n",
+ target->target, atom));
+@@ -931,7 +931,7 @@
+ (GtkTargetEntry
*)g_malloc(sizeof(GtkTargetEntry));
+ plainTarget->target = g_strdup(kTextMime);
+ plainTarget->flags = 0;
+- plainTarget->info = (guint)plainAtom;
++ plainTarget->info =
(guint)NS_PTR_TO_INT32(plainAtom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with \
+ id %ld\n", plainTarget->target,
plainAtom));
+@@ -948,7 +948,7 @@
+ (GtkTargetEntry
*)g_malloc(sizeof(GtkTargetEntry));
+ urlTarget->target = g_strdup(gMozUrlType);
+ urlTarget->flags = 0;
+- urlTarget->info = (guint)urlAtom;
++ urlTarget->info = (guint)NS_PTR_TO_INT32(urlAtom);
+ PR_LOG(sDragLm, PR_LOG_DEBUG,
+ ("automatically adding target %s with \
+ id %ld\n", urlTarget->target, urlAtom));
+