[pkgsrc/trunk]: pkgsrc/sysutils/coreutils Fix two security issues:
details: https://anonhg.NetBSD.org/pkgsrc/rev/4697f2a168c1
branches: trunk
changeset: 463287:4697f2a168c1
user: recht <recht%pkgsrc.org@localhost>
date: Wed Nov 05 00:05:06 2003 +0000
description:
Fix two security issues:
1.)
An integer overflow in ls in the fileutils or coreutils packages may allow
local users to cause a denial of service or execute arbitrary code via a
large -w value, which could be remotely exploited via applications that use
ls, such as wu-ftpd.
2.)
ls in the fileutils or coreutils packages allows local users to consume a
large amount of memory via a large -w value, which can be remotely exploited
via applications that use ls, such as wu-ftpd.
See
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0854
and the original report
http://www.guninski.com/binls.html
for details.
Patches taken from Red Hat's Security Advisory RHSA-2003:309-01.
reported by reed@
bump PKGREVISION
diffstat:
sysutils/coreutils/Makefile | 4 +-
sysutils/coreutils/distinfo | 4 +-
sysutils/coreutils/patches/patch-ab | 132 ++++++
sysutils/coreutils/patches/patch-ac | 764 ++++++++++++++++++++++++++++++++++++
4 files changed, 901 insertions(+), 3 deletions(-)
diffs (truncated from 929 to 300 lines):
diff -r b3d95a037ac1 -r 4697f2a168c1 sysutils/coreutils/Makefile
--- a/sysutils/coreutils/Makefile Wed Nov 05 00:04:20 2003 +0000
+++ b/sysutils/coreutils/Makefile Wed Nov 05 00:05:06 2003 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.11 2003/09/14 18:13:51 recht Exp $
+# $NetBSD: Makefile,v 1.12 2003/11/05 00:05:06 recht Exp $
DISTNAME= coreutils-5.0
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= sysutils
MASTER_SITES= ${MASTER_SITE_GNU:=coreutils/}
EXTRACT_SUFX= .tar.bz2
diff -r b3d95a037ac1 -r 4697f2a168c1 sysutils/coreutils/distinfo
--- a/sysutils/coreutils/distinfo Wed Nov 05 00:04:20 2003 +0000
+++ b/sysutils/coreutils/distinfo Wed Nov 05 00:05:06 2003 +0000
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.1.1.1 2003/04/10 13:18:36 wiz Exp $
+$NetBSD: distinfo,v 1.2 2003/11/05 00:05:06 recht Exp $
SHA1 (coreutils-5.0.tar.bz2) = ce67aacedfc917a92b5be62dd32095393c2f220c
Size (coreutils-5.0.tar.bz2) = 3952653 bytes
SHA1 (patch-aa) = 352b6b8eeff29159ebdbae4929db75d243a19354
+SHA1 (patch-ab) = 8cc6bbef46bdaf163129b06bf65ec2b775c57fe2
+SHA1 (patch-ac) = 761ba2182a191ca215f032228e678c8f0f5549be
diff -r b3d95a037ac1 -r 4697f2a168c1 sysutils/coreutils/patches/patch-ab
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/coreutils/patches/patch-ab Wed Nov 05 00:05:06 2003 +0000
@@ -0,0 +1,132 @@
+$NetBSD: patch-ab,v 1.1 2003/11/05 00:05:06 recht Exp $
+
+--- lib/xmalloc.c~ 2002-11-21 21:39:59.000000000 +0100
++++ lib/xmalloc.c 2003-11-05 00:26:39.000000000 +0100
+@@ -22,7 +22,9 @@
+ #include <sys/types.h>
+
+ #if STDC_HEADERS
++# include <stdbool.h>
+ # include <stdlib.h>
++# include <string.h>
+ #else
+ void *calloc ();
+ void *malloc ();
+@@ -43,6 +45,10 @@
+
+ /* The following tests require AC_PREREQ(2.54). */
+
++#ifndef SIZE_MAX
++# define SIZE_MAX ((size_t) -1)
++#endif
++
+ #ifndef HAVE_MALLOC
+ "you must run the autoconf test for a GNU libc compatible malloc"
+ #endif
+@@ -58,6 +64,15 @@
+ /* If non NULL, call this function when memory is exhausted. */
+ void (*xalloc_fail_func) PARAMS ((void)) = 0;
+
++/* Return true if array of N objects, each of size S, cannot exist due
++ to arithmetic overflow. S must be nonzero. */
++
++static inline bool
++array_size_overflow (size_t n, size_t s)
++{
++ return SIZE_MAX / s < n;
++}
++
+ /* If XALLOC_FAIL_FUNC is NULL, or does return, display this message
+ before exiting when memory is exhausted. Goes through gettext. */
+ char const xalloc_msg_memory_exhausted[] = N_("memory exhausted");
+@@ -70,8 +85,20 @@
+ error (xalloc_exit_failure, 0, "%s", _(xalloc_msg_memory_exhausted));
+ /* The `noreturn' cannot be given to error, since it may return if
+ its first argument is 0. To help compilers understand the
+- xalloc_die does terminate, call exit. */
+- exit (EXIT_FAILURE);
++ xalloc_die does terminate, call abort. */
++ abort ();
++}
++
++/* Allocate an array of N objects, each with S bytes of memory,
++ dynamically, with error checking. S must be nonzero. */
++
++inline void *
++xnmalloc (size_t n, size_t s)
++{
++ void *p;
++ if (array_size_overflow (n, s) || ! (p = malloc (n * s)))
++ xalloc_die ();
++ return p;
+ }
+
+ /* Allocate N bytes of memory dynamically, with error checking. */
+@@ -79,10 +106,16 @@
+ void *
+ xmalloc (size_t n)
+ {
+- void *p;
++ return xnmalloc (n, 1);
++}
+
+- p = malloc (n);
+- if (p == 0)
++/* Change the size of an allocated block of memory P to an array of N
++ objects each of S bytes, with error checking. S must be nonzero. */
++
++inline void *
++xnrealloc (void *p, size_t n, size_t s)
++{
++ if (array_size_overflow (n, s) || ! (p = realloc (p, n * s)))
+ xalloc_die ();
+ return p;
+ }
+@@ -93,21 +126,39 @@
+ void *
+ xrealloc (void *p, size_t n)
+ {
+- p = realloc (p, n);
+- if (p == 0)
+- xalloc_die ();
+- return p;
++ return xnrealloc (p, n, 1);
+ }
+
+-/* Allocate memory for N elements of S bytes, with error checking. */
++/* Allocate S bytes of zeroed memory dynamically, with error checking.
++ There's no need for xnzalloc (N, S), since it would be equivalent
++ to xcalloc (N, S). */
++
++void *
++xzalloc (size_t s)
++{
++ return memset (xmalloc (s), 0, s);
++}
++
++/* Allocate zeroed memory for N elements of S bytes, with error
++ checking. S must be nonzero. */
+
+ void *
+ xcalloc (size_t n, size_t s)
+ {
+ void *p;
+-
+- p = calloc (n, s);
+- if (p == 0)
++ /* Test for overflow, since some calloc implementations don't have
++ proper overflow checks. */
++ if (array_size_overflow (n, s) || ! (p = calloc (n, s)))
+ xalloc_die ();
+ return p;
+ }
++
++/* Clone an object P of size S, with error checking. There's no need
++ for xnclone (P, N, S), since xclone (P, N * S) works without any
++ need for an arithmetic overflow check. */
++
++void *
++xclone (void const *p, size_t s)
++{
++ return memcpy (xmalloc (s), p, s);
++}
diff -r b3d95a037ac1 -r 4697f2a168c1 sysutils/coreutils/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/coreutils/patches/patch-ac Wed Nov 05 00:05:06 2003 +0000
@@ -0,0 +1,764 @@
+$NetBSD: patch-ac,v 1.1 2003/11/05 00:05:06 recht Exp $
+
+--- src/ls.c~ 2003-03-20 00:01:51.000000000 +0100
++++ src/ls.c 2003-11-05 00:34:17.000000000 +0100
+@@ -243,7 +243,7 @@
+
+ struct bin_str
+ {
+- int len; /* Number of bytes */
++ size_t len; /* Number of bytes */
+ const char *string; /* Pointer to the same */
+ };
+
+@@ -265,15 +265,15 @@
+ static void print_color_indicator (const char *name, mode_t mode, int linkok);
+ static void put_indicator (const struct bin_str *ind);
+ static int put_indicator_direct (const struct bin_str *ind);
+-static int length_of_file_name_and_frills (const struct fileinfo *f);
++static size_t length_of_file_name_and_frills (const struct fileinfo *f);
+ static void add_ignore_pattern (const char *pattern);
+ static void attach (char *dest, const char *dirname, const char *name);
+ static void clear_files (void);
+ static void extract_dirs_from_files (const char *dirname,
+ int ignore_dot_and_dot_dot);
+ static void get_link_name (const char *filename, struct fileinfo *f);
+-static void indent (int from, int to);
+-static void init_column_info (void);
++static void indent (size_t from, size_t to);
++static size_t calculate_columns (bool by_columns);
+ static void print_current_files (void);
+ static void print_dir (const char *name, const char *realname);
+ static void print_file_name_and_frills (const struct fileinfo *f);
+@@ -319,10 +319,10 @@
+ static struct fileinfo *files; /* FIXME: rename this to e.g. cwd_file */
+
+ /* Length of block that `files' points to, measured in files. */
+-static int nfiles; /* FIXME: rename this to e.g. cwd_n_alloc */
++static size_t nfiles; /* FIXME: rename this to e.g. cwd_n_alloc */
+
+ /* Index of first unused in `files'. */
+-static int files_index; /* FIXME: rename this to e.g. cwd_n_used */
++static size_t files_index; /* FIXME: rename this to e.g. cwd_n_used */
+
+ /* When nonzero, in a color listing, color each symlink name according to the
+ type of file it points to. Otherwise, color them according to the `ln'
+@@ -632,7 +632,7 @@
+
+ /* The number of chars per hardware tab stop. Setting this to zero
+ inhibits the use of TAB characters for separating columns. -T */
+-static int tabsize;
++static size_t tabsize;
+
+ /* Nonzero means we are listing the working directory because no
+ non-option arguments were given. */
+@@ -646,7 +646,7 @@
+ /* The line length to use for breaking lines in many-per-line format.
+ Can be set with -w. */
+
+-static int line_length;
++static size_t line_length;
+
+ /* If nonzero, the file listing format requires that stat be called on
+ each file. */
+@@ -799,16 +799,16 @@
+ /* Information about filling a column. */
+ struct column_info
+ {
+- int valid_len;
+- int line_len;
+- int *col_arr;
++ bool valid_len;
++ size_t line_len;
++ size_t *col_arr;
+ };
+
+ /* Array with information about column filledness. */
+ static struct column_info *column_info;
+
+ /* Maximum number of columns ever possible for this display. */
+-static int max_idx;
++static size_t max_idx;
+
+ /* The minimum width of a colum is 3: 1 character for the name and 2
+ for the separating white space. */
+@@ -904,18 +904,18 @@
+ static void
+ dired_dump_obstack (const char *prefix, struct obstack *os)
+ {
+- int n_pos;
++ size_t n_pos;
+
+ n_pos = obstack_object_size (os) / sizeof (dired_pos);
+ if (n_pos > 0)
+ {
+- int i;
++ size_t i;
+ size_t *pos;
+
+ pos = (size_t *) obstack_finish (os);
+ fputs (prefix, stdout);
+ for (i = 0; i < n_pos; i++)
+- printf (" %lu", (unsigned long) pos[i]);
++ printf (" %lu", (unsigned long int) pos[i]);
+ putchar ('\n');
+ }
+ }
+@@ -952,7 +952,7 @@
+ struct dev_ino *ent_from_table;
+ int found_match;
+
+- ent = XMALLOC (struct dev_ino, 1);
++ ent = xmalloc (sizeof *ent);
+ ent->st_ino = ino;
+ ent->st_dev = dev;
+
+@@ -1134,7 +1134,7 @@
+ }
+
+ nfiles = 100;
+- files = XMALLOC (struct fileinfo, nfiles);
++ files = xnmalloc (nfiles, sizeof *files);
+ files_index = 0;
+
+ clear_files ();
+@@ -1322,11 +1322,11 @@
+ char const *p = getenv ("COLUMNS");
+ if (p && *p)
+ {
+- long int tmp_long;
+- if (xstrtol (p, NULL, 0, &tmp_long, NULL) == LONGINT_OK
+- && 0 < tmp_long && tmp_long <= INT_MAX)
++ unsigned long int tmp_ulong;
++ if (xstrtoul (p, NULL, 0, &tmp_ulong, NULL) == LONGINT_OK
++ && 0 < tmp_ulong && tmp_ulong <= SIZE_MAX)
+ {