pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/x11/openmotif Fix a number of buffer overflows in Open...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/fc8df1f6a64a
branches:  trunk
changeset: 505788:fc8df1f6a64a
user:      joerg <joerg%pkgsrc.org@localhost>
date:      Sat Jan 07 21:08:12 2006 +0000

description:
Fix a number of buffer overflows in OpenMotif's UIL implementation.
For non-propolice systems this might be exploitable when the
user-provided data (e.g. certain filenames) or the locale files are
manipulated.

Mostly-found-by: xfocus, see [xfocus-SD-051202] on VulnWatch. Some
additional cases are handled which have the same impact.
Bump revision.

diffstat:

 x11/openmotif/Makefile         |   3 +-
 x11/openmotif/distinfo         |   4 +-
 x11/openmotif/patches/patch-bj |  70 ++++++++++++++++++++++++++++++++++++++++++
 x11/openmotif/patches/patch-bk |  16 +++++++++
 4 files changed, 91 insertions(+), 2 deletions(-)

diffs (123 lines):

diff -r 78bcc7770637 -r fc8df1f6a64a x11/openmotif/Makefile
--- a/x11/openmotif/Makefile    Sat Jan 07 20:26:13 2006 +0000
+++ b/x11/openmotif/Makefile    Sat Jan 07 21:08:12 2006 +0000
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.39 2005/12/12 19:55:41 joerg Exp $
+# $NetBSD: Makefile,v 1.40 2006/01/07 21:08:12 joerg Exp $
 
 PKGVER=                2.2.3
 DISTNAME=      openMotif-${PKGVER}
 PKGNAME=       openmotif-${PKGVER}
+PKGREVISION=   1
 CATEGORIES=    x11
 MASTER_SITES=  http://ftp.motifzone.com/src/
 
diff -r 78bcc7770637 -r fc8df1f6a64a x11/openmotif/distinfo
--- a/x11/openmotif/distinfo    Sat Jan 07 20:26:13 2006 +0000
+++ b/x11/openmotif/distinfo    Sat Jan 07 21:08:12 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2006/01/04 15:53:15 joerg Exp $
+$NetBSD: distinfo,v 1.22 2006/01/07 21:08:12 joerg Exp $
 
 SHA1 (openMotif-2.2.3.tar.gz) = c463653d9f8e24b35522c3ba6363ddf7a282eab4
 RMD160 (openMotif-2.2.3.tar.gz) = b99230d508da57bca72b6920d28fce4187bf5179
@@ -23,3 +23,5 @@
 SHA1 (patch-bg) = 582f455b066bd4f12160d719c885e9d8423632e5
 SHA1 (patch-bh) = 09401eb3e5e6e7e911a9268f2ba0cd6ddaeed3b4
 SHA1 (patch-bi) = 4dced20ce293f8635f121f77e9112e93766b9723
+SHA1 (patch-bj) = ac2b1d9fc09ff1bc712e776a3e2e469c1993c385
+SHA1 (patch-bk) = 3d8c264c8060616878dec5a7a21a479aa801e95d
diff -r 78bcc7770637 -r fc8df1f6a64a x11/openmotif/patches/patch-bj
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/openmotif/patches/patch-bj    Sat Jan 07 21:08:12 2006 +0000
@@ -0,0 +1,70 @@
+$NetBSD: patch-bj,v 1.3 2006/01/07 21:08:12 joerg Exp $
+
+--- clients/uil/UilDiags.c.orig        2006-01-06 20:46:16.000000000 +0100
++++ clients/uil/UilDiags.c
+@@ -293,12 +293,12 @@ void     diag_issue_diagnostic
+     va_start(ap, l_start_column);
+ 
+ #ifndef NO_MESSAGE_CATALOG
+-    vsprintf( msg_buffer, 
++    vsnprintf( msg_buffer, sizeof(msg_buffer),
+             catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
+                     diag_rz_msg_table[ message_number ].ac_text), 
+            ap );
+ #else
+-    vsprintf( msg_buffer, 
++    vsnprintf( msg_buffer, sizeof(msg_buffer), 
+             diag_rz_msg_table[ message_number ].ac_text, 
+             ap );
+ #endif
+@@ -317,13 +317,13 @@ void     diag_issue_diagnostic
+           */
+ 
+ #ifndef NO_MESSAGE_CATALOG
+-          sprintf( loc_buffer,
++          snprintf( loc_buffer, sizeof(loc_buffer),
+                    catgets(uil_catd, UIL_SET_MISC,
+                            UIL_MISC_0, "\t\t line: %d  file: %s"),
+                    az_src_rec->w_line_number,
+                    src_get_file_name( az_src_rec ) );
+ #else
+-          sprintf( loc_buffer,
++          snprintf( loc_buffer, sizeof(loc_buffer),
+                    "\t\t line: %d  file: %s",
+                    az_src_rec->w_line_number,
+                    src_get_file_name( az_src_rec ) );
+@@ -371,7 +371,7 @@ void       diag_issue_diagnostic
+ 
+           if (l_start_column != diag_k_no_column)
+ #ifndef NO_MESSAGE_CATALOG
+-            sprintf(loc_buffer,
++            snprintf(loc_buffer, sizeof(loc_buffer),
+                     catgets(uil_catd, UIL_SET_MISC,
+                             UIL_MISC_1, 
+                             "\t\t line: %d  position: %d  file: %s"),
+@@ -379,7 +379,7 @@ void       diag_issue_diagnostic
+                     l_start_column + 1,
+                     src_get_file_name( az_src_rec ) );
+ #else
+-            sprintf(loc_buffer,
++            snprintf(loc_buffer, sizeof(loc_buffer),
+                     "\t\t line: %d  position: %d  file: %s",
+                     az_src_rec->w_line_number,
+                     l_start_column + 1,
+@@ -387,13 +387,14 @@ void     diag_issue_diagnostic
+ #endif
+           else
+ #ifndef NO_MESSAGE_CATALOG
+-              sprintf( loc_buffer, catgets(uil_catd, UIL_SET_MISC,
++              snprintf( loc_buffer, sizeof(loc_buffer),
++                       catgets(uil_catd, UIL_SET_MISC,
+                                            UIL_MISC_0,
+                                            "\t\t line: %d  file: %s"),
+                        az_src_rec->w_line_number,
+                        src_get_file_name( az_src_rec ) );
+ #else
+-              sprintf( loc_buffer,
++              snprintf( loc_buffer, sizeof(loc_buffer),
+                        "\t\t line: %d  file: %s",
+                        az_src_rec->w_line_number,
+                        src_get_file_name( az_src_rec ) );
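Review bot: In the `#ifndef NO_MESSAGE_CATALOG` branches the string returned by catgets() is still used as the format of vsnprintf()/snprintf(). The new size argument bounds the write into msg_buffer and loc_buffer, but it does not constrain how a catalog entry with different conversions than the built-in default makes the formatter read the arguments. The commit message names manipulated locale files as an input, so this remaining trust in the catalog deserves a comment above the first call, for example `/* catalog text is used as a format string; it must carry the same conversions as the built-in default */`. The return values are also discarded, so a long file name now truncates the diagnostic silently; a check such as `if (n < 0 || (size_t)n >= sizeof(loc_buffer))` would make that visible. diag_issue_diagnostic begins and ends outside the embedded hunks, so the declared sizes of the two buffers cannot be confirmed from here.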
diff -r 78bcc7770637 -r fc8df1f6a64a x11/openmotif/patches/patch-bk
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/openmotif/patches/patch-bk    Sat Jan 07 21:08:12 2006 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-bk,v 1.1 2006/01/07 21:08:12 joerg Exp $
+
+--- clients/uil/UilSrcSrc.c.orig       2006-01-06 20:50:23.000000000 +0100
++++ clients/uil/UilSrcSrc.c
+@@ -629,8 +629,10 @@ open_source_file( XmConst char          
+     char                      buffer[256];
+ 
+ 
+-    /* place the file name in the expanded_name buffer */
++    if (strlen(c_file_name) >= sizeof(buffer + 1))
++      return src_k_open_error;
+ 
++    /* place the file name in the expanded_name buffer */
+     strcpy(buffer, c_file_name);
+ 
+ /*    Determine if this is the main file or an include file.  */
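Review bot: The new guard in open_source_file compares against `sizeof(buffer + 1)`, and `buffer + 1` is a pointer expression, so the bound is the size of a `char *` (typically 4 or 8) rather than the 256-byte array. The strcpy that follows stays in bounds, but any file name of that length or longer now returns src_k_open_error, which presumably rejects most real source and include paths. The intended check is `if (strlen(c_file_name) >= sizeof(buffer))`, which leaves room for the terminating NUL. The function continues past the hunk, so it cannot be confirmed here whether later copies from buffer into the expanded-name storage are bounded as well.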


