pkgsrc-Changes archive
CVS commit: pkgsrc/security/mcrypt
Module Name: pkgsrc
Committed By: ginsbach
Date: Wed May 30 14:58:03 UTC 2018
Modified Files:
pkgsrc/security/mcrypt: Makefile distinfo
Added Files:
pkgsrc/security/mcrypt/patches: patch-doc_mcrypt.1 patch-src_errors.c
patch-src_extra.c patch-src_gaaout.c patch-src_mcrypt.c
patch-src_mcrypt.gaa patch-src_mcrypt__int.h patch-src_rfc2440.c
Log Message:
Add various patches from (Brew, Debian, Red Hat, SUSE)
Upstream for mcrypt is effectively dead so incorporate patches from
other OSS packaging systems. These patches address the following:
* CVE-2012-4409 (fix)
* CVE-2012-4527 (fix)
* Spelling and grammar fixes for man page
* Fix potential format-string attacks (no vulnerability Id)
* Fix potential buffer overflows (no vulnerability Id)
* Make native format default as in Debian, Red Hat, and SUSE since
openpgp format handling is seriously broken.
* Fix ARM build [unclear if this is necessary for non-Linux systems]
* Correct include file for OSX
To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 pkgsrc/security/mcrypt/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/mcrypt/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/mcrypt/patches/patch-doc_mcrypt.1 \
pkgsrc/security/mcrypt/patches/patch-src_errors.c \
pkgsrc/security/mcrypt/patches/patch-src_extra.c \
pkgsrc/security/mcrypt/patches/patch-src_gaaout.c \
pkgsrc/security/mcrypt/patches/patch-src_mcrypt.c \
pkgsrc/security/mcrypt/patches/patch-src_mcrypt.gaa \
pkgsrc/security/mcrypt/patches/patch-src_mcrypt__int.h \
pkgsrc/security/mcrypt/patches/patch-src_rfc2440.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/mcrypt/Makefile
diff -u pkgsrc/security/mcrypt/Makefile:1.26 pkgsrc/security/mcrypt/Makefile:1.27
--- pkgsrc/security/mcrypt/Makefile:1.26 Thu Mar 5 22:47:54 2015
+++ pkgsrc/security/mcrypt/Makefile Wed May 30 14:58:03 2018
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.26 2015/03/05 22:47:54 tnn Exp $
+# $NetBSD: Makefile,v 1.27 2018/05/30 14:58:03 ginsbach Exp $
DISTNAME= mcrypt-2.6.8
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= security devel
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mcrypt/}
Index: pkgsrc/security/mcrypt/distinfo
diff -u pkgsrc/security/mcrypt/distinfo:1.8 pkgsrc/security/mcrypt/distinfo:1.9
--- pkgsrc/security/mcrypt/distinfo:1.8 Wed Nov 4 01:17:50 2015
+++ pkgsrc/security/mcrypt/distinfo Wed May 30 14:58:03 2018
@@ -1,6 +1,14 @@
-$NetBSD: distinfo,v 1.8 2015/11/04 01:17:50 agc Exp $
+$NetBSD: distinfo,v 1.9 2018/05/30 14:58:03 ginsbach Exp $
SHA1 (mcrypt-2.6.8.tar.gz) = 8ae0e866714fbbb96a0a6fa9f099089dc93f1d86
RMD160 (mcrypt-2.6.8.tar.gz) = 5115c679ee5d34b9fb9e976c12240c48370df514
SHA512 (mcrypt-2.6.8.tar.gz) = eae5f831e950df69eb93efc8314100b4b5dc8a535b1d00f500e6b25382efcec321346776a92dadf101b878ef46a47de2e9e81f5ddf5c73563ece4741f169c8d1
Size (mcrypt-2.6.8.tar.gz) = 471915 bytes
+SHA1 (patch-doc_mcrypt.1) = 93ccc6b07b09535e09d65e2862571b1c592fc141
+SHA1 (patch-src_errors.c) = b8467130c6cc7f3a650d8a737e1b5a75c8db5e9e
+SHA1 (patch-src_extra.c) = f265989f7e8ad7ec6fd8afece3b8a785f49d13ae
+SHA1 (patch-src_gaaout.c) = 73001f8b98dc87354f7550e2080ac7ab3a59ceb6
+SHA1 (patch-src_mcrypt.c) = c1c99aa4dcf5912e43ab831f0ee32611ea029400
+SHA1 (patch-src_mcrypt.gaa) = 1fefccbf336a99bcb83dd05739c53a40b1f0a9ce
+SHA1 (patch-src_mcrypt__int.h) = 94caaff9bb0d48c6c6406e3f8965db82e7f93408
+SHA1 (patch-src_rfc2440.c) = 4c7b885bfa9e451f3082e3338eadcaedbbb9d6cc
Added files:
Index: pkgsrc/security/mcrypt/patches/patch-doc_mcrypt.1
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-doc_mcrypt.1:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-doc_mcrypt.1 Wed May 30 14:58:03 2018
@@ -0,0 +1,70 @@
+$NetBSD: patch-doc_mcrypt.1,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Spelling and grammar fixes.
+
+ From: Red Hat, SUSE
+
+--- doc/mcrypt.1.orig 2003-09-08 17:25:41.000000000 +0000
++++ doc/mcrypt.1
+@@ -81,7 +81,7 @@ two blocks in CBC and CFB modes, but onl
+ Mcrypt uses a 32 bit CRC to check for errors in the encrypted files.
+ .PP
+ .B Extra security:
+-For the very paranoid, if mcrypt is executed with superuser priviledges it
++For the very paranoid, if mcrypt is executed with superuser privileges it
+ ensures that no important data (keys etc.) are written to disk, as swap etc.
+ Keep in mind that mcrypt was not designed to be a setuid program, so you
+ shouldn't make it one.
+@@ -165,11 +165,11 @@ license and quit.
+ .TP
+ .B \-o --keymode MODE
+ MODE may be one of the keymodes listed by the --list-keymodes parameter.
+-It actually is the convertion to the key before it is fed to the algorithm.
++It actually is the conversion to the key before it is fed to the algorithm.
+ It is recommended to leave it as is, if you do not know what it is.
+ However if you still want to use this option, you might want to
+ use the 'hex' mode which allows you to specify the key in hex
+-(and no convertion will by applied).
++(and no conversion will be applied).
+ .TP
+ .B \-h --hash HASH_ALGORITHM
+ HASH_ALGORITHM may be one of the algorithms listed by the --list-hash parameter.
+@@ -194,10 +194,10 @@ The security lies on the algorithm not o
+ default. This flag must also be specified when decrypting a bare encrypted
+ file.
+ When the bare flag is specified decryption and encryption are faster. This
+-may be usefull when using mcrypt to encrypt a link or something like that.
++may be useful when using mcrypt to encrypt a link or something like that.
+ .TP
+ .B --flush
+-Flushes the output (ciphertext or plaintext) immediately. Usefull if mcrypt
++Flushes the output (ciphertext or plaintext) immediately. Useful if mcrypt
+ is used with pipes.
+ .TP
+ .B --time
+@@ -205,7 +205,7 @@ Prints some timing information (encrypti
+ .TP
+ .B --nodelete
+ When this option is specified mcrypt does not delete the output file, even
+-if decryption failed. This is usefull if you want to decrypt a corrupted
++if decryption failed. This is useful if you want to decrypt a corrupted
+ file.
+ .TP
+ .B \-q --quiet
+@@ -217,13 +217,13 @@ succeeds. This is not the default in ord
+ to remove sensitive data.
+ .TP
+ .B \ --list
+-Lists all the algorithms current supported.
++Lists all the algorithms currently supported.
+ .TP
+ .B \ --list-keymodes
+-Lists all the key modes current supported.
++Lists all the key modes currently supported.
+ .TP
+ .B \ --list-hash
+-Lists all the hash algorithms current supported.
++Lists all the hash algorithms currently supported.
+ .TP
+ .B \-r --random
+ Use /dev/(s)random instead of /dev/urandom. This may need some key input
Index: pkgsrc/security/mcrypt/patches/patch-src_errors.c
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_errors.c:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_errors.c Wed May 30 14:58:03 2018
@@ -0,0 +1,38 @@
+$NetBSD: patch-src_errors.c,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Fix potential format-string attacks via filename arguments and
+ possibly others. (No vulnerability Id)
+
+ From: Debian, Red Hat, SUSE
+
+--- src/errors.c.orig 2007-11-07 17:10:19.000000000 +0000
++++ src/errors.c
+@@ -24,24 +24,24 @@ extern int quiet;
+
+ void err_quit(char *errmsg)
+ {
+- fprintf(stderr, errmsg);
++ fprintf(stderr, "%s", errmsg);
+ exit(-1);
+ }
+
+ void err_warn(char *errmsg)
+ {
+ if (quiet <= 1)
+- fprintf(stderr, errmsg);
++ fprintf(stderr, "%s", errmsg);
+ }
+
+ void err_info(char *errmsg)
+ {
+ if (quiet == 0)
+- fprintf(stderr, errmsg);
++ fprintf(stderr, "%s", errmsg);
+ }
+
+ void err_crit(char *errmsg)
+ {
+ if (quiet <= 2)
+- fprintf(stderr, errmsg);
++ fprintf(stderr, "%s", errmsg);
+ }
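Review bot: the `"%s"` format string closes the format-string hole in all four functions, but the signature should also change to `const char *errmsg`, and `fputs(errmsg, stderr)` would do the same job with no format string to get wrong in future edits. Worth keeping in mind that these functions are the sink for `tmperr`, which is built from user-supplied filenames elsewhere in this commit, so this is the change that matters for untrusted input.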
Index: pkgsrc/security/mcrypt/patches/patch-src_extra.c
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_extra.c:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_extra.c Wed May 30 14:58:03 2018
@@ -0,0 +1,51 @@
+$NetBSD: patch-src_extra.c,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Fix buffer overflow when decrypting a file with a too long salt.
+ (CVE-2012-4409)
+* Fix other potential buffer overflows in check_file_head.
+ (No vulnerability Id)
+
+ From: Debian, Red Hat, SUSE
+
+--- src/extra.c.orig 2007-11-07 17:10:20.000000000 +0000
++++ src/extra.c
+@@ -223,7 +223,8 @@ int check_file_head(FILE * fstream, char
+ }
+
+ read_until_null(tmp_buf, fstream);
+- strcpy(algorithm, tmp_buf);
++ strncpy(algorithm, tmp_buf, 50);
++ algorithm[49] = '\0';
+
+ fread(&keylen, sizeof(short int), 1, fstream);
+ #ifdef WORDS_BIGENDIAN
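Review bot: the hard-coded 50 in `strncpy(algorithm, tmp_buf, 50)` and `algorithm[49] = '\0'` assumes the caller's `algorithm` buffer is exactly 50 bytes, which is not visible in the hunk; prefer `sizeof` of the destination where it is an array, or pass the size in, so the bound cannot drift from the declaration. The same applies to `mode` and `keymode` in the next hunk.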
+@@ -233,15 +234,19 @@ int check_file_head(FILE * fstream, char
+ #endif
+
+ read_until_null(tmp_buf, fstream);
+- strcpy(mode, tmp_buf);
++ strncpy(mode, tmp_buf, 50);
++ mode[49] = '\0';
+
+ read_until_null(tmp_buf, fstream);
+- strcpy(keymode, tmp_buf);
++ strncpy(keymode, tmp_buf, 50);
++ keymode[49] = '\0';
+ fread(&sflag, 1, 1, fstream);
+ if (m_getbit(6, flags) == 1) { /* if the salt bit is set */
+ if (m_getbit(0, sflag) != 0) { /* if the first bit is set */
+ *salt_size = m_setbit(0, sflag, 0);
+ if (*salt_size > 0) {
++ if (*salt_size > sizeof(tmp_buf))
++ err_quit(_("Salt is too long\n"));
+ fread(tmp_buf, 1, *salt_size,
+ fstream);
+ memmove(salt, tmp_buf, *salt_size);
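Review bot: `if (*salt_size > sizeof(tmp_buf))` only protects `tmp_buf`; the `memmove(salt, tmp_buf, *salt_size)` that follows writes into `salt`, whose size is not checked here, so confirm `salt` is at least as large as `tmp_buf` or bound the copy by the smaller of the two. Also confirm that `tmp_buf` is a local array in `check_file_head` rather than a pointer parameter (otherwise `sizeof` yields the pointer size), and that `*salt_size` is non-negative before comparing it against a `size_t`. The `fread` return value is still unchecked, so a short read leaves part of the salt uninitialized.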
+@@ -503,6 +508,7 @@ char **read_key_file(char *file, int *nu
+ }
+
+ *num = x;
++ fclose(FROMF);
+
+ return keys;
+
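Review bot: the added `fclose(FROMF)` closes the key-file handle on the normal return path only; check whether `read_key_file` has earlier error returns above this hunk that also leave `FROMF` open.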
Index: pkgsrc/security/mcrypt/patches/patch-src_gaaout.c
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_gaaout.c:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_gaaout.c Wed May 30 14:58:03 2018
@@ -0,0 +1,36 @@
+$NetBSD: patch-src_gaaout.c,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Fix ARM build [XXX needed?]
+* Make native format default like in Debian, Red Hat, and SUSE since
+ openpgp format handling is seriously broken.
+
+From: Debian, Red Hat, SUSE
+
+--- src/gaaout.c.orig 2007-06-09 08:39:14.000000000 +0000
++++ src/gaaout.c
+@@ -5,6 +5,7 @@
+
+
+ #include <defines.h>
++#include "mcrypt_int.h"
+
+ #include <stdio.h>
+ #include <string.h>
+@@ -123,7 +124,7 @@ void gaa_help(void)
+ {
+ printf(_("Mcrypt encrypts and decrypts files with symmetric encryption algorithms.\nUsage: mcrypt [-dFusgbhLvrzp] [-f keyfile] [-k key1 key2 ...] [-m mode] [-o keymode] [-s keysize] [-a
algorithm] [-c config_file] [file ...]\n\n"));
+ __gaa_helpsingle('g', "openpgp", "", _("Use the OpenPGP (RFC2440) file format."));
+- __gaa_helpsingle(0, "no-openpgp", "", _("Use the native (mcrypt) file format."));
++ __gaa_helpsingle(0, "no-openpgp", "", _("Use the native (mcrypt) file format. (DEFAULT)"));
+ __gaa_helpsingle(0, "openpgp-z", _("INTEGER "), _("Sets the compression level for openpgp packets (0 disables)."));
+ __gaa_helpsingle('d', "decrypt", "", _("decrypts."));
+ __gaa_helpsingle('s', "keysize", _("INTEGER "), _("Set the algorithm's key size (in bytes)."));
+@@ -1036,7 +1037,7 @@ int gaa(int argc, char **argv, gaainfo *
+ gaaval->config_file=NULL; gaaval->mode=NULL; gaaval->input=NULL; gaaval->ed_specified=0;
+ gaaval->double_check=0; gaaval->noecho=1; gaaval->flush=0; gaaval->keysize=0;
+ gaaval->algorithms_directory=NULL; gaaval->modes_directory=NULL; gaaval->nodelete=0;
+- gaaval->hash=NULL; gaaval->timer=0; gaaval->openpgp=1; gaaval->openpgp_z = 0; ;};
++ gaaval->hash=NULL; gaaval->timer=0; gaaval->openpgp=0; gaaval->openpgp_z = 0; ;};
+
+ }
+ inited = 1;
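Review bot: flipping `gaaval->openpgp` from 1 to 0 changes the on-disk format for every user who did not pass `-g` or `--no-openpgp` explicitly, and the only man page change in this commit is the spelling patch, so `doc/mcrypt.1` should also state that the native format is now the default and that `-g` is required for OpenPGP output. The `#include "mcrypt_int.h"` is the only part tied to the `[XXX needed?]` ARM note; it pulls in the prototypes added in patch-src_mcrypt__int.h, which is justified on any platform because it removes implicit function declarations, so the XXX marker can be resolved and the justification reworded.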
Index: pkgsrc/security/mcrypt/patches/patch-src_mcrypt.c
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_mcrypt.c:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_mcrypt.c Wed May 30 14:58:03 2018
@@ -0,0 +1,57 @@
+$NetBSD: patch-src_mcrypt.c,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Fix potential long filename buffer overlow (CVE-2012-4527)
+
+From: Debian, Red Hat, SUSE
+
+--- src/mcrypt.c.orig 2007-11-07 17:10:21.000000000 +0000
++++ src/mcrypt.c
+@@ -46,3 +46,3 @@ static char rcsid[] =
+
+-char tmperr[128];
++char tmperr[PATH_MAX + 128];
+ unsigned int stream_flag = FALSE;
+@@ -484,3 +484,3 @@ int main(int argc, char **argv)
+ if (is_normal_file(file[i]) == FALSE) {
+- sprintf(tmperr,
++ snprintf(tmperr, sizeof(tmperr),
+ _
+@@ -503,3 +503,3 @@ int main(int argc, char **argv)
+ && (stream_flag == TRUE) && (force == 0)) { /* not a tty */
+- sprintf(tmperr,
++ snprintf(tmperr, sizeof(tmperr),
+ _
+@@ -522,3 +522,3 @@ int main(int argc, char **argv)
+ && (stream_flag == TRUE) && (force == 0)) { /* not a tty */
+- sprintf(tmperr,
++ snprintf(tmperr, sizeof(tmperr),
+ _
+@@ -546,3 +546,3 @@ int main(int argc, char **argv)
+ if (strstr(outfile, ".nc") != NULL) {
+- sprintf(tmperr,
++ snprintf(tmperr, sizeof(tmperr),
+ _
+@@ -592,3 +592,5 @@ int main(int argc, char **argv)
+ if (stream_flag == FALSE) {
+- sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
++ snprintf(tmperr, sizeof(tmperr),
++ _
++ ("File %s was decrypted.\n"), dinfile);
+ err_warn(tmperr);
+@@ -612,3 +614,3 @@ int main(int argc, char **argv)
+ if (stream_flag == FALSE) {
+- sprintf(tmperr,
++ snprintf(tmperr, sizeof(tmperr),
+ _
+@@ -638,3 +640,5 @@ int main(int argc, char **argv)
+ if (stream_flag == FALSE) {
+- sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
++ snprintf(tmperr, sizeof(tmperr),
++ _
++ ("File %s was encrypted.\n"), einfile);
+ err_warn(tmperr);
+@@ -657,3 +661,3 @@ int main(int argc, char **argv)
+ if (stream_flag == FALSE) {
+- sprintf(tmperr,
++ snprintf(tmperr, sizeof(tmperr),
+ _
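Review bot: `char tmperr[PATH_MAX + 128]` needs `PATH_MAX` from `<limits.h>`, which this hunk does not show being included, so verify it is already present in `src/mcrypt.c`; `PATH_MAX` is also optional in POSIX, so an `#ifndef PATH_MAX` fallback would keep the build portable. The `snprintf(tmperr, sizeof(tmperr), ...)` calls are correct because `tmperr` is a global array; they silently truncate over-long messages, which is acceptable for diagnostics.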
Index: pkgsrc/security/mcrypt/patches/patch-src_mcrypt.gaa
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_mcrypt.gaa:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_mcrypt.gaa Wed May 30 14:58:03 2018
@@ -0,0 +1,27 @@
+$NetBSD: patch-src_mcrypt.gaa,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Make native format default like in Debian, Red Hat, and SUSE since
+ openpgp format handling is seriously broken.
+
+From: Debian, Red Hat, SUSE
+
+--- src/mcrypt.gaa.orig 2007-06-09 08:38:38.000000000 +0000
++++ src/mcrypt.gaa
+@@ -12,7 +12,7 @@ helpnode "Mcrypt encrypts and decrypts f
+
+ #int openpgp;
+ option (g, openpgp) { $openpgp = 1 } "Use the OpenPGP (RFC2440) file format."
+-option (no-openpgp) { $openpgp = 0 } "Use the native (mcrypt) file format."
++option (no-openpgp) { $openpgp = 0 } "Use the native (mcrypt) file format. (DEFAULT)"
+
+ #int openpgp_z;
+ option (openpgp-z) INT "INTEGER" { $openpgp_z = $1 } "Sets the compression level for openpgp packets (0 disables)."
+@@ -119,7 +119,7 @@ init { $force=0; $quiet=1; $real_random_
+ $config_file=NULL; $mode=NULL; $input=NULL; $ed_specified=0;
+ $double_check=0; $noecho=1; $flush=0; $keysize=0;
+ $algorithms_directory=NULL; $modes_directory=NULL; $nodelete=0;
+- $hash=NULL; $timer=0; $openpgp=1; $openpgp_z = 0; }
++ $hash=NULL; $timer=0; $openpgp=0; $openpgp_z = 0; }
+
+ INCOMP kf
+ INCOMP Vq
Index: pkgsrc/security/mcrypt/patches/patch-src_mcrypt__int.h
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_mcrypt__int.h:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_mcrypt__int.h Wed May 30 14:58:03 2018
@@ -0,0 +1,17 @@
+$NetBSD: patch-src_mcrypt__int.h,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Fix ARM build [XXX needed?]
+
+From: Red Hat, SUSE
+
+--- src/mcrypt_int.h.orig 2003-09-08 17:25:50.000000000 +0000
++++ src/mcrypt_int.h
+@@ -15,3 +15,8 @@ void rol_buf(void * buffer, int buffersi
+ void mcrypt_version();
+ void mcrypt_license();
+ void usage(void);
++
++int print_list(void);
++int print_hashlist(void);
++int print_keylist(void);
++
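Review bot: the prototypes for `print_list`, `print_hashlist` and `print_keylist` are worth keeping regardless of ARM, since calling undeclared functions is an error with current compilers; resolve the `[XXX needed?]` marker in the patch header accordingly. Minor: the patch leaves a trailing blank line at the end of the header.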
Index: pkgsrc/security/mcrypt/patches/patch-src_rfc2440.c
diff -u /dev/null pkgsrc/security/mcrypt/patches/patch-src_rfc2440.c:1.1
--- /dev/null Wed May 30 14:58:03 2018
+++ pkgsrc/security/mcrypt/patches/patch-src_rfc2440.c Wed May 30 14:58:03 2018
@@ -0,0 +1,30 @@
+$NetBSD: patch-src_rfc2440.c,v 1.1 2018/05/30 14:58:03 ginsbach Exp $
+
+* Correct include file for OSX
+* Minor consistency change (previously len was uninitialized)
+
+From: Brew, Red Hat, SUSE
+
+--- src/rfc2440.c.orig 2008-11-16 19:50:01.000000000 +0000
++++ src/rfc2440.c
+@@ -23,7 +23,11 @@
+ #include <zlib.h>
+ #endif
+ #include <stdio.h>
++#ifdef __APPLE__
++#include <malloc/malloc.h>
++#else
+ #include <malloc.h>
++#endif
+
+ #include "xmalloc.h"
+ #include "keys.h"
+@@ -409,7 +413,7 @@ length_decode(const uchar *buf, int pos,
+ len += (buf[pos+1] + 192);
+ }
+ else if (buf[pos] == 255) {
+- len += (buf[pos+1] << 24);
++ len = (buf[pos+1] << 24);
+ len += (buf[pos+2] << 16);
+ len += (buf[pos+3] << 8);
+ len += buf[pos+4];
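Review bot: `len = (buf[pos+1] << 24)` fixes the use of an uninitialized `len`, but `buf[pos+1]` is a `uchar` promoted to `int`, so a value of 128 or more shifted left by 24 overflows a signed int, which is undefined behaviour; use `len = ((uint32_t)buf[pos+1] << 24)` (or make `len` unsigned) and, since this is a length taken from the input file, bound-check the result against the remaining buffer before it is used. The `<malloc/malloc.h>` versus `<malloc.h>` switch could be dropped entirely if the file only needs `malloc` and `free`, which `<stdlib.h>` provides on every platform.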