From bogorodskiy@inbox.ru  Sun Oct 24 19:40:19 2004
Return-Path: <bogorodskiy@inbox.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9A21216A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 24 Oct 2004 19:40:19 +0000 (GMT)
Received: from mx2.mail.ru (mx2.mail.ru [194.67.23.122])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5656743D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 24 Oct 2004 19:40:19 +0000 (GMT)
	(envelope-from bogorodskiy@inbox.ru)
Received: from [194.186.150.232] (port=58664 helo=inbox.ru)
	by mx2.mail.ru with esmtp 
	id 1CLoDw-000G9N-00
	for FreeBSD-gnats-submit@freebsd.org; Sun, 24 Oct 2004 23:40:17 +0400
Message-Id: <E1CLoDw-000G9N-00.bogorodskiy-inbox-ru@mx2.mail.ru>
Date: Sun, 24 Oct 2004 23:40:17 +0400
From: Roman Bogorodskiy <bogorodskiy@inbox.ru>
Reply-To: Roman Bogorodskiy <bogorodskiy@inbox.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [ maintainer ] fix audio/mpg123 vulnerabilities
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         73091
>Category:       ports
>Synopsis:       [ maintainer ] fix audio/mpg123 vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    simon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 24 19:40:30 GMT 2004
>Closed-Date:    Fri Nov 05 22:55:08 GMT 2004
>Last-Modified:  Fri Nov 05 22:55:08 GMT 2004
>Originator:     Roman Bogorodskiy
>Release:        FreeBSD 5.3-BETA7 i386
>Organization:
>Environment:
System: FreeBSD lame.novel.ru 5.3-BETA7 FreeBSD 5.3-BETA7 #12: Sat Oct 16 20:09:15 MSD 2004 root@lame.novel.ru:/usr/obj/usr/home/novel/current/src/sys/NOVEL i386


>Description:
	Fix two mpg123 vulnerabilities [1]; pointed out/helped to fix: simon.

	[1] http://www.vuxml.org/freebsd/20d16518-2477-11d9-814e-0001020eed82.html
>How-To-Repeat:
>Fix:

diff -ru mpg123.orig/files/patch-httpget.c mpg123/files/patch-httpget.c
--- mpg123.orig/files/patch-httpget.c	Sun Oct 24 19:25:52 2004
+++ mpg123/files/patch-httpget.c	Sun Oct 24 23:24:40 2004
@@ -1,6 +1,6 @@
---- httpget.c.orig	2003-11-13 18:34:37.000000000 +0000
-+++ httpget.c	2003-11-13 18:35:10.000000000 +0000
-@@ -55,11 +55,10 @@ void readstring (char *string, int maxle
+--- httpget.c.orig	Sun Oct 24 19:33:47 2004
++++ httpget.c	Sun Oct 24 19:34:18 2004
+@@ -55,11 +55,10 @@
  #endif
  	int pos = 0;
  
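Review bot: this hunk (and the one that follows it) is cosmetic churn only: the inner ---/+++ timestamps are regenerated and the @@ headers lose the `void readstring (char *string, int maxle` function context, which is just the result of running diff without -p rather than any change to the patch body. Harmless, but it makes the port's patch file look more modified than it is; regenerating with the same diff flags as the original would keep these two hunks out of the submission and leave only the real fix.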
@@ -13,7 +13,7 @@
  				break;
  			}
  		}
-@@ -68,6 +67,7 @@ void readstring (char *string, int maxle
+@@ -68,6 +67,7 @@
  			exit(1);
  		}
  	}
@@ -21,3 +21,32 @@
  #if 0
  	do {
  		result = fgets(string, maxlen, f);
+@@ -126,7 +126,13 @@
+       if( url[i] == '/' )
+          return 0;
+     }
+-    strncpy(auth,url,pos-url);
++
++    /* cut up the string to prevent scary BOF */
++    if (pos-url > 255)
++	strncpy(auth,url,255);
++    else
++	strncpy(auth,url,pos-url);
++
+     auth[pos-url] = 0;
+     strcpy(url,pos+1);
+     return 1;
+@@ -292,11 +298,11 @@
+ 			}
+ 			strcat (request, sptr);
+ 		}
+-		sprintf (request + strlen(request),
++		snprintf (request + strlen(request), linelength - strlen(request),
+ 			" HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
+ 			prgName, prgVersion);
+ 		if (host) {
+-			sprintf(request + strlen(request),
++			snprintf(request + strlen(request), linelength - strlen(request),
+ 				"Host: %s:%s\r\n", host, myport);
+ #if 0
+ 			free (host);
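Review bot: the clamp in the hunk at -126,7 +126,13 bounds the copy but not the terminator. `auth[pos-url] = 0;` still indexes with the unclamped `pos-url`, so when `pos-url` exceeds 255 the `strncpy` is limited to 255 bytes but a zero byte is still stored past the end of `auth`, which is still an out-of-bounds write; and since `strncpy(auth,url,255)` does not terminate a copy that fills its full length, `auth` is then not NUL-terminated inside its own bounds at all. Compute the length once and use it for both operations, e.g. `len = pos - url; if (len > 255) len = 255;` followed by `strncpy(auth, url, len); auth[len] = 0;`, and prefer `sizeof(auth) - 1` to the bare 255 if `auth` is a fixed array (its declaration is not in this hunk, so the 255 is taken on trust). While here, `strcpy(url,pos+1);` copies within the same buffer; overlapping `strcpy` is undefined behaviour and `memmove` with the tail length is the safe form. In the hunk at -292,11 +298,11, the new bound `linelength - strlen(request)` is only meaningful while `strlen(request) <= linelength`: the `strcat (request, sptr);` three lines above is still unbounded, so if it has already overrun, the subtraction wraps to a huge size_t and the `snprintf` is effectively unbounded again. Bound that `strcat` as well (or check the remaining space before it), and compare the `snprintf` return value against the space left so a truncated request is rejected rather than sent.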
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->simon 
Responsible-Changed-By: simon 
Responsible-Changed-When: Sun Oct 24 22:02:09 GMT 2004 
Responsible-Changed-Why:  
I have been looking at this issue, so I will get it committed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73091 
State-Changed-From-To: open->closed 
State-Changed-By: simon 
State-Changed-When: Fri Nov 5 22:53:16 GMT 2004 
State-Changed-Why:  
Latest version of the patch committed, with a few whitespace changes
to make the diff more readable.  Thanks for the submission, sorry
about the delay!

http://www.freebsd.org/cgi/query-pr.cgi?pr=73091 
>Unformatted:
