mirror of
https://github.com/SlackBuildsOrg/slackbuilds
synced 2024-09-28 15:21:00 +02:00
network/rhapsody: Security fix.
Signed-off-by: B. Watson <yalhcru@gmail.com> Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
parent
4fb23fcdac
commit
4c6598c811
4 changed files with 79 additions and 11 deletions
|
@ -1,3 +1,5 @@
|
|||
rhapsody (text console IRC client for Unix operating systems)
|
||||
|
||||
Rhapsody is small, fast, portable and easy to use, yet it is full
|
||||
featured. The thing that separates it from the crowd is its intuitive
|
||||
menu driven user interface.
|
||||
|
|
|
@ -6,11 +6,23 @@
|
|||
|
||||
# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.
|
||||
|
||||
# 20210923 bkw: fix build on -current, mitigate buffer overflow.
|
||||
|
||||
# TODO: see if there's anything to these:
|
||||
# https://www.cvedetails.com/cve/CVE-2007-1502/
|
||||
# https://www.cvedetails.com/cve/CVE-2007-1503/
|
||||
# ...these appear to be the same CVE. Huh.
|
||||
# It looks autogenerated, and there's no POC. Pretty much all the
|
||||
# buffer overflows would depend on the user typing >1024 characters.
|
||||
# The patch below prevents that, at least. There are a bunch of
|
||||
# format string warnings from gcc that deserve looking at, but I
|
||||
# don't have the time right now.
|
||||
|
||||
cd $(dirname $0) ; CWD=$(pwd)
|
||||
|
||||
PRGNAM=rhapsody
|
||||
VERSION=${VERSION:-0.28b}
|
||||
BUILD=${BUILD:-1}
|
||||
BUILD=${BUILD:-2}
|
||||
TAG=${TAG:-_SBo}
|
||||
PKGTYPE=${PKGTYPE:-tgz}
|
||||
|
||||
|
@ -22,9 +34,6 @@ if [ -z "$ARCH" ]; then
|
|||
esac
|
||||
fi
|
||||
|
||||
# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
|
||||
# the name of the created package would be, and then exit. This information
|
||||
# could be useful to other scripts.
|
||||
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
|
||||
echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
|
||||
exit 0
|
||||
|
@ -58,14 +67,17 @@ rm -rf $PRGNAM-$VERSION
|
|||
tar xvf $CWD/${PRGNAM}_$VERSION.tgz
|
||||
cd $PRGNAM-$VERSION
|
||||
chown -R root:root .
|
||||
find -L . \
|
||||
\( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
|
||||
-o -perm 511 \) -exec chmod 755 {} \; -o \
|
||||
\( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
|
||||
-o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
|
||||
find -L . -perm /111 -a \! -perm 755 -a -exec chmod 755 {} \+ -o \
|
||||
\! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} \+
|
||||
|
||||
# This patch does:
|
||||
# - prevent input buffer overflow if user types/pastes > 1023 chars
|
||||
# into the input window.
|
||||
# - ignore incoming DCC files, if their names contain a /
|
||||
patch -p1 < $CWD/securityfix.diff
|
||||
|
||||
./configure -i /usr/bin -d /usr/doc/$PRGNAM-$VERSION
|
||||
make LOCALFLAGS="$SLKCFLAGS"
|
||||
make LOCALFLAGS="$SLKCFLAGS -fcommon"
|
||||
strip $PRGNAM
|
||||
make install \
|
||||
INSTALLPATH=$PKG/usr/bin \
|
||||
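Review bot: The build line `make LOCALFLAGS="$SLKCFLAGS -fcommon"` adds no compile-time hardening, although the header comment admits that the remaining buffer overflows and gcc's format-string warnings were not audited. Since securityfix.diff only bounds a handful of calls, consider `make LOCALFLAGS="$SLKCFLAGS -fcommon -D_FORTIFY_SOURCE=2"`, so that an overrun in one of the untouched `strcpy`/`sprintf` calls can abort instead of silently corrupting memory. This presumably needs optimisation enabled in SLKCFLAGS, which is set outside the visible hunks. The comment `# - ignore incoming DCC files, if their names contain a /` should also be reworded unless the patch really rejects such files, because the dcc.c hunk shown on this page only prints an error.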
|
|
|
@ -1,7 +1,7 @@
|
|||
PRGNAM="rhapsody"
|
||||
VERSION="0.28b"
|
||||
HOMEPAGE="http://rhapsody.sourceforge.net/"
|
||||
DOWNLOAD="http://downloads.sourceforge.net/rhapsody/rhapsody_0.28b.tgz"
|
||||
DOWNLOAD="https://downloads.sourceforge.net/rhapsody/rhapsody_0.28b.tgz"
|
||||
MD5SUM="0792de636a2625a826491e387fcb1305"
|
||||
DOWNLOAD_x86_64=""
|
||||
MD5SUM_x86_64=""
|
||||
|
|
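--- /dev/null
+++ b/network/rhapsody/securityfix.diff
@@ -0,0 +1,54 @@
+diff -Naur rhapsody-0.28b/src/dcc.c rhapsody-0.28b.patched/src/dcc.c
+--- rhapsody-0.28b/src/dcc.c 2006-02-24 01:46:19.000000000 -0500
++++ rhapsody-0.28b.patched/src/dcc.c 2021-09-16 15:46:52.830186229 -0400
+@@ -702,7 +702,11 @@
+FILE *fp;
+int fd;
+
+- sprintf(filepath, "%s/%s", configuration.dccdlpath, filename);
++ if(strchr(filename, "/")) {
++ vprint_all_attrib(ERROR_COLOR, "DCC File: Filename %s has directory separators, not allowed\n", filename);
++ }
++
++ snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filename);
+
+/* check if the file exists, and if it does, append a timestamp extension */
+fp = fopen(filepath, "rb");
+@@ -710,13 +714,13 @@
+if (fp != NULL && configuration.dccduplicates == 1){
+ct = time(NULL);
+t = localtime(&ct);
+- sprintf(filestamp, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
++ snprintf(filestamp, 1023, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+vprint_all_attrib(DCC_COLOR, "DCC file %s exists, saving as %s\n", filename, filestamp);
+- sprintf(filepath, "%s/%s", configuration.dccdlpath, filestamp);
++ snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filestamp);
+fclose(fp);
+strcpy(filenamex, filestamp);
+}
+- else strcpy(filenamex, filename);
++ else strncpy(filenamex, filename, 1023);
+
+//fp = fopen(filepath, "wb");
+//if (fp == NULL){
+diff -Naur rhapsody-0.28b/src/screen.c rhapsody-0.28b.patched/src/screen.c
+--- rhapsody-0.28b/src/screen.c 2006-02-24 01:46:19.000000000 -0500
++++ rhapsody-0.28b.patched/src/screen.c 2021-09-16 15:39:03.142240866 -0400
+@@ -2294,7 +2294,7 @@
+void add_input_buffer(inputwin *I, int value){
+char scratch[MAXDATASIZE];
+
+- if (I->cursorpos < MAXDATASIZE){
++ if (I->cursorpos < MAXDATASIZE - 1){
+strcpy(scratch, &(I->inputbuffer)[I->cursorpos]);
+(I->inputbuffer)[I->cursorpos] = value;
+strcpy(&(I->inputbuffer)[I->cursorpos+1], scratch);
+@@ -2306,7 +2306,7 @@
+void append_input_buffer(inputwin *I, char *string){
+char scratch[MAXDATASIZE];
+
+- if (I->cursorpos + strlen(string) < MAXDATASIZE){
++ if (I->cursorpos + strlen(string) < MAXDATASIZE - 1){
+strcpy(scratch, &(I->inputbuffer)[I->cursorpos]);
+strcpy(&(I->inputbuffer)[I->cursorpos], string);
+strcpy(&(I->inputbuffer)[I->cursorpos + strlen(string)], scratch);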
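Review bot: The new DCC filename check in the dcc.c hunk does not stop anything. `strchr(filename, "/")` passes a string literal where `strchr` expects a character, so the pointer is converted to an integer and the search is for an arbitrary byte rather than `/`; even when the branch is taken, it only prints the error and falls through to `snprintf` and `fopen`. It should read `if (strchr(filename, '/')) { vprint_all_attrib(...); return; }`, with the return adapted to the enclosing function, whose signature lies outside the hunk. The literal `1023` assumes buffer sizes that are not visible here, so `sizeof filepath` and the like would be safer if these are arrays, and `strncpy(filenamex, filename, 1023)` leaves `filenamex` unterminated when the name is 1023 bytes or longer. In screen.c the guards still test `I->cursorpos` rather than `strlen(I->inputbuffer)`, so an insertion in the middle of a nearly full line presumably still writes the saved tail past the end of the buffer; the check should bound the resulting total length.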