network/rhapsody: Security fix.

Signed-off-by: B. Watson <yalhcru@gmail.com> Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
2024-09-28 15:21:00 +02:00 · 2021-09-23 16:51:58 -04:00 · 2021-09-23 16:51:58 -04:00 · 4c6598c811
commit 4c6598c811
parent 4fb23fcdac
4 changed files with 79 additions and 11 deletions
--- a/network/rhapsody/README
+++ b/network/rhapsody/README
@ -1,3 +1,5 @@
+rhapsody (text console IRC client for Unix operating systems)
+
 Rhapsody is small, fast, portable and easy to use, yet it is full
 featured. The thing that separates it from the crowd is its intuitive
 menu driven user interface.
--- a/network/rhapsody/rhapsody.SlackBuild
+++ b/network/rhapsody/rhapsody.SlackBuild
@ -6,11 +6,23 @@

 # Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.

+# 20210923 bkw: fix build on -current, mitigate buffer overflow.
+
+# TODO: see if there's anything to these:
+# https://www.cvedetails.com/cve/CVE-2007-1502/
+# https://www.cvedetails.com/cve/CVE-2007-1503/
+# ...these appear to be the same CVE. Huh.
+# It looks autogenerated, and there's no POC. Pretty much all the
+# buffer overflows would depend on the user typing >1024 characters.
+# The patch below prevents that, at least. There are a bunch of
+# format string warnings from gcc that deserve looking at, but I
+# don't have the time right now.
+
 cd $(dirname $0) ; CWD=$(pwd)

 PRGNAM=rhapsody
 VERSION=${VERSION:-0.28b}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 PKGTYPE=${PKGTYPE:-tgz}

@ -22,9 +34,6 @@ if [ -z "$ARCH" ]; then
  esac
 fi

-# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
-# the name of the created package would be, and then exit. This information
-# could be useful to other scripts.
 if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
  echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
  exit 0
@ -58,14 +67,17 @@ rm -rf $PRGNAM-$VERSION
 tar xvf $CWD/${PRGNAM}_$VERSION.tgz
 cd $PRGNAM-$VERSION
 chown -R root:root .
-find -L . \
- \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
-  -o -perm 511 \) -exec chmod 755 {} \; -o \
- \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
- -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+find -L .  -perm /111 -a \! -perm 755 -a -exec chmod 755 {} \+ -o \
+        \! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} \+
+
+# This patch does:
+# - prevent input buffer overflow if user types/pastes > 1023 chars
+#   into the input window.
+# - ignore incoming DCC files, if their names contain a /
+patch -p1 < $CWD/securityfix.diff

 ./configure -i /usr/bin -d /usr/doc/$PRGNAM-$VERSION
-make LOCALFLAGS="$SLKCFLAGS"
+make LOCALFLAGS="$SLKCFLAGS -fcommon"
 strip $PRGNAM
 make install \
  INSTALLPATH=$PKG/usr/bin \
--- a/network/rhapsody/rhapsody.info
+++ b/network/rhapsody/rhapsody.info
@ -1,7 +1,7 @@
 PRGNAM="rhapsody"
 VERSION="0.28b"
 HOMEPAGE="http://rhapsody.sourceforge.net/"
-DOWNLOAD="http://downloads.sourceforge.net/rhapsody/rhapsody_0.28b.tgz"
+DOWNLOAD="https://downloads.sourceforge.net/rhapsody/rhapsody_0.28b.tgz"
 MD5SUM="0792de636a2625a826491e387fcb1305"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
--- a/network/rhapsody/securityfix.diff
+++ b/network/rhapsody/securityfix.diff
@ -0,0 +1,54 @@
+diff -Naur rhapsody-0.28b/src/dcc.c rhapsody-0.28b.patched/src/dcc.c
+--- rhapsody-0.28b/src/dcc.c	2006-02-24 01:46:19.000000000 -0500
+++ rhapsody-0.28b.patched/src/dcc.c	2021-09-16 15:46:52.830186229 -0400
+@@ -702,7 +702,11 @@
+ 	FILE *fp;
+ 	int fd;
+ 
+-	sprintf(filepath, "%s/%s", configuration.dccdlpath, filename);
+	if(strchr(filename, "/")) {
+		vprint_all_attrib(ERROR_COLOR, "DCC File: Filename %s has directory separators, not allowed\n", filename);
+	}
+
+	snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filename);
+ 
+ 	/* check if the file exists, and if it does, append a timestamp extension */
+ 	fp = fopen(filepath, "rb");
+@@ -710,13 +714,13 @@
+ 	if (fp != NULL && configuration.dccduplicates == 1){
+ 		ct = time(NULL);
+ 		t = localtime(&ct);
+-		sprintf(filestamp, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+		snprintf(filestamp, 1023, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+ 		vprint_all_attrib(DCC_COLOR, "DCC file %s exists, saving as %s\n", filename, filestamp);
+-		sprintf(filepath, "%s/%s", configuration.dccdlpath, filestamp);
+		snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filestamp);
+ 		fclose(fp);
+ 		strcpy(filenamex, filestamp);
+ 	}
+-	else strcpy(filenamex, filename);
+	else strncpy(filenamex, filename, 1023);
+ 
+ 	//fp = fopen(filepath, "wb");
+ 	//if (fp == NULL){
+diff -Naur rhapsody-0.28b/src/screen.c rhapsody-0.28b.patched/src/screen.c
+--- rhapsody-0.28b/src/screen.c	2006-02-24 01:46:19.000000000 -0500
+++ rhapsody-0.28b.patched/src/screen.c	2021-09-16 15:39:03.142240866 -0400
+@@ -2294,7 +2294,7 @@
+ void add_input_buffer(inputwin *I, int value){
+ 	char scratch[MAXDATASIZE];
+ 
+-	if (I->cursorpos < MAXDATASIZE){
+	if (I->cursorpos < MAXDATASIZE - 1){
+ 		strcpy(scratch, &(I->inputbuffer)[I->cursorpos]);
+ 	        (I->inputbuffer)[I->cursorpos] = value;
+ 	        strcpy(&(I->inputbuffer)[I->cursorpos+1], scratch);
+@@ -2306,7 +2306,7 @@
+ void append_input_buffer(inputwin *I, char *string){
+ 	char scratch[MAXDATASIZE];
+ 
+-	if (I->cursorpos + strlen(string) < MAXDATASIZE){
+	if (I->cursorpos + strlen(string) < MAXDATASIZE - 1){
+ 		strcpy(scratch, &(I->inputbuffer)[I->cursorpos]);
+ 	        strcpy(&(I->inputbuffer)[I->cursorpos], string);
+ 	        strcpy(&(I->inputbuffer)[I->cursorpos + strlen(string)], scratch);