head 1.4; access; symbols OPENPKG_E1_MP_HEAD:1.4 OPENPKG_E1_MP:1.4 OPENPKG_E1_MP_2_STABLE:1.4 OPENPKG_E1_FP:1.4 OPENPKG_2_STABLE_20061018:1.4 OPENPKG_2_STABLE:1.4.0.10 OPENPKG_2_STABLE_BP:1.4 OPENPKG_2_5_SOLID:1.4.0.8 OPENPKG_2_5_SOLID_BP:1.4 OPENPKG_2_4_RELEASE:1.4 OPENPKG_2_4_SOLID:1.4.0.6 OPENPKG_2_4_SOLID_BP:1.4 OPENPKG_2_3_RELEASE:1.4 OPENPKG_2_3_SOLID:1.4.0.4 OPENPKG_2_3_SOLID_BP:1.4 OPENPKG_2_2_RELEASE:1.4 OPENPKG_2_2_SOLID:1.4.0.2 OPENPKG_2_2_SOLID_BP:1.4 OPENPKG_2_1_RELEASE:1.3 OPENPKG_2_1_SOLID:1.3.0.2 OPENPKG_2_1_SOLID_BP:1.3 OPENPKG_1_3_SOLID:1.1.0.4 OPENPKG_2_0_SOLID:1.1.0.2; locks; strict; comment @# @; 1.4 date 2004.09.30.17.32.18; author rse; state dead; branches; next 1.3; 1.3 date 2004.04.13.07.53.32; author thl; state Exp; branches; next 1.2; 1.2 date 2004.04.13.07.48.56; author thl; state Exp; branches; next 1.1; 1.1 date 2004.04.07.12.40.09; author thl; state Exp; branches 1.1.2.1 1.1.4.1; next ; 1.1.2.1 date 2004.04.07.12.42.11; author thl; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2004.04.13.07.57.01; author thl; state Exp; branches; next ; 1.1.4.1 date 2004.04.07.12.45.25; author thl; state Exp; branches; next 1.1.4.2; 1.1.4.2 date 2004.04.13.07.58.54; author thl; state Exp; branches; next ; desc @@ 1.4 log @upgrading package: sharutils 4.2.1 -> 4.3.77 @ text @http://www.securityfocus.com/archive/1/359639 GNU Sharutils buffer overflow vulnerability http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126 http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126&q=p3 GNU Sharutils buffer overflow vulnerability - improved patch --- src/shar.orig.c 2004-04-07 16:18:23.000000000 +0100 +++ src/shar.c 2004-04-07 16:39:04.000000000 +0100 @@@@ -212,10 +212,10 @@@@ static long first_file_position; /* Base for output filename. FIXME: No fix limit in GNU... */ -static char output_base_name[50]; +static char output_base_name[512]; /* Actual output filename. FIXME: No fix limit in GNU... 
*/ -static char output_filename[50]; +static char output_filename[512]; static char *submitter_address = NULL; @@@@ -1905,9 +1905,29 @@@@ break; case 'o': - strcpy (output_base_name, optarg); - if (!strchr (output_base_name, '%')) - strcat (output_base_name, ".%02d"); + /* + * Note: the magic '6' below is exactly sizeof(".%02d"). + * Don't forget to increase size of output_filename[] appropriately + * when you increase field width from 2 up to something greater than 4. + */ + { + register int i = 0; + register char *str = optarg; + + while (i < sizeof(output_base_name) - 6) { + register char c; + + output_base_name[i++] = (c = *str++); + if (c == '%') + if (i < sizeof(output_base_name) - 6) + output_base_name[i++] = c; + else { + i--; + break; + } + } + strcpy (output_base_name + i, ".%02d"); + } part_number = 0; open_output (); break; @ 1.3 log @GNU Sharutils buffer overflow vulnerability - improved patch @ text @@ 1.2 log @make room for improved patch @ text @d4 53 @ 1.1 log @SA-2004.011-sharutils @ text @a3 13 Index: src/shar.c --- src/shar.c.orig 2004-04-07 14:27:20.000000000 +0200 +++ src/shar.c 2004-04-07 14:30:27.000000000 +0200 @@@@ -1905,7 +1905,7 @@@@ break; case 'o': - strcpy (output_base_name, optarg); + strncpy (output_base_name, optarg, sizeof(output_base_name)); if (!strchr (output_base_name, '%')) strcat (output_base_name, ".%02d"); part_number = 0; @ 1.1.4.1 log @SA-2004.011-sharutils @ text @@ 1.1.4.2 log @MFC: GNU Sharutils buffer overflow vulnerability - improved patch @ text @d4 4 a7 20 http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126 http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126&q=p3 GNU Sharutils buffer overflow vulnerability - improved patch --- src/shar.orig.c 2004-04-07 16:18:23.000000000 +0100 +++ src/shar.c 2004-04-07 16:39:04.000000000 +0100 @@@@ -212,10 +212,10 @@@@ static long first_file_position; /* Base for output filename. FIXME: No fix limit in GNU... 
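Review bot: The copy loop added under `case 'o':` never tests for the terminating NUL of `optarg`: as shown, it stops only when `i` reaches `sizeof(output_base_name) - 6` or on the `%` edge case, so for any shorter argument it stores the NUL and keeps reading `*str++` past the end of the string. The out-of-bounds write is replaced by an out-of-bounds read, and `.%02d` is then written after an embedded NUL, so code that treats `output_base_name` as a C string would presumably never see the suffix (its consumers are outside the hunk). I would add, directly after the store, `if (c == '\0') { i--; break; }` so that the suffix overwrites the terminator. The nested `if (c == '%') if (...) ... else { ... }` also deserves explicit braces, because the `else` binds to the inner `if` only through the dangling-else rule. The same lines recur in the 1.1.4.2 and 1.1.2.2 deltas further down, and the enclosing switch starts and ends outside the hunk.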
*/ -static char output_base_name[50]; +static char output_base_name[512]; /* Actual output filename. FIXME: No fix limit in GNU... */ -static char output_filename[50]; +static char output_filename[512]; static char *submitter_address = NULL; @@@@ -1905,9 +1905,29 @@@@ d12 3 a14 25 - if (!strchr (output_base_name, '%')) - strcat (output_base_name, ".%02d"); + /* + * Note: the magic '6' below is exactly sizeof(".%02d"). + * Don't forget to increase size of output_filename[] appropriately + * when you increase field width from 2 up to something greater than 4. + */ + { + register int i = 0; + register char *str = optarg; + + while (i < sizeof(output_base_name) - 6) { + register char c; + + output_base_name[i++] = (c = *str++); + if (c == '%') + if (i < sizeof(output_base_name) - 6) + output_base_name[i++] = c; + else { + i--; + break; + } + } + strcpy (output_base_name + i, ".%02d"); + } a15 2 open_output (); break; @ 1.1.2.1 log @SA-2004.011-sharutils @ text @@ 1.1.2.2 log @MFC: GNU Sharutils buffer overflow vulnerability - improved patch @ text @d4 4 a7 20 http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126 http://marc.theaimsgroup.com/?l=bugtraq&m=108164583423126&q=p3 GNU Sharutils buffer overflow vulnerability - improved patch --- src/shar.orig.c 2004-04-07 16:18:23.000000000 +0100 +++ src/shar.c 2004-04-07 16:39:04.000000000 +0100 @@@@ -212,10 +212,10 @@@@ static long first_file_position; /* Base for output filename. FIXME: No fix limit in GNU... */ -static char output_base_name[50]; +static char output_base_name[512]; /* Actual output filename. FIXME: No fix limit in GNU... */ -static char output_filename[50]; +static char output_filename[512]; static char *submitter_address = NULL; @@@@ -1905,9 +1905,29 @@@@ d12 3 a14 25 - if (!strchr (output_base_name, '%')) - strcat (output_base_name, ".%02d"); + /* + * Note: the magic '6' below is exactly sizeof(".%02d"). 
+ * Don't forget to increase size of output_filename[] appropriately + * when you increase field width from 2 up to something greater than 4. + */ + { + register int i = 0; + register char *str = optarg; + + while (i < sizeof(output_base_name) - 6) { + register char c; + + output_base_name[i++] = (c = *str++); + if (c == '%') + if (i < sizeof(output_base_name) - 6) + output_base_name[i++] = c; + else { + i--; + break; + } + } + strcpy (output_base_name + i, ".%02d"); + } a15 2 open_output (); break; @