diff options
author | B. Watson <yalhcru@gmail.com> | 2021-09-23 16:51:58 -0400 |
---|---|---|
committer | Willy Sudiarto Raharjo <willysr@slackbuilds.org> | 2021-10-13 00:52:25 +0700 |
commit | 4c6598c811f7088fd054bd96c2585785329a26da (patch) | |
tree | 1bc4a5de34495b512106414dd0ec8d3018bfab69 /network/rhapsody | |
parent | 4fb23fcdacf11976f0dc1e0c19ff48ec245ebd49 (diff) |
network/rhapsody: Security fix.
Signed-off-by: B. Watson <yalhcru@gmail.com>
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
Diffstat (limited to 'network/rhapsody')
-rw-r--r-- | network/rhapsody/README | 2 | ||||
-rw-r--r-- | network/rhapsody/rhapsody.SlackBuild | 32 | ||||
-rw-r--r-- | network/rhapsody/rhapsody.info | 2 | ||||
-rw-r--r-- | network/rhapsody/securityfix.diff | 54 |
4 files changed, 79 insertions, 11 deletions
diff --git a/network/rhapsody/README b/network/rhapsody/README index a3e174d539782..fde0ab3badae8 100644 --- a/network/rhapsody/README +++ b/network/rhapsody/README @@ -1,3 +1,5 @@ +rhapsody (text console IRC client for Unix operating systems) + Rhapsody is small, fast, portable and easy to use, yet it is full featured. The thing that separates it from the crowd is its intuitive menu driven user interface. diff --git a/network/rhapsody/rhapsody.SlackBuild b/network/rhapsody/rhapsody.SlackBuild index 747f403192610..6d85a502b6f48 100644 --- a/network/rhapsody/rhapsody.SlackBuild +++ b/network/rhapsody/rhapsody.SlackBuild @@ -6,11 +6,23 @@ # Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details. +# 20210923 bkw: fix build on -current, mitigate buffer overflow. + +# TODO: see if there's anything to these: +# https://www.cvedetails.com/cve/CVE-2007-1502/ +# https://www.cvedetails.com/cve/CVE-2007-1503/ +# ...these appear to be the same CVE. Huh. +# It looks autogenerated, and there's no POC. Pretty much all the +# buffer overflows would depend on the user typing >1024 characters. +# The patch below prevents that, at least. There are a bunch of +# format string warnings from gcc that deserve looking at, but I +# don't have the time right now. + cd $(dirname $0) ; CWD=$(pwd) PRGNAM=rhapsody VERSION=${VERSION:-0.28b} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} PKGTYPE=${PKGTYPE:-tgz} @@ -22,9 +34,6 @@ if [ -z "$ARCH" ]; then esac fi -# If the variable PRINT_PACKAGE_NAME is set, then this script will report what -# the name of the created package would be, and then exit. This information -# could be useful to other scripts. if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE" exit 0 @@ -58,14 +67,17 @@ rm -rf $PRGNAM-$VERSION tar xvf $CWD/${PRGNAM}_$VERSION.tgz cd $PRGNAM-$VERSION chown -R root:root . -find -L . \ - \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ - -o -perm 511 \) -exec chmod 755 {} \; -o \ - \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ - -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; +find -L . -perm /111 -a \! -perm 755 -a -exec chmod 755 {} \+ -o \ + \! -perm /111 -a \! -perm 644 -a -exec chmod 644 {} \+ + +# This patch does: +# - prevent input buffer overflow if user types/pastes > 1023 chars +# into the input window. +# - ignore incoming DCC files, if their names contain a / +patch -p1 < $CWD/securityfix.diff ./configure -i /usr/bin -d /usr/doc/$PRGNAM-$VERSION -make LOCALFLAGS="$SLKCFLAGS" +make LOCALFLAGS="$SLKCFLAGS -fcommon" strip $PRGNAM make install \ INSTALLPATH=$PKG/usr/bin \ diff --git a/network/rhapsody/rhapsody.info b/network/rhapsody/rhapsody.info index 5decd05926f8f..b401f337cb219 100644 --- a/network/rhapsody/rhapsody.info +++ b/network/rhapsody/rhapsody.info @@ -1,7 +1,7 @@ PRGNAM="rhapsody" VERSION="0.28b" HOMEPAGE="http://rhapsody.sourceforge.net/" -DOWNLOAD="http://downloads.sourceforge.net/rhapsody/rhapsody_0.28b.tgz" +DOWNLOAD="https://downloads.sourceforge.net/rhapsody/rhapsody_0.28b.tgz" MD5SUM="0792de636a2625a826491e387fcb1305" DOWNLOAD_x86_64="" MD5SUM_x86_64="" diff --git a/network/rhapsody/securityfix.diff b/network/rhapsody/securityfix.diff new file mode 100644 index 0000000000000..bb9db0d646eb4 --- /dev/null +++ b/network/rhapsody/securityfix.diff @@ -0,0 +1,54 @@ +diff -Naur rhapsody-0.28b/src/dcc.c rhapsody-0.28b.patched/src/dcc.c +--- rhapsody-0.28b/src/dcc.c 2006-02-24 01:46:19.000000000 -0500 ++++ rhapsody-0.28b.patched/src/dcc.c 2021-09-16 15:46:52.830186229 -0400 +@@ -702,7 +702,11 @@ + FILE *fp; + int fd; + +- sprintf(filepath, "%s/%s", configuration.dccdlpath, filename); ++ if(strchr(filename, "/")) { ++ vprint_all_attrib(ERROR_COLOR, "DCC File: Filename %s has directory separators, not allowed\n", filename); ++ } ++ ++ snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filename); + + /* check if the file exists, and if it does, append a timestamp extension */ + fp = fopen(filepath, "rb"); +@@ -710,13 +714,13 @@ + if (fp != NULL && configuration.dccduplicates == 1){ + ct = time(NULL); + t = localtime(&ct); +- sprintf(filestamp, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); ++ snprintf(filestamp, 1023, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec); + vprint_all_attrib(DCC_COLOR, "DCC file %s exists, saving as %s\n", filename, filestamp); +- sprintf(filepath, "%s/%s", configuration.dccdlpath, filestamp); ++ snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filestamp); + fclose(fp); + strcpy(filenamex, filestamp); + } +- else strcpy(filenamex, filename); ++ else strncpy(filenamex, filename, 1023); + + //fp = fopen(filepath, "wb"); + //if (fp == NULL){ +diff -Naur rhapsody-0.28b/src/screen.c rhapsody-0.28b.patched/src/screen.c +--- rhapsody-0.28b/src/screen.c 2006-02-24 01:46:19.000000000 -0500 ++++ rhapsody-0.28b.patched/src/screen.c 2021-09-16 15:39:03.142240866 -0400 +@@ -2294,7 +2294,7 @@ + void add_input_buffer(inputwin *I, int value){ + char scratch[MAXDATASIZE]; + +- if (I->cursorpos < MAXDATASIZE){ ++ if (I->cursorpos < MAXDATASIZE - 1){ + strcpy(scratch, &(I->inputbuffer)[I->cursorpos]); + (I->inputbuffer)[I->cursorpos] = value; + strcpy(&(I->inputbuffer)[I->cursorpos+1], scratch); +@@ -2306,7 +2306,7 @@ + void append_input_buffer(inputwin *I, char *string){ + char scratch[MAXDATASIZE]; + +- if (I->cursorpos + strlen(string) < MAXDATASIZE){ ++ if (I->cursorpos + strlen(string) < MAXDATASIZE - 1){ + strcpy(scratch, &(I->inputbuffer)[I->cursorpos]); + strcpy(&(I->inputbuffer)[I->cursorpos], string); + strcpy(&(I->inputbuffer)[I->cursorpos + strlen(string)], scratch); |