pkgsrc-Bugs archive


pkg/28840: security update for ytalk package



>Number:         28840
>Category:       pkg
>Synopsis:       update to ytalk 3.2.0 for security fix
>Confidential:   yes
>Severity:       critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 02 17:45:00 +0000 2005
>Originator:     Michael Santos
>Release:        NetBSD 2.99.11
>Organization:
        
>Environment:
        
        
System: NetBSD ack 2.99.11 NetBSD 2.99.11 (ack) #90: Thu Dec 30 16:05:34 EST 2004 root@ack:/home/build/src/sys/arch/i386/compile/obj/ack i386
Architecture: i386
Machine: i386
>Description:

ytalk maintainer informed me there is a buffer overflow in an
sprintf() that is remotely exploitable in versions previous to
3.2.0.

from 3.1.6 to 3.2.0
        . added far-right "stomping", fixes procps top(1) among other things
        . separated handling of CR and LF, makes a lot of programs work better
        . added support for 'G' escape sequence used by Gentoo's init scripts
        . added "escape-yesno" patch from FreeBSD that optionally requires
          you to press <escape> before answering yes/no questions
        . added a "YTALK_VERSION" environment variable to subshells
        . fixed an endless loop in curses titlebar code
        . we now use snprintf() instead of sprintf() if available
        . restored limit on auto-invite hostnames from 16 to 64 characters
        . --with-x is now --enable-x

from 3.1.5 to 3.1.6
        . fixed a crash when resizing YTalk in an XTerm
        . fixed a remote-crash format string bug in auto-invite daemon
        . fixed build problems on SunOS
        . fixed --with-x on X.org (broken since 3.1.2)
        . don't even build pty allocation code if system has openpty()
        . made all debugging code strictly optional, add --enable-debug
          to ./configure if you want it

from 3.1.4 to 3.1.5
        . added the prompt-quit patch from Debian again (oops, lost in 3.1.3)
        . we now use openpty() if available to securely allocate ptys
        . fixed a problem with the configure script on Slackware
        . added a missing part of VT100 scrolling support
        . fixed a small memory leak in terminal tab handling
        . some documentation fixes and updates

from 3.1.3 to 3.1.4
        . added "rering all" to main menu (requested by Matthew Vernon in '99)
        . fixed detection of `socklen_t' type on OpenBSD
        . added --with-curses=DIR option to configure script
        . cleaned up the configure script a bit
        . fixed a minor problem with the no-beep mode
        . fixed a minor signed/unsigned issue

from 3.1.2 to 3.1.3
        . maintainer change to Andreas Kling <keso%impul.se@localhost>
        . added support for job control on BSD systems
        . fixed the shell on Tru64 UNIX
        . added terminal tab handling
        . added terminal keypad capabilities
        . added "ignorebreak" mode where ^C is ignored unless running a shell
        . added "beeps" to the .ytalkrc flag collection (applies to all beeps)
        . added internal memory management and tracking
        . restored compatibility with old talk daemons (broken in 3.1.2)
        . restored command line parsing (broken on many systems in 3.1.2)
        . removed debug code that broke terminal raw mode in 3.1.2
        . drop getlogin() for getpwuid()
        . removed logging(?) code

from 3.1.1 to 3.1.2
        . maintainer change to Jessica Peterson <angel%metawire.org@localhost>
        . fixed a possible buffer overflow regarding an oversized $HOME
          when loading the configuration file
        . debug logger added
        . X support isn't compiled as default anymore
        . -x command line switch now enables X11 mode instead of disabling it.
        . scrolling is enabled by default
        . applied Debian patches:
          - Now optionally prompts user before quitting (when using -q),
            patch from Colin Watson <cjw44%flatline.org.uk@localhost>
          - Reset handling of SIGCHLD for shells - patch from P. Maragakis
            <Maragakis%mpq.mpg.de@localhost> following hints by Jason Gunthorpe
        . fixed maximum username length to 11 instead of 8
        . upgraded to autoconf 2.59
        . added parsing of long options



>How-To-Repeat:
        
>Fix:

1. Remove patches/patch-ab

2. Apply patch:


3. Update pkg-vulnerabilities

--- pkg-vulnerabilities 2005-01-01 22:26:39.000000000 -0500
+++ /tmp/pkg-vulnerabilities    2005-01-02 12:31:01.000000000 -0500
@@ -851,3 +851,4 @@
 mozilla-gtk2<1.7.5     remote-code-execution   
http://isec.pl/vulnerabilities/isec-0020-mozilla.txt
 cups<1.1.23rc1         remote-code-execution   
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125
+ytalk<3.2.0            remote-code-execution   unpublished
 #CHECKSUM SHA1 54ac648f1a581049708d0cc79205af08e638b681
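Review bot: the `#CHECKSUM SHA1 54ac648f...` trailer is carried as unchanged context while a new entry is inserted above it, so once this hunk is applied the recorded checksum no longer matches the content it covers; the checksum line needs to be regenerated as part of the same change. Also, the neighbouring `mozilla-gtk2` and `cups` entries carry a reference URL in the third column whereas the new `ytalk<3.2.0` entry says `unpublished`, which gives anyone auditing the package nothing to follow up; replace it with a reference (an advisory or this PR) as soon as one is available.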

>Unformatted:
        
        
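The sprintf()-to-snprintf() change in the 3.2.0 changelog above, as an added C example that is not ytalk's code: a hypothetical auto-invite formatter that bounds the remote-supplied hostname at the 64 characters the changelog mentions and treats snprintf() truncation as an error rather than silently accepting it. The function name and message layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ytalk's code. The 64-character hostname limit is
 * taken from the 3.2.0 changelog; the message layout is assumed. */
#define HOSTNAME_MAX 64
#define INVITE_MAX   128

/* Pre-3.2.0 pattern: sprintf(out, "%s@%s wants to talk", user, host)
 * writes without any bound, so an over-long hostname from the network
 * overruns 'out'. That pattern is deliberately not used below. */

/* Hardened form: length check first, then snprintf() with its return
 * value inspected. Returns the number of characters written, or -1 when
 * the input would not fit (truncation is an error, not a success). */
int format_invite(char *out, size_t outlen, const char *user, const char *host)
{
    if (strlen(host) > HOSTNAME_MAX)
        return -1;                      /* reject before formatting */
    int n = snprintf(out, outlen, "%s@%s wants to talk", user, host);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';              /* leave nothing half-written */
        return -1;
    }
    return n;
}

/* Exercises the rejection path with a constructed over-long hostname
 * (HOSTNAME_MAX + 7 characters). Returns 1 when it is refused. */
int invite_rejects_long_host(void)
{
    char host[HOSTNAME_MAX + 8];
    char buf[INVITE_MAX];
    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    return format_invite(buf, sizeof buf, "alice", host) == -1;
}

int main(void)
{
    char buf[INVITE_MAX];
    int n = format_invite(buf, sizeof buf, "alice", "ack.example");
    printf("%d: %s\n", n, buf);
    printf("long host rejected: %d\n", invite_rejects_long_host());
    return 0;
}
```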


