pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/games/xboing strcpy and sprintf are evil, don't use th...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d22562781a0a
branches:  trunk
changeset: 469764:d22562781a0a
user:      snj <snj%pkgsrc.org@localhost>
date:      Sat Feb 28 18:36:38 2004 +0000

description:
strcpy and sprintf are evil, don't use them.  Inspired by similar changes
in Debian.  This fixes several locally exploitable vulnerabilities.

diffstat:

 games/xboing/Makefile         |   4 +-
 games/xboing/distinfo         |   9 ++++++-
 games/xboing/patches/patch-ad |  48 +++++++++++++++++++++++++++++++++++++++--
 games/xboing/patches/patch-ae |  13 +++++++++++
 games/xboing/patches/patch-af |  31 +++++++++++++++++++++++++++
 games/xboing/patches/patch-ag |  49 +++++++++++++++++++++++++++++++++++++++++++
 games/xboing/patches/patch-ah |  13 +++++++++++
 games/xboing/patches/patch-ai |  13 +++++++++++
 8 files changed, 173 insertions(+), 7 deletions(-)

diffs (233 lines):

diff -r 912e1ac2c434 -r d22562781a0a games/xboing/Makefile
--- a/games/xboing/Makefile     Sat Feb 28 18:32:39 2004 +0000
+++ b/games/xboing/Makefile     Sat Feb 28 18:36:38 2004 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.12 2004/01/20 12:15:41 agc Exp $
+# $NetBSD: Makefile,v 1.13 2004/02/28 18:36:38 snj Exp $
 #
 
 DISTNAME=              xboing2.4
 PKGNAME=               xboing-2.4
-PKGREVISION=           1
+PKGREVISION=           2
 CATEGORIES=            games x11
 MASTER_SITES=          ${MASTER_SITE_XCONTRIB:=games/}
 
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/distinfo
--- a/games/xboing/distinfo     Sat Feb 28 18:32:39 2004 +0000
+++ b/games/xboing/distinfo     Sat Feb 28 18:36:38 2004 +0000
@@ -1,8 +1,13 @@
-$NetBSD: distinfo,v 1.5 2002/09/23 10:21:19 jlam Exp $
+$NetBSD: distinfo,v 1.6 2004/02/28 18:36:38 snj Exp $
 
 SHA1 (xboing2.4.tar.gz) = 57fad37ab99e6a3ff87ff814d0de1baad3b93b91
 Size (xboing2.4.tar.gz) = 588811 bytes
 SHA1 (patch-aa) = 7236098cd0f15f38e6d20947ecb5efe8c8e6c1b0
 SHA1 (patch-ab) = 94b232e173ad7bb39e37d4287669bd0842ef5610
 SHA1 (patch-ac) = c8b7d1b323be04c2456768eabf24da43707c4b98
-SHA1 (patch-ad) = 1bb064fda1baebd314e0d65703e7775e9072f43b
+SHA1 (patch-ad) = 444331ce4cbca8e291331bc3d5e698e9f01d8f6e
+SHA1 (patch-ae) = 99ce1073635a0d9c34e8d53882a5c9d0c9e89a92
+SHA1 (patch-af) = 3abd5e5eabbaac9eeb6496529038f67aac176b76
+SHA1 (patch-ag) = 0488a63bdac3074c0305b05456468c266232f81c
+SHA1 (patch-ah) = ba161ff2b28359e9406b7f104fd58bad4c234a6f
+SHA1 (patch-ai) = 1a87732ac9cf06fa107060bd07488a22108da193
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/patches/patch-ad
--- a/games/xboing/patches/patch-ad     Sat Feb 28 18:32:39 2004 +0000
+++ b/games/xboing/patches/patch-ad     Sat Feb 28 18:36:38 2004 +0000
@@ -1,7 +1,7 @@
-$NetBSD: patch-ad,v 1.1 2002/07/15 09:01:43 wiz Exp $
+$NetBSD: patch-ad,v 1.2 2004/02/28 18:36:38 snj Exp $
 
---- highscore.c.orig   Fri Nov 22 02:28:46 1996
-+++ highscore.c
+--- highscore.c.orig   1996-11-21 17:28:46.000000000 -0800
++++ highscore.c        2004-02-28 10:27:07.000000000 -0800
 @@ -54,6 +54,9 @@
  #include <unistd.h>
  #include <time.h>
@@ -12,3 +12,45 @@
  #include <sys/param.h>
  #include <X11/Xlib.h>
  #include <X11/Xutil.h>
+@@ -1022,9 +1025,10 @@ int ReadHighScoreTable(type)
+       if (type == GLOBAL)
+       {
+               /* Use the environment variable if it exists */
+-              if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-                      strcpy(filename, str);
+-              else
++              if ((str = getenv("XBOING_SCORE_FILE")) != NULL) {
++                      strncpy(filename, str, sizeof(filename)-1);
++                      filename[sizeof(filename)-1] = '\0';
++              } else
+                       strcpy(filename, HIGH_SCORE_FILE);
+       }
+       else
+@@ -1094,9 +1098,10 @@ int WriteHighScoreTable(type)
+       if (type == GLOBAL)
+       {
+               /* Use the environment variable if it exists */
+-              if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-                      strcpy(filename, str);
+-              else
++              if ((str = getenv("XBOING_SCORE_FILE")) != NULL) {
++                      strncpy(filename, str, sizeof(filename)-1);
++                      filename[sizeof(filename)-1] = '\0';
++              } else
+                       strcpy(filename, HIGH_SCORE_FILE);
+       }       
+       else
+@@ -1217,9 +1222,10 @@ static int LockUnlock(cmd)
+ 
+ 
+       /* Use the environment variable if it exists */
+-      if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-              strcpy(filename, str);
+-      else
++      if ((str = getenv("XBOING_SCORE_FILE")) != NULL) {
++              strncpy(filename, str, sizeof(filename)-1);
++              filename[sizeof(filename)-1] = '\0';
++      } else
+               strcpy(filename, HIGH_SCORE_FILE);
+ 
+       /* Open the highscore file for both read & write */
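Review bot: An over-long XBOING_SCORE_FILE is now silently cut to `sizeof(filename)-1` bytes in ReadHighScoreTable, WriteHighScoreTable and LockUnlock, so the game goes on to read, write and lock a path the user never named instead of reporting the problem. Checking the length first and falling back to the default would be safer, e.g. `if ((str = getenv("XBOING_SCORE_FILE")) != NULL && strlen(str) < sizeof(filename)) {` ahead of the copy, which leaves the existing `else` branch to supply HIGH_SCORE_FILE. The snprintf calls added in patch-ae, patch-af, patch-ag and patch-ai have the same gap: the return value is discarded, so a truncated `levelPath` is used as if it were complete, and in SaveCurrentGame it is passed to `fopen(levelPath, "w+")`. Comparing the result against `sizeof(levelPath)` would catch that. All of these functions continue outside the hunks shown.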
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/games/xboing/patches/patch-ae     Sat Feb 28 18:36:38 2004 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ae,v 1.1 2004/02/28 18:36:38 snj Exp $
+
+--- demo.c.orig        2004-02-28 10:06:20.000000000 -0800
++++ demo.c     2004-02-28 10:06:41.000000000 -0800
+@@ -154,7 +154,7 @@ static void DoBlocks(display, window)
+ 
+     /* Construct the demo level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/demo.data", str);
++        snprintf(levelPath, sizeof(levelPath), "%s/demo.data", str);
+     else
+         sprintf(levelPath, "%s/demo.data", LEVEL_INSTALL_DIR);
+ 
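Review bot: The `else` branch still uses the unbounded `sprintf(levelPath, "%s/demo.data", LEVEL_INSTALL_DIR)`. LEVEL_INSTALL_DIR appears to be a build-time constant rather than user input, so this is not the overflow the commit targets, but a long install prefix could still exceed `levelPath` (its size is not visible in this hunk), and mixing bounded and unbounded calls makes the code harder to audit. I would convert it as well: `snprintf(levelPath, sizeof(levelPath), "%s/demo.data", LEVEL_INSTALL_DIR);`. The same leftover appears in the else branches of patch-af, patch-ag (SetupStage) and patch-ai, and as `strcpy(filename, HIGH_SCORE_FILE)` in patch-ad.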
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/games/xboing/patches/patch-af     Sat Feb 28 18:36:38 2004 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-af,v 1.1 2004/02/28 18:36:38 snj Exp $
+
+--- editor.c.orig      2004-02-28 10:06:52.000000000 -0800
++++ editor.c   2004-02-28 10:10:24.000000000 -0800
+@@ -213,7 +213,7 @@ static void DoLoadLevel(display, window)
+ 
+     /* Construct the Edit level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/editor.data", str);
++        snprintf(levelPath, sizeof(levelPath), "%s/editor.data", str);
+     else
+         sprintf(levelPath, "%s/editor.data", LEVEL_INSTALL_DIR);
+ 
+@@ -959,7 +959,7 @@ static void LoadALevel(display)
+     {
+           /* Construct the Edit level filename */
+               if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+-              sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
++              snprintf(levelPath, sizeof(levelPath), "%s/level%02ld.data", str2, (u_long) num);
+       else
+               sprintf(levelPath, "%s/level%02ld.data", 
+                               LEVEL_INSTALL_DIR, (u_long) num);
+@@ -1019,7 +1019,7 @@ static void SaveALevel(display)
+     {
+           /* Construct the Edit level filename */
+               if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+-              sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
++              snprintf(levelPath, sizeof(levelPath), "%s/level%02ld.data", str2, (u_long) num);
+       else
+               sprintf(levelPath, "%s/level%02ld.data", 
+                               LEVEL_INSTALL_DIR, (u_long) num);
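Review bot: In LoadALevel and SaveALevel the new snprintf lines keep the `%02ld` conversion while passing `(u_long) num`, so a signed conversion is paired with an unsigned argument. Either `%02lu` with the existing cast or `(long) num` with the existing format would make the two agree, e.g. `snprintf(levelPath, sizeof(levelPath), "%s/level%02lu.data", str2, (u_long) num);`. The untouched sprintf in each else branch has the same mismatch. Both function bodies extend beyond the hunks.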
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/games/xboing/patches/patch-ag     Sat Feb 28 18:36:38 2004 +0000
@@ -0,0 +1,49 @@
+$NetBSD: patch-ag,v 1.1 2004/02/28 18:36:38 snj Exp $
+
+--- file.c.orig        2004-02-28 10:10:55.000000000 -0800
++++ file.c     2004-02-28 10:12:50.000000000 -0800
+@@ -139,7 +139,7 @@ void SetupStage(display, window)
+ 
+     /* Construct the level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/level%02ld.data", str, newLevel);
++        snprintf(levelPath, sizeof(levelPath), "%s/level%02ld.data", str, newLevel);
+     else
+         sprintf(levelPath, "%s/level%02ld.data", LEVEL_INSTALL_DIR, newLevel);
+ 
+@@ -177,7 +177,7 @@ int LoadSavedGame(display, window)
+     static int bgrnd = 1;
+ 
+       /* Save the file in home directory - construct path */
+-      sprintf(levelPath, "%s/.xboing-saveinfo", GetHomeDir());
++      snprintf(levelPath, sizeof(levelPath), "%s/.xboing-saveinfo", GetHomeDir());
+ 
+     /* Open the save file info for reading */
+     if ((saveFile = fopen(levelPath, "r+")) == NULL)
+@@ -239,7 +239,7 @@ int LoadSavedGame(display, window)
+     DisplayLevelInfo(display, levelWindow, level);
+ 
+       /* Load the saved file in home directory - construct path */
+-      sprintf(levelPath, "%s/.xboing-savelevel", GetHomeDir());
++      snprintf(levelPath, sizeof(levelPath), "%s/.xboing-savelevel", GetHomeDir());
+ 
+       /* Read in the saved level data */
+     if (ReadNextLevel(display, window, levelPath, True) == False)
+@@ -283,7 +283,7 @@ int SaveCurrentGame(display, window)
+       saveGame.numBullets     = GetNumberBullets();
+ 
+       /* Save the file in home directory - construct path */
+-      sprintf(levelPath, "%s/.xboing-saveinfo", GetHomeDir());
++      snprintf(levelPath, sizeof(levelPath), "%s/.xboing-saveinfo", GetHomeDir());
+ 
+     /* Open the save file info for writing */
+     if ((saveFile = fopen(levelPath, "w+")) == NULL)
+@@ -309,7 +309,7 @@ int SaveCurrentGame(display, window)
+       WarningMessage("Cannot close save game info file.");
+ 
+       /* Save the file in home directory - construct path */
+-      sprintf(levelPath, "%s/.xboing-savelevel", GetHomeDir());
++      snprintf(levelPath, sizeof(levelPath), "%s/.xboing-savelevel", GetHomeDir());
+ 
+       if (SaveLevelDataFile(display, levelPath) == True)
+       {
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/patches/patch-ah
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/games/xboing/patches/patch-ah     Sat Feb 28 18:36:38 2004 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ah,v 1.1 2004/02/28 18:36:38 snj Exp $
+
+--- init.c.orig        2004-02-28 10:13:29.000000000 -0800
++++ init.c     2004-02-28 10:14:17.000000000 -0800
+@@ -438,7 +438,7 @@ static void HandleDisplayErrors(displayN
+               WarningMessage("Your X Window system display variable is not set.");
+       else
+       {
+-              sprintf(string, "Cannot connect to display called <%s>.", displayName);
++              snprintf(string, sizeof(string), "Cannot connect to display called <%s>.", displayName);
+               WarningMessage(string);
+       }
+ }
diff -r 912e1ac2c434 -r d22562781a0a games/xboing/patches/patch-ai
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/games/xboing/patches/patch-ai     Sat Feb 28 18:36:38 2004 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ai,v 1.1 2004/02/28 18:36:38 snj Exp $
+
+--- preview.c.orig     2004-02-28 10:19:15.000000000 -0800
++++ preview.c  2004-02-28 10:19:31.000000000 -0800
+@@ -139,7 +139,7 @@ static void DoLoadLevel(display, window)
+ 
+     /* Construct the Preview level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/level%02d.data", str, lnum);
++        snprintf(levelPath, sizeof(levelPath), "%s/level%02d.data", str, lnum);
+     else
+         sprintf(levelPath, "%s/level%02d.data", LEVEL_INSTALL_DIR, lnum);
+ 


