[pkgsrc/pkgsrc-2005Q3]: pkgsrc/net/ethereal Pullup ticket 950 - requested by ...

[snj <snj%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/f18e81cce7cc
branches:  pkgsrc-2005Q3
changeset: 499737:f18e81cce7cc
user:      snj <snj%pkgsrc.org@localhost>
date:      Sat Dec 10 23:40:57 2005 +0000

description:
Pullup ticket 950 - requested by Lubomir Sedlacik
security fix for ethereal

Revisions pulled up:
- pkgsrc/net/ethereal/Makefile          1.121
- pkgsrc/net/ethereal/distinfo          1.46
- pkgsrc/net/ethereal/patches/patch-ac  1.5

   Modified Files:
           pkgsrc/net/ethereal: Makefile distinfo
   Added Files:
           pkgsrc/net/ethereal/patches: patch-ac

   Log Message:
   Security fix for CVE-2005-3651:

   "Remote exploitation of an input validation vulnerability in the OSPF
   protocol dissectors within Ethereal, as included in various vendors
   operating system distributions, could allow attackers to crash the
   vulnerable process or potentially execute arbitrary code."

   http://www.idefense.com/application/poi/display?id=349&type=vulnerabilities

   Patch from the Ethereal SVN repository.

diffstat:

 net/ethereal/Makefile         |   4 +-
 net/ethereal/distinfo         |   3 +-
 net/ethereal/patches/patch-ac |  64 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 3 deletions(-)

diffs (94 lines):

diff -r 0bf31dc5a349 -r f18e81cce7cc net/ethereal/Makefile
--- a/net/ethereal/Makefile     Sat Dec 10 22:47:13 2005 +0000
+++ b/net/ethereal/Makefile     Sat Dec 10 23:40:57 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.115.2.2 2005/11/03 13:27:30 salo Exp $
+# $NetBSD: Makefile,v 1.115.2.3 2005/12/10 23:40:57 snj Exp $
 
 DISTNAME=              ethereal-0.10.13
-PKGREVISION=           1
+PKGREVISION=           2
 CATEGORIES=            net
 MASTER_SITES=          http://www.ethereal.com/distribution/ \
                        http://ethereal.planetmirror.com/distribution/ \
diff -r 0bf31dc5a349 -r f18e81cce7cc net/ethereal/distinfo
--- a/net/ethereal/distinfo     Sat Dec 10 22:47:13 2005 +0000
+++ b/net/ethereal/distinfo     Sat Dec 10 23:40:57 2005 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.42.2.2 2005/11/03 13:27:30 salo Exp $
+$NetBSD: distinfo,v 1.42.2.3 2005/12/10 23:40:58 snj Exp $
 
 SHA1 (ethereal-0.10.13.tar.bz2) = 4ed2014a1ede6bdb05fbe99b0469a030c7794a13
 RMD160 (ethereal-0.10.13.tar.bz2) = 54f6431ac2d807e0d7dd896af71463d340c66107
 Size (ethereal-0.10.13.tar.bz2) = 8029087 bytes
 SHA1 (patch-aa) = 0513b971c0af032fc64fc181fbd64d78aef0d044
 SHA1 (patch-ab) = bfbefb0ae66607068e21d0912a15a72606ab8ea8
+SHA1 (patch-ac) = 101cbc6315b2ad9732b70d697295ad8e4a389dcd
diff -r 0bf31dc5a349 -r f18e81cce7cc net/ethereal/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/net/ethereal/patches/patch-ac     Sat Dec 10 23:40:57 2005 +0000
@@ -0,0 +1,64 @@
+$NetBSD: patch-ac,v 1.3.2.2 2005/12/10 23:40:58 snj Exp $
+
+Security fix for CVE-2005-3651, from Ethereal SVN tree.
+
+--- epan/dissectors/packet-ospf.c.orig 2005-10-10 15:23:02.000000000 +0200
++++ epan/dissectors/packet-ospf.c      2005-12-10 21:40:23.000000000 +0100
+@@ -2321,39 +2321,28 @@
+ static void dissect_ospf_v3_address_prefix(tvbuff_t *tvb, int offset, int prefix_length, proto_tree *tree)
+ {
+ 
+-    guint8 value;
+-    guint8 position;
+-    guint8 bufpos;
+-    gchar  *buffer;
+-    gchar  *bytebuf;
+-    guint8 bytes_to_process;
+-    int start_offset;
+-
+-    start_offset=offset;
+-    position=0;
+-    bufpos=0;
+-    bytes_to_process=((prefix_length+31)/32)*4;
+-
+-    buffer=ep_alloc(32+7);
+-    while (bytes_to_process > 0 ) {
+-
+-        value=tvb_get_guint8(tvb, offset);
++    int bytes_to_process;
++    struct e_in6_addr prefix;
+ 
+-        if ( (position > 0) && ( (position%2) == 0 ) )
+-          buffer[bufpos++]=':';
++    bytes_to_process=((prefix_length+31)/32)*4;
+ 
+-      bytebuf=ep_alloc(3);
+-        g_snprintf(bytebuf, 3, "%02x",value);
+-        buffer[bufpos++]=bytebuf[0];
+-        buffer[bufpos++]=bytebuf[1];
+-
+-      position++;
+-      offset++;
+-        bytes_to_process--;
++    if (prefix_length > 128) {
++        proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++            "Address Prefix: length is invalid (%d, should be <= 128)",
++            prefix_length);
++        return;
+     }
+ 
+-    buffer[bufpos]=0;
+-    proto_tree_add_text(tree, tvb, start_offset, ((prefix_length+31)/32)*4, "Address Prefix: %s",buffer);
++    memset(prefix.bytes, 0, sizeof prefix.bytes);
++    if (bytes_to_process != 0) {
++        tvb_memcpy(tvb, prefix.bytes, offset, bytes_to_process);
++        if (prefix_length % 8) {
++            prefix.bytes[bytes_to_process - 1] &=
++                ((0xff00 >> (prefix_length % 8)) & 0xff);
++        }
++    }
++    proto_tree_add_text(tree, tvb, offset, bytes_to_process,
++        "Address Prefix: %s", ip6_to_str(&prefix));
+ 
+ }
+