3f08af39e0
which officially fixes the setuid security exploit by the vendors. Additionally, from the PR: * adds in distribution patches to allow it to interoperate with libtiff-3.5.5 (the current version in the ports tree), and replaces an original FreeBSD patch. * includes security patches (replacements of 'strcpy' and 'sprintf', primarily), mostly based on patches originally submitted by Alex Langer [1] for 4.0pl2 and not yet committed, although some new work was done too. [1] I don't think that these were my patches but those submitted by John Holland <john@zoner.org> in PR 19180. * Fixes some issues with the configure/setup scripts introduced since the previous version. * Additionally, original FreeBSD patches from 4.0pl2 were merged in where they were not addressed by anything else. (except the I18N patch, sorry). I removed the FORBIDDEN line since there are at least no obvious security concerns left. PR: 19237 Submitted by: Andy Sparrow <andy@geek4food.org>
diff -ruN util/Class2Params.c++.orig util/Class2Params.c++
|
|
--- util/Class2Params.c++.orig Sun Jun 13 00:41:19 1999
|
|
+++ util/Class2Params.c++ Mon Jun 12 21:52:43 2000
|
|
@@ -59,14 +59,15 @@
|
|
}
|
|
|
|
static char*
|
|
-addParam(char* cp, u_int v)
|
|
+addParam(char* cp, u_int v, int *maxn)
|
|
{
|
|
if (v != (u_int)-1) {
|
|
- sprintf(cp, ",%u", v);
|
|
- while (*cp != '\0') cp++;
|
|
+ snprintf(cp, *maxn, ",%u", v);
|
|
+ while (*cp != '\0') { cp++; (*maxn)++; }
|
|
} else {
|
|
*cp++ = ',';
|
|
*cp = '\0';
|
|
+ (*maxn)++;
|
|
}
|
|
return (cp);
|
|
}
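Review bot: `(*maxn)++` on the two added lines runs the wrong way: `maxn` is the remaining capacity handed to snprintf, the caller in the next hunk decrements its `n` as `cp` advances, and incrementing it here makes the bound grow as the buffer fills, so the size passed to each later snprintf overstates the space actually left. Both lines should read `(*maxn)--`, i.e. `while (*cp != '\0') { cp++; (*maxn)--; }` and `(*maxn)--;` in the else branch. The else branch also stores two bytes without consulting `*maxn` at all, so after a truncated snprintf has left one byte of room the sentinel `','` and its terminator land one past the end of the caller's buffer; guarding it with `} else if (*maxn >= 2) {` keeps that case in bounds. With the decrement in place a truncated snprintf leaves `*maxn` at 1, so later calls write only the terminator and the helper stays safe.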
|
|
@@ -76,18 +77,19 @@
|
|
{
|
|
char buf[1024];
|
|
char* cp = buf;
|
|
+ int n = sizeof(buf);
|
|
|
|
if (vr != (u_int) -1) {
|
|
- sprintf(cp, "%u", vr);
|
|
- while (*cp != '\0') cp++;
|
|
+ snprintf(cp, n, "%u", vr);
|
|
+ while (*cp != '\0') { cp++; n--; }
|
|
}
|
|
- cp = addParam(cp, br);
|
|
- cp = addParam(cp, wd);
|
|
- cp = addParam(cp, ln);
|
|
- cp = addParam(cp, df);
|
|
- cp = addParam(cp, ec);
|
|
- cp = addParam(cp, bf);
|
|
- cp = addParam(cp, st);
|
|
+ cp = addParam(cp, br, &n);
|
|
+ cp = addParam(cp, wd, &n);
|
|
+ cp = addParam(cp, ln, &n);
|
|
+ cp = addParam(cp, df, &n);
|
|
+ cp = addParam(cp, ec, &n);
|
|
+ cp = addParam(cp, bf, &n);
|
|
+ cp = addParam(cp, st, &n);
|
|
return fxStr(buf);
|
|
}
|
|
|
|
diff -ruN util/FaxClient.c++.orig util/FaxClient.c++
|
|
--- util/FaxClient.c++.orig Thu Jun 17 04:05:38 1999
|
|
+++ util/FaxClient.c++ Mon Jun 12 21:52:43 2000
|
|
@@ -623,7 +623,7 @@
|
|
traceServer("-> ADMIN XXXX");
|
|
} else {
|
|
char buf[128];
|
|
- sprintf(buf, "-> %s", fmt);
|
|
+ snprintf(buf, sizeof(buf), "-> %s", fmt);
|
|
vtraceServer(buf, ap);
|
|
}
|
|
}
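Review bot: The possibly truncated copy in `buf` is still passed to `vtraceServer` as a format string, so when `fmt` is longer than 125 bytes the cut can fall inside a conversion such as `%s`, leaving a dangling `%` that the underlying vsnprintf-family call then interprets against `ap` with undefined results. Keeping the result of the snprintf and only tracing when it fit, `int len = snprintf(buf, sizeof(buf), "-> %s", fmt);` followed by `if (len >= 0 && (size_t)len < sizeof(buf)) vtraceServer(buf, ap);`, avoids consuming `ap` against a damaged format (a fixed literal could be traced instead in the overflow case). The same pattern is in the SNPPClient.c++ hunk below. The enclosing function starts outside the hunk.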
|
|
diff -ruN util/PageSize.c++.orig util/PageSize.c++
|
|
--- util/PageSize.c++.orig Sun Jun 13 00:41:23 1999
|
|
+++ util/PageSize.c++ Mon Jun 12 21:52:43 2000
|
|
@@ -72,7 +72,7 @@
|
|
PageSizeInfo::readPageInfoFile()
|
|
{
|
|
char file[1024];
|
|
- sprintf(file, "%s/%s", FAX_LIBDATA, FAX_PAGESIZES);
|
|
+ snprintf(file, sizeof(file), "%s/%s", FAX_LIBDATA, FAX_PAGESIZES);
|
|
PageInfoArray* info = new PageInfoArray;
|
|
FILE* fp = fopen(file, "r");
|
|
u_int lineno = 0;
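Review bot: The return value of the new snprintf is dropped, so a FAX_LIBDATA/FAX_PAGESIZES pair longer than 1023 bytes yields a silently shortened path and the `fopen` on the next lines then fails, or opens a different file, with nothing pointing at the cause. Both parts are build-time constants so the exposure is small, but keeping the result and treating `>= (int)sizeof(file)` as a failure of readPageInfoFile makes the assumption explicit; how the `fopen` result is checked is outside this hunk.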
|
|
diff -ruN util/SNPPClient.c++.orig util/SNPPClient.c++
|
|
--- util/SNPPClient.c++.orig Sun Jun 13 00:41:24 1999
|
|
+++ util/SNPPClient.c++ Mon Jun 12 21:52:43 2000
|
|
@@ -638,7 +638,7 @@
|
|
traceServer("-> LOGI XXXX");
|
|
else {
|
|
char buf[128];
|
|
- sprintf(buf, "-> %s", fmt);
|
|
+ snprintf(buf, sizeof(buf), "-> %s", fmt);
|
|
vtraceServer(buf, ap);
|
|
}
|
|
}
|
|
diff -ruN util/StackBuffer.c++.orig util/StackBuffer.c++
|
|
--- util/StackBuffer.c++.orig Fri Jan 1 20:12:43 1999
|
|
+++ util/StackBuffer.c++ Mon Jun 12 21:52:44 2000
|
|
@@ -105,7 +105,7 @@
|
|
fxStackBuffer::vput(const char* fmt, va_list ap)
|
|
{
|
|
char buf[8*1024];
|
|
- vsprintf(buf, fmt, ap);
|
|
+ vsnprintf(buf, sizeof(buf), fmt, ap);
|
|
put(buf);
|
|
}
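Review bot: The return value of `vsnprintf` is ignored, so any message formatted longer than 8191 bytes is now silently cut before `put(buf)`, turning the former overflow into silent data loss in a buffer type that can otherwise keep growing. A two-pass version formats into the stack buffer first and, when the result reports truncation, formats again into an exact-size heap buffer; it needs a copied `va_list` because the first pass consumes `ap`. The sketch below assumes a C99-style vsnprintf that returns the required length and a `va_copy` (`__va_copy` on older compilers); the same concern applies to fxStr::format/vformat in Str.c++.
```cpp
fxStackBuffer::vput(const char* fmt, va_list ap)
{
    char buf[8*1024];
    va_list ap2;
    va_copy(ap2, ap);                       // first pass consumes its va_list
    int len = vsnprintf(buf, sizeof(buf), fmt, ap2);
    va_end(ap2);
    if (len < 0)
        return;                             // encoding error: nothing to append
    if ((size_t)len < sizeof(buf)) {
        put(buf);
        return;
    }
    char* big = new char[(size_t)len + 1];  // oversize message: format again at exact size
    vsnprintf(big, (size_t)len + 1, fmt, ap);
    put(big);
    delete[] big;
}
```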
|
|
|
|
diff -ruN util/Str.c++.orig util/Str.c++
|
|
--- util/Str.c++.orig Sun Jun 13 00:41:25 1999
|
|
+++ util/Str.c++ Mon Jun 12 21:52:44 2000
|
|
@@ -91,7 +91,7 @@
|
|
{
|
|
char buffer[NUMBUFSIZE];
|
|
if (!format) format = "%d";
|
|
- sprintf(buffer,format,a);
|
|
+ snprintf(buffer,sizeof(buffer),format,a);
|
|
slength = strlen(buffer) + 1;
|
|
data = (char*) malloc(slength);
|
|
memcpy(data,buffer,slength);
|
|
@@ -101,7 +101,7 @@
|
|
{
|
|
char buffer[NUMBUFSIZE];
|
|
if (!format) format = "%ld";
|
|
- sprintf(buffer,format,a);
|
|
+ snprintf(buffer,sizeof(buffer),format,a);
|
|
slength = strlen(buffer) + 1;
|
|
data = (char*) malloc(slength);
|
|
memcpy(data,buffer,slength);
|
|
@@ -111,7 +111,7 @@
|
|
{
|
|
char buffer[NUMBUFSIZE];
|
|
if (!format) format = "%g";
|
|
- sprintf(buffer,format,a);
|
|
+ snprintf(buffer,sizeof(buffer),format,a);
|
|
slength = strlen(buffer) + 1;
|
|
fxAssert(slength>1, "Str::Str(float): bogus conversion");
|
|
data = (char*) malloc(slength);
|
|
@@ -122,7 +122,7 @@
|
|
{
|
|
char buffer[NUMBUFSIZE];
|
|
if (!format) format = "%lg";
|
|
- sprintf(buffer,format,a);
|
|
+ snprintf(buffer,sizeof(buffer),format,a);
|
|
slength = strlen(buffer) + 1;
|
|
fxAssert(slength>1, "Str::Str(double): bogus conversion");
|
|
data = (char*) malloc(slength); // XXX assume slength>1
|
|
@@ -141,7 +141,7 @@
|
|
char buf[4096];
|
|
va_list ap;
|
|
va_start(ap, fmt);
|
|
- vsprintf(buf, fmt, ap);
|
|
+ vsnprintf(buf, sizeof(buf), fmt, ap);
|
|
va_end(ap);
|
|
return fxStr(buf);
|
|
}
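Review bot: `fxStr::format` discards the vsnprintf result, so a formatted string above 4095 bytes is now silently truncated before it is copied into the returned fxStr, which has no such length limit itself; the same applies to `vformat` in the next hunk. A cheap first step is to let `format` delegate, `fxStr s = vformat(fmt, ap); va_end(ap); return s;`, so the limit lives in one place, and then to have `vformat` re-run vsnprintf on a copied va_list into an exact-size heap buffer when the 4096-byte stack buffer reports truncation. The function's signature is outside the hunk.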
|
|
@@ -150,7 +150,7 @@
|
|
fxStr::vformat(const char* fmt, va_list ap)
|
|
{
|
|
char buf[4096];
|
|
- vsprintf(buf, fmt, ap);
|
|
+ vsnprintf(buf, sizeof(buf), fmt, ap);
|
|
return fxStr(buf);
|
|
}
|
|
|
|
diff -ruN util/Str.h.orig util/Str.h
|
|
--- util/Str.h.orig Sun Jun 13 00:41:25 1999
|
|
+++ util/Str.h Mon Jun 12 21:52:44 2000
|
|
@@ -93,8 +93,8 @@
|
|
fxStr(const fxTempStr&);
|
|
~fxStr();
|
|
|
|
- static fxStr format(const char* fmt ...); // sprintf sort of
|
|
- static fxStr vformat(const char* fmt, va_list ap); // vsprintf sort of
|
|
+ static fxStr format(const char* fmt ...); // snprintf sort of
|
|
+ static fxStr vformat(const char* fmt, va_list ap); // vsnprintf sort of
|
|
static fxStr null; // null string for general use
|
|
/////////////////////////////////////////////////////
|
|
u_long hash() const;
|
|
diff -ruN util/faxadduser.c.orig util/faxadduser.c
|
|
--- util/faxadduser.c.orig Wed Aug 11 04:59:28 1999
|
|
+++ util/faxadduser.c Mon Jun 12 21:52:44 2000
|
|
@@ -81,7 +81,7 @@
|
|
}
|
|
hf = fopen(hostfile, "a+");
|
|
if (hf == NULL) {
|
|
- sprintf(buff, "Error - cannot open hosts file: %s", hostfile);
|
|
+ snprintf(buff, sizeof(buff), "Error - cannot open hosts file: %s", hostfile);
|
|
perror(buff);
|
|
return 0;
|
|
}
|
|
diff -ruN util/faxconfig.c.orig util/faxconfig.c
|
|
--- util/faxconfig.c.orig Fri Jan 1 20:04:28 1999
|
|
+++ util/faxconfig.c Mon Jun 12 21:52:45 2000
|
|
@@ -81,12 +81,12 @@
|
|
}
|
|
if (devid != NULL) {
|
|
if (devid[0] == FAX_FIFO[0])
|
|
- strcpy(fifoname, devid);
|
|
+ strlcpy(fifoname, devid, sizeof(fifoname));
|
|
else
|
|
- sprintf(fifoname, "%s.%.*s", FAX_FIFO,
|
|
+ snprintf(fifoname, sizeof(fifoname), "%s.%.*s", FAX_FIFO,
|
|
sizeof (fifoname) - sizeof (FAX_FIFO), devid);
|
|
} else
|
|
- strcpy(fifoname, FAX_FIFO);
|
|
+ strlcpy(fifoname, FAX_FIFO, sizeof(fifoname));
|
|
for (cp = fifoname; cp = strchr(cp, '/'); *cp++ = '_')
|
|
;
|
|
if (chdir(spooldir) < 0)
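Review bot: The `%.*s` precision argument on the continuation line, `sizeof (fifoname) - sizeof (FAX_FIFO)`, is a `size_t`, but `*` requires an `int`; passing the wrong type through a variadic format is undefined behaviour and on LP64 targets can hand snprintf an unrelated value as the precision (pre-existing, but the commit rewrote this call). Cast it: `(int)(sizeof (fifoname) - sizeof (FAX_FIFO)), devid);`. The same expression appears in the faxmsg.c and faxstate.c fifoname hunks. Separately, neither `strlcpy` return is examined, so a device id longer than `fifoname` is silently shortened and the program goes on to open a FIFO with a different name than the one requested; a check such as `if (strlcpy(fifoname, devid, sizeof(fifoname)) >= sizeof(fifoname)) fatal("device name too long: %s", devid);` turns that into a clear failure, and the same holds for the strlcpy calls in faxmodem.c, faxmsg.c and faxstate.c.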
|
|
@@ -99,6 +99,8 @@
|
|
do {
|
|
int quote;
|
|
char *cmd;
|
|
+ int len;
|
|
+
|
|
|
|
if (argc - optind < 2)
|
|
fatal("Missing value for \"%s\" parameter.\n", argv[optind]);
|
|
@@ -109,12 +111,13 @@
|
|
quote = (*cp != '\0');
|
|
} else
|
|
quote = 1;
|
|
- cmd = malloc(strlen(argv[optind])+strlen(argv[optind+1])+10);
|
|
+ len = strlen(argv[optind])+strlen(argv[optind+1])+10;
|
|
+ cmd = malloc(len);
|
|
if (quote)
|
|
- sprintf(cmd, "C%s%s:\"%s\"",
|
|
+ snprintf(cmd, len, "C%s%s:\"%s\"",
|
|
isQueuer ? ":" : "", argv[optind], argv[optind+1]);
|
|
else
|
|
- sprintf(cmd, "C%s%s:%s",
|
|
+ snprintf(cmd, len, "C%s%s:%s",
|
|
isQueuer ? ":" : "", argv[optind], argv[optind+1]);
|
|
if (write(fifo, cmd, strlen(cmd)) != strlen(cmd))
|
|
fatal("%s: FIFO write failed for command (%s)",
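Review bot: `cmd = malloc(len);` is still unchecked, and the snprintf that follows writes through a null pointer if allocation fails; add `if (cmd == NULL) fatal("out of memory");` right after it, fatal being the error path this file already uses. `len` also collects a sum of `strlen` results into an `int`; declaring it `size_t len;` (in the previous hunk) matches the type that malloc and snprintf take and avoids a narrowing conversion. Whether `cmd` is freed at the end of each loop iteration is outside the hunk.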
|
|
diff -ruN util/faxdeluser.c.orig util/faxdeluser.c
|
|
--- util/faxdeluser.c.orig Thu Aug 5 02:46:06 1999
|
|
+++ util/faxdeluser.c Mon Jun 12 21:52:45 2000
|
|
@@ -64,14 +64,14 @@
|
|
}
|
|
}
|
|
if ((hf = fopen(hostfile, "r+")) == NULL) {
|
|
- sprintf(buff, "Error - cannot open file: %s", hostfile);
|
|
+ snprintf(buff, sizeof(buff), "Error - cannot open file: %s", hostfile);
|
|
perror(buff);
|
|
return 0;
|
|
}
|
|
- sprintf(newhostfile, "%s.%i", hostfile, (int)getpid());
|
|
+ snprintf(newhostfile, sizeof(newhostfile), "%s.%i", hostfile, (int)getpid());
|
|
fd = open(newhostfile, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
|
|
if (fd == -1) {
|
|
- sprintf(buff, "Error cannot open file %s", newhostfile);
|
|
+ snprintf(buff, sizeof(buff), "Error cannot open file %s", newhostfile);
|
|
perror(buff);
|
|
return 0;
|
|
}
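Review bot: The snprintf building `newhostfile` ignores its return, so when `hostfile` is long enough to fill the buffer the `.pid` suffix is cut and the `O_EXCL` create targets a truncated name, which either fails confusingly or is refused because that unrelated name exists even though the intended temporary name was free. Comparing the result against `sizeof(newhostfile)` before the `open` and reporting with the same perror/`return 0` pattern the hunk uses keeps the temp-file step honest; `O_CREAT | O_EXCL` with `S_IRUSR | S_IWUSR` is the right way to create it.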
|
|
@@ -87,7 +87,7 @@
|
|
}
|
|
if (!skip) {
|
|
if (write(fd, buff, strlen(buff)) == -1) {
|
|
- sprintf(buff, "Error writing to file %s", newhostfile);
|
|
+ snprintf(buff, sizeof(buff), "Error writing to file %s", newhostfile);
|
|
perror(buff);
|
|
return 0;
|
|
}
|
|
diff -ruN util/faxmodem.c.orig util/faxmodem.c
|
|
--- util/faxmodem.c.orig Fri Jan 1 20:04:28 1999
|
|
+++ util/faxmodem.c Mon Jun 12 21:52:45 2000
|
|
@@ -243,9 +243,9 @@
|
|
if (optind != argc-1)
|
|
fatal("Missing modem device.\nusage: %s %s modem", argv[0], usage);
|
|
if (strncmp(argv[optind], _PATH_DEV, strlen(_PATH_DEV)) == 0)
|
|
- strcpy(devname, argv[optind]+strlen(_PATH_DEV));
|
|
+ strlcpy(devname, argv[optind]+strlen(_PATH_DEV), sizeof(devname));
|
|
else
|
|
- strcpy(devname, argv[optind]);
|
|
+ strlcpy(devname, argv[optind], sizeof(devname));
|
|
for (cp = devname; cp = strchr(cp, '/'); *cp++ = '_')
|
|
;
|
|
if (chdir(spooldir) < 0)
|
|
@@ -254,9 +254,10 @@
|
|
if (fifo < 0)
|
|
fatal("%s: open: %s", FAX_FIFO, strerror(errno));
|
|
if (priority != -1)
|
|
- sprintf(cmd, "+%s:R%c%08x:%x", devname, canpoll, caps, priority);
|
|
+ snprintf(cmd, sizeof(cmd), "+%s:R%c%08x:%x", devname, canpoll, caps,
|
|
+ priority);
|
|
else
|
|
- sprintf(cmd, "+%s:R%c%08x", devname, canpoll, caps);
|
|
+ snprintf(cmd, sizeof(cmd), "+%s:R%c%08x", devname, canpoll, caps);
|
|
if (write(fifo, cmd, strlen(cmd)) != strlen(cmd))
|
|
fatal("%s: FIFO write failed for command (%s)",
|
|
argv[0], strerror(errno));
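Review bot: Each new snprintf into `cmd` discards its return value, so a command that does not fit is cut short and the following `write(fifo, cmd, strlen(cmd))` delivers the truncated text to the queuer FIFO as if it were complete, and a queuer parsing `+dev:Rc...:p` may then act on something other than what was asked. Keep the length and refuse to send on overflow, e.g. `int len = snprintf(cmd, sizeof(cmd), "+%s:R%c%08x", devname, canpoll, caps);` followed by `if (len < 0 || (size_t)len >= sizeof(cmd)) fatal("command too long for FIFO");`. The same unchecked pattern is in the faxmsg.c command hunk (`snprintf(cmd, sizeof(cmd), cmdfmt, arg)`) and both faxstate.c command hunks; the declaration of `cmd` is outside this hunk.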
|
|
diff -ruN util/faxmsg.c.orig util/faxmsg.c
|
|
--- util/faxmsg.c.orig Fri Jan 1 20:04:28 1999
|
|
+++ util/faxmsg.c Mon Jun 12 21:52:45 2000
|
|
@@ -108,12 +108,12 @@
|
|
}
|
|
if (optind == argc-1) {
|
|
if (argv[optind][0] == FAX_FIFO[0])
|
|
- strcpy(fifoname, argv[optind]);
|
|
+ strlcpy(fifoname, argv[optind], sizeof(fifoname));
|
|
else
|
|
- sprintf(fifoname, "%s.%.*s", FAX_FIFO,
|
|
+ snprintf(fifoname, sizeof(fifoname), "%s.%.*s", FAX_FIFO,
|
|
sizeof (fifoname) - sizeof (FAX_FIFO), argv[optind]);
|
|
} else if (!modemRequired) {
|
|
- strcpy(fifoname, FAX_FIFO);
|
|
+ strlcpy(fifoname, FAX_FIFO, sizeof(fifoname));
|
|
} else
|
|
fatal("usage: %s %s", argv[0], usage);
|
|
for (cp = fifoname; cp = strchr(cp, '/'); *cp++ = '_')
|
|
@@ -123,7 +123,7 @@
|
|
fifo = open(fifoname, O_WRONLY|O_NDELAY);
|
|
if (fifo < 0)
|
|
fatal("%s: open: %s", fifoname, strerror(errno));
|
|
- sprintf(cmd, cmdfmt, arg);
|
|
+ snprintf(cmd, sizeof(cmd), cmdfmt, arg);
|
|
if (write(fifo, cmd, strlen(cmd)) != strlen(cmd))
|
|
fatal("FIFO write failed for command (%s)", strerror(errno));
|
|
(void) close(fifo);
|
|
diff -ruN util/faxstate.c.orig util/faxstate.c
|
|
--- util/faxstate.c.orig Fri Jan 1 20:04:28 1999
|
|
+++ util/faxstate.c Mon Jun 12 21:52:46 2000
|
|
@@ -113,7 +113,7 @@
|
|
}
|
|
if (optind != argc-1)
|
|
fatal("Bad option `%c'; usage: %s %s modem", c, argv[0], usage);
|
|
- strcpy(devid, argv[optind]);
|
|
+ strlcpy(devid, argv[optind], sizeof(devid));
|
|
for (cp = devid; cp = strchr(cp, '/'); *cp++ = '_')
|
|
;
|
|
if (chdir(spooldir) < 0)
|
|
@@ -126,16 +126,16 @@
|
|
fifo = open(FAX_FIFO, O_WRONLY|O_NDELAY);
|
|
if (fifo < 0)
|
|
fatal("%s: open: %s", FAX_FIFO, strerror(errno));
|
|
- sprintf(cmd, "+%s:%s", devid, arg);
|
|
+ snprintf(cmd, sizeof(cmd), "+%s:%s", devid, arg);
|
|
if (write(fifo, cmd, strlen(cmd)) != strlen(cmd))
|
|
fatal("FIFO write failed for command (%s)", strerror(errno));
|
|
} else {
|
|
- sprintf(fifoname, "%s.%.*s", FAX_FIFO,
|
|
+ snprintf(fifoname, sizeof(fifoname), "%s.%.*s", FAX_FIFO,
|
|
sizeof (fifoname) - sizeof (FAX_FIFO), devid);
|
|
fifo = open(fifoname, O_WRONLY|O_NDELAY);
|
|
if (fifo < 0)
|
|
fatal("%s: open: %s", fifoname, strerror(errno));
|
|
- sprintf(cmd, "S%s", arg);
|
|
+ snprintf(cmd, sizeof(cmd), "S%s", arg);
|
|
if (write(fifo, cmd, strlen(cmd)) != strlen(cmd))
|
|
fatal("FIFO write failed for command (%s)", strerror(errno));
|
|
}
|